gozi_ifsb | 00bd4de4ad3ccb503cb3e46030055454905d2a4033c03a462fd755af96edab27

General

Target

SecuriteInfo.com.Win32.Kryptik.HEME.26904.exe
Size

346KB
MD5

f577fbb7280758f98ad523a7b580d818
SHA1

0c3262702dfec0ab6c305ab5126ee72b44eece07
SHA256

00bd4de4ad3ccb503cb3e46030055454905d2a4033c03a462fd755af96edab27
SHA512

d7d49d21710cf43050b9caa339462b63b20fb6419b129e37ad1e5b6c1675ab2bb33c70957dff612df9b47506d5c7b0f6f387f37c8377dfe294a713c7bff7a5ad

Score

10^/10

banker trojan gozi_ifsb ursnif spyware

Malware Config

Signatures

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Suspicious behavior: EnumeratesProcesses 955 IoCs

Processes:

powershell.exeExplorer.EXE

pid	process
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3556 powershell.exe
2988 Explorer.EXE
2988 Explorer.EXE
1464 cmd.exe

Checks whether UAC is enabled 7 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2960 PING.EXE

pid	process
2960	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
2900	iexplore.exe
2900	iexplore.exe
3604	IEXPLORE.EXE
3604	IEXPLORE.EXE
3148	iexplore.exe
3148	iexplore.exe
3860	IEXPLORE.EXE
3860	IEXPLORE.EXE
4032	iexplore.exe
4032	iexplore.exe
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
4032	iexplore.exe
4032	iexplore.exe
2288	IEXPLORE.EXE
2288	IEXPLORE.EXE
4032	iexplore.exe
4032	iexplore.exe
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
2988	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

2900 iexplore.exe
3148 iexplore.exe
4032 iexplore.exe
4032 iexplore.exe
4032 iexplore.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3556 set thread context of 2988	3556	powershell.exe	Explorer.EXE
PID 2988 set thread context of 1464	2988	Explorer.EXE	cmd.exe
PID 2988 set thread context of 3496	2988	Explorer.EXE	RuntimeBroker.exe
PID 1464 set thread context of 2960	1464	cmd.exe	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2960 PING.EXE

pid	process
2960	PING.EXE

Modifies Internet Explorer settings 1 TTPs 67 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30821461"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80bd853b554cd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "579562762"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0402925554cd601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c02000000000020000000000106600000001000020000000c3fff801bc7bc8acfed2726d8ea681e20fa7384d0dcbea15dd67716deb3a48c8000000000e800000000200002000000006e5a440a4f5663bc7982886b1d991db90442cfde233d81af5fbaa2dd128115920000000438cfa08e7c3c1c16419e526f98f686f163d2190306b98133cc559151d6d16fc400000004c62679195a2c00ff2585b76fc099b1495aac8f7f5afb86098dc75c00df49d147a6dfaa45699d3fda6a956f3ebc1f09912cc1a9bcf6a31795a053392ad63f0c5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "579562762"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c02000000000020000000000106600000001000020000000f24eef158b68248aa249a4857fad48f0d7f871137cbca7f1eb1832c40bac4765000000000e800000000200002000000091351898158d3088938ceb15a14c3e4e3aec6786ba6d43ec496d2e482880014620000000f1eff207d09ede8e9cf0682d3b94468fa2695fa515ede19e003c211847b6416040000000128237edeba745a2c3aac41092fa07b48ae3faa22c11743ba4f288e24f0800688a638a6f571eea81617f65a383efa1b8ae25817231b04f5ca9140837d94cf71b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c0200000000002000000000010660000000100002000000075fa44285119a79846841530400b862e207ebe5f8efcce69aea950449d9a61d8000000000e8000000002000020000000226ba342c8e2000f399b740ba839e9210fc0e2e9848a47956bd859832935726b20000000c0e7fe247b50f37ee81f734740db0dabfd28bdf9a32744be38f9eeab2773242b400000000803e5de63b4642ccf7a49c4ee03790149a0214d04414439f5e4016f2cce4132d985ffda940341c0db33131f9e24e9fb3d5b1ffde919cb9118080236e5056215	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4DE3E36E-B848-11EA-BF1A-7249B19516BC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68ED2C0A-B848-11EA-BF1A-7249B19516BC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00020f25554cd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c020000000000200000000001066000000010000200000009c55021f3717d7f39192e4bf2cdfbf555c85366f58a07ee3e5137fc5e5b76133000000000e8000000002000020000000e41132e959557c0bbffdb0bd633f5d165661212e5e090c3f284986eccb76232020000000d31db2c7650d9e863e59038ae67be3c8d2b8dff657094651b2135c1bb66ba9964000000097ba01e55d6de86073059c009516c74af7ff7ab4a3f769d19ce57eaa4e742bde2dddf8026fe9cfaa3770f6e7bdddfc2db427445926a2c6b0a3031d63b065d25f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{769DEDCD-B848-11EA-BF1A-7249B19516BC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30821461"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 907db13a554cd601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c02000000000020000000000106600000001000020000000046f7df88b9a43280e43fe8b78e8d091e81485b575e355e053da21a524de0825000000000e80000000020000200000005978000d121b9eba56fb8ab094f97c7f1a0e7a3201c961f8bcfa519818c86b3520000000b7ef83b049c37a92919091f20a4f8ec606d573a0b0a6b4d897e3ed54164421a4400000005f8bfc1bfdf8b7f8b0eea8933dada504d8128b6cbe536a7b373b7a2bdf5e2510526b5fe7b8bc382a2945ec601fc6067ac49b471b2e076f23b3d8ac5161559a39	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09bcc39554cd601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e062ad2c554cd601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2900 wrote to memory of 3604	2900	iexplore.exe	IEXPLORE.EXE
PID 2900 wrote to memory of 3604	2900	iexplore.exe	IEXPLORE.EXE
PID 2900 wrote to memory of 3604	2900	iexplore.exe	IEXPLORE.EXE
PID 3148 wrote to memory of 3860	3148	iexplore.exe	IEXPLORE.EXE
PID 3148 wrote to memory of 3860	3148	iexplore.exe	IEXPLORE.EXE
PID 3148 wrote to memory of 3860	3148	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 1196	4032	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 1196	4032	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 1196	4032	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 2288	4032	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 2288	4032	iexplore.exe	IEXPLORE.EXE
PID 4032 wrote to memory of 2288	4032	iexplore.exe	IEXPLORE.EXE
PID 1364 wrote to memory of 3556	1364	mshta.exe	powershell.exe
PID 1364 wrote to memory of 3556	1364	mshta.exe	powershell.exe
PID 3556 wrote to memory of 3684	3556	powershell.exe	csc.exe
PID 3556 wrote to memory of 3684	3556	powershell.exe	csc.exe
PID 3684 wrote to memory of 2880	3684	csc.exe	cvtres.exe
PID 3684 wrote to memory of 2880	3684	csc.exe	cvtres.exe
PID 3556 wrote to memory of 1724	3556	powershell.exe	csc.exe
PID 3556 wrote to memory of 1724	3556	powershell.exe	csc.exe
PID 1724 wrote to memory of 508	1724	csc.exe	cvtres.exe
PID 1724 wrote to memory of 508	1724	csc.exe	cvtres.exe
PID 3556 wrote to memory of 2988	3556	powershell.exe	Explorer.EXE
PID 3556 wrote to memory of 2988	3556	powershell.exe	Explorer.EXE
PID 3556 wrote to memory of 2988	3556	powershell.exe	Explorer.EXE
PID 3556 wrote to memory of 2988	3556	powershell.exe	Explorer.EXE
PID 2988 wrote to memory of 1464	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 1464	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 1464	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3496	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 3496	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 1464	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 1464	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3496	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 3496	2988	Explorer.EXE	RuntimeBroker.exe
PID 1464 wrote to memory of 2960	1464	cmd.exe	PING.EXE
PID 1464 wrote to memory of 2960	1464	cmd.exe	PING.EXE
PID 1464 wrote to memory of 2960	1464	cmd.exe	PING.EXE
PID 1464 wrote to memory of 2960	1464	cmd.exe	PING.EXE
PID 1464 wrote to memory of 2960	1464	cmd.exe	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HEME.26904.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HEME.26904.exe"
  2⤵
  PID:2416
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\5A899765-F1C8-9C2D-4B2E-B590AF42B9C4\\\APHob_ps'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\5A899765-F1C8-9C2D-4B2E-B590AF42B9C4").AppVdsrv))
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psfwg3ds\psfwg3ds.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEEE.tmp" "c:\Users\Admin\AppData\Local\Temp\psfwg3ds\CSCB10EB48FF73B41C4917FB7DA4688842D.TMP"
        5⤵
        
        PID:2880
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\whmyk3wv\whmyk3wv.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0B3.tmp" "c:\Users\Admin\AppData\Local\Temp\whmyk3wv\CSC9B882D4084B44BE98CC05747D8CC1AE5.TMP"
        5⤵
        
        PID:508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HEME.26904.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2900 CREDAT:82945 /prefetch:2
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  PID:3604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3148 CREDAT:82945 /prefetch:2
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  PID:3860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:82945 /prefetch:2
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  PID:1196
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:82951 /prefetch:2
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  PID:2288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\434LGR37.cookie

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAEEE.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB0B3.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\psfwg3ds\psfwg3ds.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\whmyk3wv\whmyk3wv.dll

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\psfwg3ds\CSCB10EB48FF73B41C4917FB7DA4688842D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\psfwg3ds\psfwg3ds.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\psfwg3ds\psfwg3ds.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whmyk3wv\CSC9B882D4084B44BE98CC05747D8CC1AE5.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whmyk3wv\whmyk3wv.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whmyk3wv\whmyk3wv.cmdline

Download Submit
memory/508-19-0x0000000000000000-mapping.dmp

Download
memory/1196-4-0x0000000000000000-mapping.dmp

Download
memory/1464-24-0x0000005D1327D000-mapping.dmp

Download
memory/1464-23-0x0000000000000000-mapping.dmp

Download
memory/1724-16-0x0000000000000000-mapping.dmp

Download
memory/2288-7-0x0000000000000000-mapping.dmp

Download
memory/2416-0-0x0000000001D41000-0x0000000001D42000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/2880-12-0x0000000000000000-mapping.dmp

Download
memory/2960-25-0x0000000000000000-mapping.dmp

Download
memory/2960-26-0x0000009D4CD18000-mapping.dmp

Download
memory/3556-8-0x0000000000000000-mapping.dmp

Download
memory/3604-2-0x0000000000000000-mapping.dmp

Download
memory/3684-9-0x0000000000000000-mapping.dmp

Download
memory/3860-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads