gozi_ifsb | d5ccf9039136d23649240cd3879f6e9d40dae0dff2a5cfcdefc8535f93587c38

General

Target

3.exe
Size

142KB
MD5

5105430437588f8878da6957bc8c3119
SHA1

818651e37ef71701165c3eb03c5c1813c1047b32
SHA256

d5ccf9039136d23649240cd3879f6e9d40dae0dff2a5cfcdefc8535f93587c38
SHA512

3149a53bc48feea00ce6067cf5bbe94ae5b65e933ffdd5ae4139d217c2e7e7e65fa636ab021d9a374e091a791c952e6f995e6cb923ddbfcc33d4d1e575e528b1

Score

10^/10

banker trojan gozi_ifsb ursnif spyware evasion

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
240	iexplore.exe
240	iexplore.exe
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
240	iexplore.exe
240	iexplore.exe
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
240	iexplore.exe
240	iexplore.exe
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 872 set thread context of 1304	872	powershell.exe	Explorer.EXE
PID 1304 set thread context of 240	1304	Explorer.EXE	iexplore.exe
PID 1304 set thread context of 2040	1304	Explorer.EXE	cmd.exe
PID 2040 set thread context of 1600	2040	cmd.exe	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1600 PING.EXE

pid	process
1600	PING.EXE

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 906c18804859d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cf8d5bd09b0364592b95b96ab31238800000000020000000000106600000001000020000000c7be896d28006ce0c706bc6e65a0d8270227aefca443bb0ba5105c73ff1b3068000000000e8000000002000020000000f030f38f8d145339029ecacedb913931934f9a08daded8a5c31cbf0388732037900000007d52e82ef2b5eaf668228dd019111944f71e3fc254cab0c0e71697672616c93834463723b7d2e2141daa67621b774de76892b119f47e0294e4eeb5850d9f81afc094e53f467c4b6b73ff688637e87bfde6730499f9eef66cc122a38af128a8b23aa08cb74d782797b6848f86e44cdf56ee3216ce9a12602027737228ed107ea2b0e7a1b600fae2914fd8cb0672ad548f400000003dfe5523a732f510ce3291581e9b51ea62ceb113327e702ab4ab798e82df837829c686df04b3816c5abceb31c2c05fa9cc15169c02e87be1acdb1e8d275c1380	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cf8d5bd09b0364592b95b96ab312388000000000200000000001066000000010000200000005da6adb6e1f4db5f804f3a1fb01ab155aa4219f346750a3c99ababc2ca964466000000000e8000000002000020000000ee14f7865e561a9137d55e8ac3a823e812114790a8fe1fdf8281c86e18da6ee620000000f0562915cdf1035c903ba219b2f2e5249d601156430ef58147ea2655a89606594000000051a8b4e0e9448c444c4abc48e1595fc8d00dc1f6e69a81d2591d5444443623dc4f0e4a7274482c0b2323b2bbeb05cbae6a8f0765a84960c589be7575128c79ba	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B8A0B681-C53B-11EA-9064-7216F48E0260} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "301432063"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

iexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.exe

description	pid	process	target process
PID 240 wrote to memory of 1536	240	iexplore.exe	IEXPLORE.EXE
PID 240 wrote to memory of 1536	240	iexplore.exe	IEXPLORE.EXE
PID 240 wrote to memory of 1536	240	iexplore.exe	IEXPLORE.EXE
PID 240 wrote to memory of 1536	240	iexplore.exe	IEXPLORE.EXE
PID 240 wrote to memory of 1000	240	iexplore.exe	IEXPLORE.EXE
PID 240 wrote to memory of 1000	240	iexplore.exe	IEXPLORE.EXE
PID 240 wrote to memory of 1000	240	iexplore.exe	IEXPLORE.EXE
PID 240 wrote to memory of 1000	240	iexplore.exe	IEXPLORE.EXE
PID 1952 wrote to memory of 872	1952	mshta.exe	powershell.exe
PID 1952 wrote to memory of 872	1952	mshta.exe	powershell.exe
PID 1952 wrote to memory of 872	1952	mshta.exe	powershell.exe
PID 872 wrote to memory of 1784	872	powershell.exe	csc.exe
PID 872 wrote to memory of 1784	872	powershell.exe	csc.exe
PID 872 wrote to memory of 1784	872	powershell.exe	csc.exe
PID 1784 wrote to memory of 1600	1784	csc.exe	cvtres.exe
PID 1784 wrote to memory of 1600	1784	csc.exe	cvtres.exe
PID 1784 wrote to memory of 1600	1784	csc.exe	cvtres.exe
PID 872 wrote to memory of 1628	872	powershell.exe	csc.exe
PID 872 wrote to memory of 1628	872	powershell.exe	csc.exe
PID 872 wrote to memory of 1628	872	powershell.exe	csc.exe
PID 1628 wrote to memory of 1640	1628	csc.exe	cvtres.exe
PID 1628 wrote to memory of 1640	1628	csc.exe	cvtres.exe
PID 1628 wrote to memory of 1640	1628	csc.exe	cvtres.exe
PID 872 wrote to memory of 1304	872	powershell.exe	Explorer.EXE
PID 872 wrote to memory of 1304	872	powershell.exe	Explorer.EXE
PID 872 wrote to memory of 1304	872	powershell.exe	Explorer.EXE
PID 1304 wrote to memory of 240	1304	Explorer.EXE	iexplore.exe
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 240	1304	Explorer.EXE	iexplore.exe
PID 1304 wrote to memory of 240	1304	Explorer.EXE	iexplore.exe
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	cmd.exe
PID 2040 wrote to memory of 1600	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1600	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1600	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1600	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1600	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1600	2040	cmd.exe	PING.EXE
PID 1304 wrote to memory of 1812	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 1812	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 1812	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 1640	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 1640	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 1640	1304	Explorer.EXE	cmd.exe
PID 1640 wrote to memory of 328	1640	cmd.exe	nslookup.exe
PID 1640 wrote to memory of 328	1640	cmd.exe	nslookup.exe
PID 1640 wrote to memory of 328	1640	cmd.exe	nslookup.exe
PID 1812 wrote to memory of 1504	1812	cmd.exe	nslookup.exe
PID 1812 wrote to memory of 1504	1812	cmd.exe	nslookup.exe
PID 1812 wrote to memory of 1504	1812	cmd.exe	nslookup.exe
PID 1304 wrote to memory of 1576	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 1576	1304	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 1576	1304	Explorer.EXE	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 872 powershell.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

872 powershell.exe
1304 Explorer.EXE
1304 Explorer.EXE
2040 cmd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2040 cmd.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

iexplore.exeExplorer.EXE

pid process

240 iexplore.exe
240 iexplore.exe
240 iexplore.exe
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
1304 Explorer.EXE
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeExplorer.EXE

pid process

872 powershell.exe
872 powershell.exe
1304 Explorer.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1600 PING.EXE

description	pid	process
Token: SeDebugPrivilege	872	powershell.exe

pid	process
872	powershell.exe
1304	Explorer.EXE
1304	Explorer.EXE
2040	cmd.exe

pid	process
2040	cmd.exe

pid	process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

pid	process
872	powershell.exe
872	powershell.exe
1304	Explorer.EXE

pid	process
1600	PING.EXE

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SendNotifyMessage
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: EnumeratesProcesses
- Checks whether UAC is enabled
PID:1304
- C:\Users\Admin\AppData\Local\Temp\3.exe
  "C:\Users\Admin\AppData\Local\Temp\3.exe"
  2⤵
  PID:1296
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05\\\Efsltprf'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05").dmrctcls))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in System32 directory
    PID:872
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iadislf5\iadislf5.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF601.tmp" "c:\Users\Admin\AppData\Local\Temp\iadislf5\CSC629350CE14E243E6892C9CE41F5165EF.TMP"
        5⤵
        
        PID:1600
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p2mzmmoo\p2mzmmoo.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF68E.tmp" "c:\Users\Admin\AppData\Local\Temp\p2mzmmoo\CSC70BB0F5D930B414C93F33B0C1136EAA.TMP"
        5⤵
        
        PID:1640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Deletes itself
  PID:2040
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1600
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\28DC.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1504
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2894.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:328
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2894.bi1"
  2⤵
  PID:1576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:240
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:209928 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2894.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2894.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF601.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF68E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\iadislf5\iadislf5.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\p2mzmmoo\p2mzmmoo.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O1TEJZ7S.txt

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iadislf5\CSC629350CE14E243E6892C9CE41F5165EF.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iadislf5\iadislf5.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iadislf5\iadislf5.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p2mzmmoo\CSC70BB0F5D930B414C93F33B0C1136EAA.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p2mzmmoo\p2mzmmoo.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p2mzmmoo\p2mzmmoo.cmdline

Download Submit
memory/328-26-0x0000000000000000-mapping.dmp

Download
memory/872-4-0x0000000000000000-mapping.dmp

Download
memory/1000-3-0x0000000000000000-mapping.dmp

Download
memory/1296-0-0x0000000000D59000-0x0000000000D6A000-memory.dmp

Filesize
68KB

Download
memory/1296-1-0x0000000000E50000-0x0000000000E61000-memory.dmp

Filesize
68KB

Download
memory/1504-27-0x0000000000000000-mapping.dmp

Download
memory/1536-2-0x0000000000000000-mapping.dmp

Download
memory/1576-28-0x0000000000000000-mapping.dmp

Download
memory/1600-8-0x0000000000000000-mapping.dmp

Download
memory/1600-22-0x0000000000000000-mapping.dmp

Download
memory/1600-23-0x000007FFFFFDB000-mapping.dmp

Download
memory/1628-12-0x0000000000000000-mapping.dmp

Download
memory/1640-25-0x0000000000000000-mapping.dmp

Download
memory/1640-15-0x0000000000000000-mapping.dmp

Download
memory/1784-5-0x0000000000000000-mapping.dmp

Download
memory/1812-24-0x0000000000000000-mapping.dmp

Download
memory/2040-21-0x000007FFFFFDB000-mapping.dmp

Download
memory/2040-20-0x0000000000000000-mapping.dmp

Download
memory/2040-19-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads