pony | 0eb8945c373c97dc92daf2606d48ba5677b954110ee7b7a00b0d7b006a01fa03

Analysis

max time kernel
150s
max time network
142s
platform
windows10_x64
resource
win10v200430
submitted
14-07-2020 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tr_3.xls
Size

90KB
MD5

5ca92721e11bdf5639bb4b318a21306e
SHA1

18dfa536f2c91664c502f2bf651aa07ce2189668
SHA256

0eb8945c373c97dc92daf2606d48ba5677b954110ee7b7a00b0d7b006a01fa03
SHA512

fd003ba7c0be78f493cd7a687e77b27c5cd102df0ca20e21edc5d9789a25830dc1160e0ea49e1fc9fb6ed87b48373fefce714b9dc3c26a932ffe11088fdd175c

Score

10^/10

discovery spyware rat stealer pony banker trojan gozi_ifsb ursnif

Malware Config

Signatures

Suspicious use of WriteProcessMemory 76 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exesvchost.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.exe

description	pid	process	target process
PID 3944 wrote to memory of 3548	3944	EXCEL.EXE	regsvr32.exe
PID 3944 wrote to memory of 3548	3944	EXCEL.EXE	regsvr32.exe
PID 3548 wrote to memory of 3940	3548	regsvr32.exe	regsvr32.exe
PID 3548 wrote to memory of 3940	3548	regsvr32.exe	regsvr32.exe
PID 3548 wrote to memory of 3940	3548	regsvr32.exe	regsvr32.exe
PID 3940 wrote to memory of 3612	3940	regsvr32.exe	svchost.exe
PID 3940 wrote to memory of 3612	3940	regsvr32.exe	svchost.exe
PID 3940 wrote to memory of 3612	3940	regsvr32.exe	svchost.exe
PID 3940 wrote to memory of 3612	3940	regsvr32.exe	svchost.exe
PID 3940 wrote to memory of 3612	3940	regsvr32.exe	svchost.exe
PID 3612 wrote to memory of 2508	3612	svchost.exe	cmd.exe
PID 3612 wrote to memory of 2508	3612	svchost.exe	cmd.exe
PID 3612 wrote to memory of 2508	3612	svchost.exe	cmd.exe
PID 3612 wrote to memory of 3756	3612	svchost.exe	svchost.exe
PID 3612 wrote to memory of 3756	3612	svchost.exe	svchost.exe
PID 3612 wrote to memory of 3756	3612	svchost.exe	svchost.exe
PID 3612 wrote to memory of 3756	3612	svchost.exe	svchost.exe
PID 3612 wrote to memory of 3756	3612	svchost.exe	svchost.exe
PID 3612 wrote to memory of 3768	3612	svchost.exe	BN3464.tmp
PID 3612 wrote to memory of 3768	3612	svchost.exe	BN3464.tmp
PID 3612 wrote to memory of 3768	3612	svchost.exe	BN3464.tmp
PID 3500 wrote to memory of 4084	3500	iexplore.exe	IEXPLORE.EXE
PID 3500 wrote to memory of 4084	3500	iexplore.exe	IEXPLORE.EXE
PID 3500 wrote to memory of 4084	3500	iexplore.exe	IEXPLORE.EXE
PID 3500 wrote to memory of 3180	3500	iexplore.exe	IEXPLORE.EXE
PID 3500 wrote to memory of 3180	3500	iexplore.exe	IEXPLORE.EXE
PID 3500 wrote to memory of 3180	3500	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 3952	1216	mshta.exe	powershell.exe
PID 1216 wrote to memory of 3952	1216	mshta.exe	powershell.exe
PID 3952 wrote to memory of 3792	3952	powershell.exe	csc.exe
PID 3952 wrote to memory of 3792	3952	powershell.exe	csc.exe
PID 3792 wrote to memory of 3328	3792	csc.exe	cvtres.exe
PID 3792 wrote to memory of 3328	3792	csc.exe	cvtres.exe
PID 3952 wrote to memory of 3128	3952	powershell.exe	csc.exe
PID 3952 wrote to memory of 3128	3952	powershell.exe	csc.exe
PID 3128 wrote to memory of 1784	3128	csc.exe	cvtres.exe
PID 3128 wrote to memory of 1784	3128	csc.exe	cvtres.exe
PID 3952 wrote to memory of 2988	3952	powershell.exe	Explorer.EXE
PID 3952 wrote to memory of 2988	3952	powershell.exe	Explorer.EXE
PID 3952 wrote to memory of 2988	3952	powershell.exe	Explorer.EXE
PID 3952 wrote to memory of 2988	3952	powershell.exe	Explorer.EXE
PID 2988 wrote to memory of 3400	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 3400	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 3412	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3412	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3412	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3400	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 3400	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 3500	2988	Explorer.EXE	iexplore.exe
PID 2988 wrote to memory of 3500	2988	Explorer.EXE	iexplore.exe
PID 2988 wrote to memory of 3412	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3500	2988	Explorer.EXE	iexplore.exe
PID 2988 wrote to memory of 3412	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3500	2988	Explorer.EXE	iexplore.exe
PID 3412 wrote to memory of 3796	3412	cmd.exe	PING.EXE
PID 3412 wrote to memory of 3796	3412	cmd.exe	PING.EXE
PID 3412 wrote to memory of 3796	3412	cmd.exe	PING.EXE
PID 3412 wrote to memory of 3796	3412	cmd.exe	PING.EXE
PID 3412 wrote to memory of 3796	3412	cmd.exe	PING.EXE
PID 2988 wrote to memory of 1804	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 1804	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3920	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3920	2988	Explorer.EXE	cmd.exe
PID 1804 wrote to memory of 3764	1804	cmd.exe	nslookup.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

3500 iexplore.exe
3500 iexplore.exe
3500 iexplore.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3500	iexplore.exe
3500	iexplore.exe
3500	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e5f6f8ae59d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "116503086"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c0200000000002000000000010660000000100002000000062b546c0eddbb8c4d5f45a69210fc643dabb88f6ac9fa0665e6cc11e011d516d000000000e8000000002000020000000bec36dae3eaa60a8ce7876316f36561ff7788eeac86fc958aed0e97083a81c71200000008e5d1b21d9b3848f3a52f3386d42e5850d3b2fcf05746612f8cd9a74e08c78bf4000000018717af43b47a5dec1ca42374a2170e04249a5c1806b1e40fc3ee59dd360e65db95b100794f9062a809dcecae61d305cf7fa405d446b4965b165791775fd6e1a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30824879"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "119471187"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824879"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10cbd8f7ae59d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c020000000000200000000001066000000010000200000002656fa19ee86eae24ad929d0ea2b3669ba9cf87a97f65ce802f1b9ee630e8714000000000e8000000002000020000000b9d71afb898e19d3be8deeb279939a4a8fdcbf9a576d71a26608ec42a603a712200000000535f8d8f4f8ff426a0d68cd54b4fb43cae8f96950df06d70e785edacf187c0b4000000019421ff21aabca279ce8bcb38e920483232a394b4d0ca094e1049d94689e8c5041a6035d1adebdc034371a973bdc65d0061e8c267a0c8f4c834c73f9ae322d88	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3261FEAF-C5A2-11EA-BF1A-E6B8B64A97D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824879"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "116503086"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3796 PING.EXE

pid	process
3796	PING.EXE

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE
3500	iexplore.exe
3500	iexplore.exe
4084	IEXPLORE.EXE
4084	IEXPLORE.EXE
3500	iexplore.exe
3500	iexplore.exe
3180	IEXPLORE.EXE
3180	IEXPLORE.EXE
3500	iexplore.exe
3500	iexplore.exe
4084	IEXPLORE.EXE
4084	IEXPLORE.EXE
3944	EXCEL.EXE
3944	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 api.ipify.org

flow	ioc
24	api.ipify.org

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1515 IoCs

Processes:

svchost.exeWerFault.exepowershell.exeExplorer.EXE

pid	process
3612	svchost.exe
3612	svchost.exe
3612	svchost.exe
3612	svchost.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
1216	WerFault.exe
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 92 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	3612	svchost.exe
Token: SeTcbPrivilege	3612	svchost.exe
Token: SeChangeNotifyPrivilege	3612	svchost.exe
Token: SeCreateTokenPrivilege	3612	svchost.exe
Token: SeBackupPrivilege	3612	svchost.exe
Token: SeRestorePrivilege	3612	svchost.exe
Token: SeIncreaseQuotaPrivilege	3612	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3612	svchost.exe
Token: SeImpersonatePrivilege	3612	svchost.exe
Token: SeTcbPrivilege	3612	svchost.exe
Token: SeChangeNotifyPrivilege	3612	svchost.exe
Token: SeCreateTokenPrivilege	3612	svchost.exe
Token: SeBackupPrivilege	3612	svchost.exe
Token: SeRestorePrivilege	3612	svchost.exe
Token: SeIncreaseQuotaPrivilege	3612	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3612	svchost.exe
Token: SeImpersonatePrivilege	3612	svchost.exe
Token: SeTcbPrivilege	3612	svchost.exe
Token: SeChangeNotifyPrivilege	3612	svchost.exe
Token: SeCreateTokenPrivilege	3612	svchost.exe
Token: SeBackupPrivilege	3612	svchost.exe
Token: SeRestorePrivilege	3612	svchost.exe
Token: SeIncreaseQuotaPrivilege	3612	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3612	svchost.exe
Token: SeImpersonatePrivilege	3612	svchost.exe
Token: SeTcbPrivilege	3612	svchost.exe
Token: SeChangeNotifyPrivilege	3612	svchost.exe
Token: SeCreateTokenPrivilege	3612	svchost.exe
Token: SeBackupPrivilege	3612	svchost.exe
Token: SeRestorePrivilege	3612	svchost.exe
Token: SeIncreaseQuotaPrivilege	3612	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3612	svchost.exe
Token: SeImpersonatePrivilege	3612	svchost.exe
Token: SeTcbPrivilege	3612	svchost.exe
Token: SeChangeNotifyPrivilege	3612	svchost.exe
Token: SeCreateTokenPrivilege	3612	svchost.exe
Token: SeBackupPrivilege	3612	svchost.exe
Token: SeRestorePrivilege	3612	svchost.exe
Token: SeIncreaseQuotaPrivilege	3612	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3612	svchost.exe
Token: SeImpersonatePrivilege	3756	svchost.exe
Token: SeTcbPrivilege	3756	svchost.exe
Token: SeChangeNotifyPrivilege	3756	svchost.exe
Token: SeCreateTokenPrivilege	3756	svchost.exe
Token: SeBackupPrivilege	3756	svchost.exe
Token: SeRestorePrivilege	3756	svchost.exe
Token: SeIncreaseQuotaPrivilege	3756	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3756	svchost.exe
Token: SeImpersonatePrivilege	3756	svchost.exe
Token: SeTcbPrivilege	3756	svchost.exe
Token: SeChangeNotifyPrivilege	3756	svchost.exe
Token: SeCreateTokenPrivilege	3756	svchost.exe
Token: SeBackupPrivilege	3756	svchost.exe
Token: SeRestorePrivilege	3756	svchost.exe
Token: SeIncreaseQuotaPrivilege	3756	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3756	svchost.exe
Token: SeImpersonatePrivilege	3756	svchost.exe
Token: SeTcbPrivilege	3756	svchost.exe
Token: SeChangeNotifyPrivilege	3756	svchost.exe
Token: SeCreateTokenPrivilege	3756	svchost.exe
Token: SeBackupPrivilege	3756	svchost.exe
Token: SeRestorePrivilege	3756	svchost.exe
Token: SeIncreaseQuotaPrivilege	3756	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3756	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

BN3464.tmp

pid process

3768 BN3464.tmp
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3944 EXCEL.EXE
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3940 regsvr32.exe

pid	process
3768	BN3464.tmp

pid	process
3940	regsvr32.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

regsvr32.exesvchost.exepowershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3940 set thread context of 3612	3940	regsvr32.exe	svchost.exe
PID 3612 set thread context of 3756	3612	svchost.exe	svchost.exe
PID 3952 set thread context of 2988	3952	powershell.exe	Explorer.EXE
PID 2988 set thread context of 3400	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 set thread context of 3412	2988	Explorer.EXE	cmd.exe
PID 2988 set thread context of 3500	2988	Explorer.EXE	iexplore.exe
PID 3412 set thread context of 3796	3412	cmd.exe	PING.EXE
PID 2988 set thread context of 3764	2988	Explorer.EXE	WinMail.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1216 3940 WerFault.exe regsvr32.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3952 powershell.exe
2988 Explorer.EXE
2988 Explorer.EXE
2988 Explorer.EXE
3412 cmd.exe
2988 Explorer.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3796 PING.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2988 Explorer.EXE

pid	pid_target	process	target process
1216	3940	WerFault.exe	regsvr32.exe

pid	process
3952	powershell.exe
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
3412	cmd.exe
2988	Explorer.EXE

pid	process
3796	PING.EXE

pid	process
2988	Explorer.EXE

Checks for installed software on the system 1 TTPs 7 IoCs

discovery

Query Registry

T1012

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	svchost.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3548	3944	regsvr32.exe	EXCEL.EXE

Checks whether UAC is enabled 3 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of UnmapMainImage
PID:2988
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\tr_3.xls"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Enumerates system info in registry
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  PID:3944
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s /i dDdoiBj.ocx
    3⤵
    - Suspicious use of WriteProcessMemory
    - Process spawned unexpected child process
    PID:3548
  - - C:\Windows\SysWOW64\regsvr32.exe
      /s /i dDdoiBj.ocx
      4⤵
      Suspicious use of WriteProcessMemory
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:3940
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\System32\svchost.exe
        5⤵
        Suspicious use of WriteProcessMemory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetThreadContext
        Checks for installed software on the system
        
        PID:3612
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /K
        6⤵
        
        PID:2508
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\System32\svchost.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
      - C:\Users\Admin\AppData\Local\Temp\BN3464.tmp
        
        C:\Users\Admin\AppData\Local\Temp\BN3464.tmp
        6⤵
        Executes dropped EXE
        
        PID:3768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 664
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Program crash
        
        PID:1216
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82\\\AxInrvps'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82").AppCbcd))
    3⤵
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:3952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kmgd0ag0\kmgd0ag0.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4DF.tmp" "c:\Users\Admin\AppData\Local\Temp\kmgd0ag0\CSC399CB494212A4B5C8121185EDD14763.TMP"
        5⤵
        
        PID:3328
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0jqfuy0q\0jqfuy0q.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5AA.tmp" "c:\Users\Admin\AppData\Local\Temp\0jqfuy0q\CSC54FAE3EBC43D4F339EA1C8559E6C671F.TMP"
        5⤵
        
        PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\BN3464.tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  PID:3412
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3796
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\897A.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3764
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\49E8.bi1"
  2⤵
  PID:3920
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:2100
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\49E8.bi1"
  2⤵
  PID:3848
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\897A.bi1"
  2⤵
  PID:3768
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:3764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
PID:3500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3500 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  PID:4084
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3500 CREDAT:82952 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  PID:3180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\Local\Temp\0jqfuy0q\0jqfuy0q.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\49E8.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\49E8.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\897A.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\897A.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BN3464.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\BN3464.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB4DF.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB5AA.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\kmgd0ag0\kmgd0ag0.dll

Download Submit
C:\Users\Admin\Documents\dDdoiBj.ocx

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0jqfuy0q\0jqfuy0q.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0jqfuy0q\0jqfuy0q.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0jqfuy0q\CSC54FAE3EBC43D4F339EA1C8559E6C671F.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kmgd0ag0\CSC399CB494212A4B5C8121185EDD14763.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kmgd0ag0\kmgd0ag0.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kmgd0ag0\kmgd0ag0.cmdline

Download Submit
\Users\Admin\Documents\dDdoiBj.ocx

Download Submit
memory/1216-19-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/1216-23-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1784-40-0x0000000000000000-mapping.dmp

Download
memory/1804-48-0x0000000000000000-mapping.dmp

Download
memory/2100-51-0x0000000000000000-mapping.dmp

Download
memory/2508-7-0x0000000000000000-mapping.dmp

Download
memory/3128-37-0x0000000000000000-mapping.dmp

Download
memory/3180-28-0x0000000000000000-mapping.dmp

Download
memory/3328-33-0x0000000000000000-mapping.dmp

Download
memory/3412-45-0x00000001002D2000-mapping.dmp

Download
memory/3412-44-0x0000000000000000-mapping.dmp

Download
memory/3548-0-0x0000000000000000-mapping.dmp

Download
memory/3612-5-0x00000000003E2960-mapping.dmp

Download
memory/3612-4-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download
memory/3612-6-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download
memory/3756-8-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/3756-10-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/3756-9-0x000000000BC01067-mapping.dmp

Download
memory/3764-58-0x0000000000000000-mapping.dmp

Download
memory/3764-59-0x000000499E78E000-mapping.dmp

Download
memory/3764-50-0x0000000000000000-mapping.dmp

Download
memory/3768-15-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3768-11-0x0000000000000000-mapping.dmp

Download
memory/3768-53-0x0000000000000000-mapping.dmp

Download
memory/3792-30-0x0000000000000000-mapping.dmp

Download
memory/3796-47-0x000000C3E8AF7000-mapping.dmp

Download
memory/3796-46-0x0000000000000000-mapping.dmp

Download
memory/3848-52-0x0000000000000000-mapping.dmp

Download
memory/3920-49-0x0000000000000000-mapping.dmp

Download
memory/3940-25-0x0000000000000000-mapping.dmp

Download
memory/3940-20-0x0000000000000000-mapping.dmp

Download
memory/3940-21-0x0000000000000000-mapping.dmp

Download
memory/3940-22-0x0000000000000000-mapping.dmp

Download
memory/3940-24-0x0000000000000000-mapping.dmp

Download
memory/3940-26-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/3940-2-0x0000000000000000-mapping.dmp

Download
memory/3952-29-0x0000000000000000-mapping.dmp

Download
memory/4084-27-0x0000000000000000-mapping.dmp

Download