gozi_ifsb | 7bbbb364b218aa3da80f1c8e8e43e389a71811dcf1d1fe63be8e7a85a3ac0fd0

General

Target

tr_4.xls
Size

90KB
MD5

4cabdfd852c1c7fe830508cec8dd0982
SHA1

ee530e442bdf28a4834bca1922be2dd54761c6d5
SHA256

7bbbb364b218aa3da80f1c8e8e43e389a71811dcf1d1fe63be8e7a85a3ac0fd0
SHA512

a6ec25d43a123a9a9b7f5005a7acd7b9bad3f3142f0b29d9c43b993fabec22e8926f29f324e85a050ed832a2c4c594802906705ed89ac7460e818188c0b8cd2a

Score

10^/10

discovery spyware banker trojan gozi_ifsb ursnif rat stealer pony

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3376 powershell.exe
3020 Explorer.EXE
3020 Explorer.EXE
3020 Explorer.EXE
2232 cmd.exe
3020 Explorer.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

484 PING.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3376	powershell.exe
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
2232	cmd.exe
3020	Explorer.EXE

pid	process
484	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Suspicious use of WriteProcessMemory 76 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exesvchost.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.exe

description	pid	process	target process
PID 3684 wrote to memory of 2588	3684	EXCEL.EXE	regsvr32.exe
PID 3684 wrote to memory of 2588	3684	EXCEL.EXE	regsvr32.exe
PID 2588 wrote to memory of 2640	2588	regsvr32.exe	regsvr32.exe
PID 2588 wrote to memory of 2640	2588	regsvr32.exe	regsvr32.exe
PID 2588 wrote to memory of 2640	2588	regsvr32.exe	regsvr32.exe
PID 2640 wrote to memory of 1008	2640	regsvr32.exe	svchost.exe
PID 2640 wrote to memory of 1008	2640	regsvr32.exe	svchost.exe
PID 2640 wrote to memory of 1008	2640	regsvr32.exe	svchost.exe
PID 2640 wrote to memory of 1008	2640	regsvr32.exe	svchost.exe
PID 2640 wrote to memory of 1008	2640	regsvr32.exe	svchost.exe
PID 1008 wrote to memory of 1204	1008	svchost.exe	cmd.exe
PID 1008 wrote to memory of 1204	1008	svchost.exe	cmd.exe
PID 1008 wrote to memory of 1204	1008	svchost.exe	cmd.exe
PID 1008 wrote to memory of 1492	1008	svchost.exe	svchost.exe
PID 1008 wrote to memory of 1492	1008	svchost.exe	svchost.exe
PID 1008 wrote to memory of 1492	1008	svchost.exe	svchost.exe
PID 1008 wrote to memory of 1492	1008	svchost.exe	svchost.exe
PID 1008 wrote to memory of 1492	1008	svchost.exe	svchost.exe
PID 1008 wrote to memory of 1756	1008	svchost.exe	BN2D25.tmp
PID 1008 wrote to memory of 1756	1008	svchost.exe	BN2D25.tmp
PID 1008 wrote to memory of 1756	1008	svchost.exe	BN2D25.tmp
PID 1900 wrote to memory of 4004	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 4004	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 4004	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 3448	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 3448	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 3448	1900	iexplore.exe	IEXPLORE.EXE
PID 3732 wrote to memory of 3376	3732	mshta.exe	powershell.exe
PID 3732 wrote to memory of 3376	3732	mshta.exe	powershell.exe
PID 3376 wrote to memory of 4024	3376	powershell.exe	csc.exe
PID 3376 wrote to memory of 4024	3376	powershell.exe	csc.exe
PID 4024 wrote to memory of 1160	4024	csc.exe	cvtres.exe
PID 4024 wrote to memory of 1160	4024	csc.exe	cvtres.exe
PID 3376 wrote to memory of 912	3376	powershell.exe	csc.exe
PID 3376 wrote to memory of 912	3376	powershell.exe	csc.exe
PID 912 wrote to memory of 3184	912	csc.exe	cvtres.exe
PID 912 wrote to memory of 3184	912	csc.exe	cvtres.exe
PID 3376 wrote to memory of 3020	3376	powershell.exe	Explorer.EXE
PID 3376 wrote to memory of 3020	3376	powershell.exe	Explorer.EXE
PID 3376 wrote to memory of 3020	3376	powershell.exe	Explorer.EXE
PID 3376 wrote to memory of 3020	3376	powershell.exe	Explorer.EXE
PID 3020 wrote to memory of 3392	3020	Explorer.EXE	RuntimeBroker.exe
PID 3020 wrote to memory of 3392	3020	Explorer.EXE	RuntimeBroker.exe
PID 3020 wrote to memory of 2232	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2232	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2232	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3392	3020	Explorer.EXE	RuntimeBroker.exe
PID 3020 wrote to memory of 3392	3020	Explorer.EXE	RuntimeBroker.exe
PID 3020 wrote to memory of 1900	3020	Explorer.EXE	iexplore.exe
PID 3020 wrote to memory of 1900	3020	Explorer.EXE	iexplore.exe
PID 3020 wrote to memory of 2232	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2232	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 1900	3020	Explorer.EXE	iexplore.exe
PID 3020 wrote to memory of 1900	3020	Explorer.EXE	iexplore.exe
PID 2232 wrote to memory of 484	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 484	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 484	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 484	2232	cmd.exe	PING.EXE
PID 2232 wrote to memory of 484	2232	cmd.exe	PING.EXE
PID 3020 wrote to memory of 3464	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3464	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3480	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3480	3020	Explorer.EXE	cmd.exe
PID 3480 wrote to memory of 1964	3480	cmd.exe	nslookup.exe

Suspicious behavior: EnumeratesProcesses 1925 IoCs

Processes:

svchost.exeWerFault.exepowershell.exeExplorer.EXE

pid	process
1008	svchost.exe
1008	svchost.exe
1008	svchost.exe
1008	svchost.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

1900 iexplore.exe
1900 iexplore.exe
1900 iexplore.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1900	iexplore.exe
1900	iexplore.exe
1900	iexplore.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2588	3684	regsvr32.exe	EXCEL.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

484 PING.EXE
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 api.ipify.org

pid	process
484	PING.EXE

flow	ioc
21	api.ipify.org

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e000000000200000000001066000000010000200000001dc10b9fcb208765dc969b4aae92b9946bef5876cf0049d0a39afd28ae0314ee000000000e8000000002000020000000334af263d50e7a114471d712a6d375267d6d1ecb470d44adc947234d3f30bc3220000000dc61a61c13057443b26e84d9802dd468c1c475f2cf2ab4d0454d01db53bd946f400000005c1e247038f826d817b24a7ed1b93d0f56442913c60e424366d34ea5ef5817df025ec372b64a820c92c28b2174e141c636980d4bf36d1ce08298c66aa5b30a7d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1331368771"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1331368771"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e000000000200000000001066000000010000200000006d189d088721c3c5363e11dee78f8a4af99f0c229955448ec93d04ca29846aea000000000e8000000002000020000000dc5714673a6dd1d132ae13de6733967f1996f467cd877da6899bc114afd1c6e12000000018cdd95b91b4a7e992e8e42e6bc39c231b4f05070011d4d2f6820d61a43d5ed0400000007caf2a0516d2d9fb1b88fb94e65730b391c60ffc40d147d6842454a3a986ad5007b68cb6ed281128d3f2b63334a3de79f8ae879b71c5c2ab4438830e2f81c02b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8090f33f9e59d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30824862"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30824862"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824862"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1334025718"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7ADE757F-C591-11EA-95F0-C69595AB4A8B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1014e9409e59d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1334025718"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824862"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
3684	EXCEL.EXE
1900	iexplore.exe
1900	iexplore.exe
4004	IEXPLORE.EXE
4004	IEXPLORE.EXE
1900	iexplore.exe
1900	iexplore.exe
3448	IEXPLORE.EXE
3448	IEXPLORE.EXE
1900	iexplore.exe
1900	iexplore.exe
4004	IEXPLORE.EXE
4004	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3684 EXCEL.EXE

Checks for installed software on the system 1 TTPs 7 IoCs

discovery

Query Registry

T1012

Processes:

svchost.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

BN2D25.tmp

pid process

1756 BN2D25.tmp
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2144 2640 WerFault.exe regsvr32.exe

pid	process
1756	BN2D25.tmp

pid	pid_target	process	target process
2144	2640	WerFault.exe	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Checks whether UAC is enabled 3 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2640 regsvr32.exe

pid	process
2640	regsvr32.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

regsvr32.exesvchost.exepowershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2640 set thread context of 1008	2640	regsvr32.exe	svchost.exe
PID 1008 set thread context of 1492	1008	svchost.exe	svchost.exe
PID 3376 set thread context of 3020	3376	powershell.exe	Explorer.EXE
PID 3020 set thread context of 3392	3020	Explorer.EXE	RuntimeBroker.exe
PID 3020 set thread context of 2232	3020	Explorer.EXE	cmd.exe
PID 3020 set thread context of 1900	3020	Explorer.EXE	iexplore.exe
PID 2232 set thread context of 484	2232	cmd.exe	PING.EXE
PID 3020 set thread context of 2332	3020	Explorer.EXE	WinMail.exe

Suspicious use of AdjustPrivilegeToken 96 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	1008	svchost.exe
Token: SeTcbPrivilege	1008	svchost.exe
Token: SeChangeNotifyPrivilege	1008	svchost.exe
Token: SeCreateTokenPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeRestorePrivilege	1008	svchost.exe
Token: SeIncreaseQuotaPrivilege	1008	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1008	svchost.exe
Token: SeImpersonatePrivilege	1008	svchost.exe
Token: SeTcbPrivilege	1008	svchost.exe
Token: SeChangeNotifyPrivilege	1008	svchost.exe
Token: SeCreateTokenPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeRestorePrivilege	1008	svchost.exe
Token: SeIncreaseQuotaPrivilege	1008	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1008	svchost.exe
Token: SeImpersonatePrivilege	1008	svchost.exe
Token: SeTcbPrivilege	1008	svchost.exe
Token: SeChangeNotifyPrivilege	1008	svchost.exe
Token: SeCreateTokenPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeRestorePrivilege	1008	svchost.exe
Token: SeIncreaseQuotaPrivilege	1008	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1008	svchost.exe
Token: SeImpersonatePrivilege	1008	svchost.exe
Token: SeTcbPrivilege	1008	svchost.exe
Token: SeChangeNotifyPrivilege	1008	svchost.exe
Token: SeCreateTokenPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeRestorePrivilege	1008	svchost.exe
Token: SeIncreaseQuotaPrivilege	1008	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1008	svchost.exe
Token: SeImpersonatePrivilege	1008	svchost.exe
Token: SeTcbPrivilege	1008	svchost.exe
Token: SeChangeNotifyPrivilege	1008	svchost.exe
Token: SeCreateTokenPrivilege	1008	svchost.exe
Token: SeBackupPrivilege	1008	svchost.exe
Token: SeRestorePrivilege	1008	svchost.exe
Token: SeIncreaseQuotaPrivilege	1008	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1008	svchost.exe
Token: SeImpersonatePrivilege	1492	svchost.exe
Token: SeTcbPrivilege	1492	svchost.exe
Token: SeChangeNotifyPrivilege	1492	svchost.exe
Token: SeCreateTokenPrivilege	1492	svchost.exe
Token: SeBackupPrivilege	1492	svchost.exe
Token: SeRestorePrivilege	1492	svchost.exe
Token: SeIncreaseQuotaPrivilege	1492	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1492	svchost.exe
Token: SeImpersonatePrivilege	1492	svchost.exe
Token: SeTcbPrivilege	1492	svchost.exe
Token: SeChangeNotifyPrivilege	1492	svchost.exe
Token: SeCreateTokenPrivilege	1492	svchost.exe
Token: SeBackupPrivilege	1492	svchost.exe
Token: SeRestorePrivilege	1492	svchost.exe
Token: SeIncreaseQuotaPrivilege	1492	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1492	svchost.exe
Token: SeImpersonatePrivilege	1492	svchost.exe
Token: SeTcbPrivilege	1492	svchost.exe
Token: SeChangeNotifyPrivilege	1492	svchost.exe
Token: SeCreateTokenPrivilege	1492	svchost.exe
Token: SeBackupPrivilege	1492	svchost.exe
Token: SeRestorePrivilege	1492	svchost.exe
Token: SeIncreaseQuotaPrivilege	1492	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1492	svchost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:3020

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\tr_4.xls"
2⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Checks processor information in registry
PID:3684

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /i dDdoiBj.ocx
3⤵
- Suspicious use of WriteProcessMemory
- Process spawned unexpected child process
PID:2588

C:\Windows\SysWOW64\regsvr32.exe
/s /i dDdoiBj.ocx
4⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
5⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /K
6⤵
PID:1204

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp
C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp
6⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 668
5⤵
- Suspicious behavior: EnumeratesProcesses
- Program crash
PID:2144

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2FFAFA40-C261-3936-44D3-167DB8B7AA01\\\Addrient'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\2FFAFA40-C261-3936-44D3-167DB8B7AA01").appiness))
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:3376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2uf0qoog\2uf0qoog.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9277.tmp" "c:\Users\Admin\AppData\Local\Temp\2uf0qoog\CSC34BDC6584AD24D90853E8CE642A0B1BC.TMP"
5⤵
PID:1160

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mswhtq3l\mswhtq3l.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9313.tmp" "c:\Users\Admin\AppData\Local\Temp\mswhtq3l\CSC34B0182361C643F483B2E23F8A9FC592.TMP"
5⤵
PID:3184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2232

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:484

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\1ACE.bi1"
2⤵
PID:3464

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1000

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D3E.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1964

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1ACE.bi1"
2⤵
PID:2176

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D3E.bi1"
2⤵
PID:2240

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:2332

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:1900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:4004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:82952 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:3448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Remote System Discovery

1

T1018

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ACE.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ACE.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2uf0qoog\2uf0qoog.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3E.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3E.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9277.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9313.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\mswhtq3l\mswhtq3l.dll

Download Submit
C:\Users\Admin\Documents\dDdoiBj.ocx

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2uf0qoog\2uf0qoog.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2uf0qoog\2uf0qoog.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2uf0qoog\CSC34BDC6584AD24D90853E8CE642A0B1BC.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mswhtq3l\CSC34B0182361C643F483B2E23F8A9FC592.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mswhtq3l\mswhtq3l.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mswhtq3l\mswhtq3l.cmdline

Download Submit
\Users\Admin\Documents\dDdoiBj.ocx

Download Submit
memory/484-96-0x000000E028F21000-mapping.dmp

Download
memory/484-95-0x0000000000000000-mapping.dmp

Download
memory/912-86-0x0000000000000000-mapping.dmp

Download
memory/1000-100-0x0000000000000000-mapping.dmp

Download
memory/1008-5-0x0000000000402960-mapping.dmp

Download
memory/1008-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1008-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1160-82-0x0000000000000000-mapping.dmp

Download
memory/1204-7-0x0000000000000000-mapping.dmp

Download
memory/1492-8-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/1492-9-0x000000000BC01067-mapping.dmp

Download
memory/1492-10-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/1756-14-0x0000000000DE6000-0x0000000000DE7000-memory.dmp

Filesize
4KB

Download
memory/1756-11-0x0000000000000000-mapping.dmp

Download
memory/1756-15-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/1964-99-0x0000000000000000-mapping.dmp

Download
memory/2144-19-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/2144-24-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2176-101-0x0000000000000000-mapping.dmp

Download
memory/2232-93-0x0000000000000000-mapping.dmp

Download
memory/2232-94-0x0000008B47170000-mapping.dmp

Download
memory/2240-102-0x0000000000000000-mapping.dmp

Download
memory/2332-108-0x0000003F840DE000-mapping.dmp

Download
memory/2332-107-0x0000000000000000-mapping.dmp

Download
memory/2588-0-0x0000000000000000-mapping.dmp

Download
memory/2640-20-0x0000000000000000-mapping.dmp

Download
memory/2640-73-0x0000000000000000-mapping.dmp

Download
memory/2640-2-0x0000000000000000-mapping.dmp

Download
memory/2640-21-0x0000000000000000-mapping.dmp

Download
memory/2640-22-0x0000000000000000-mapping.dmp

Download
memory/2640-72-0x0000000000000000-mapping.dmp

Download
memory/2640-74-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/3184-89-0x0000000000000000-mapping.dmp

Download
memory/3376-78-0x0000000000000000-mapping.dmp

Download
memory/3448-76-0x0000000000000000-mapping.dmp

Download
memory/3464-97-0x0000000000000000-mapping.dmp

Download
memory/3480-98-0x0000000000000000-mapping.dmp

Download
memory/4004-75-0x0000000000000000-mapping.dmp

Download
memory/4024-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads