pony | ee2dc4300f18802a18616e9e5434b2a0d438c819d2229d3724fa266ae881dbf7

Analysis

max time kernel
150s
max time network
146s
platform
windows10_x64
resource
win10v200430
submitted
14-07-2020 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tr_0.xls
Size

90KB
MD5

08f03e9133419730830daa1d5c05f2ea
SHA1

0fbe4abe79048fb25f00e11c3f53b9729ea2019b
SHA256

ee2dc4300f18802a18616e9e5434b2a0d438c819d2229d3724fa266ae881dbf7
SHA512

d272fc170333bca041dba873120303694f99bd6f89e32b73597ad8cb6da63e54b45e1f15c34ca8494369d091693c456076374f3fb58c66ce08d1f5140e2745c1

Score

10^/10

discovery rat spyware stealer pony banker trojan gozi_ifsb ursnif

Malware Config

Signatures

Suspicious use of SetThreadContext 8 IoCs

Processes:

regsvr32.exesvchost.exepowershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3992 set thread context of 2528	3992	regsvr32.exe	svchost.exe
PID 2528 set thread context of 868	2528	svchost.exe	svchost.exe
PID 3988 set thread context of 3012	3988	powershell.exe	Explorer.EXE
PID 3012 set thread context of 3448	3012	Explorer.EXE	RuntimeBroker.exe
PID 3012 set thread context of 1540	3012	Explorer.EXE	cmd.exe
PID 3012 set thread context of 1612	3012	Explorer.EXE	iexplore.exe
PID 1540 set thread context of 3916	1540	cmd.exe	PING.EXE
PID 3012 set thread context of 2176	3012	Explorer.EXE	WinMail.exe

Executes dropped EXE 1 IoCs

Processes:

BN818A.tmp

pid process

1176 BN818A.tmp
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

1612 iexplore.exe
1612 iexplore.exe
1612 iexplore.exe

pid	process
1176	BN818A.tmp

pid	process
1612	iexplore.exe
1612	iexplore.exe
1612	iexplore.exe

Checks whether UAC is enabled 3 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE
1612	iexplore.exe
1612	iexplore.exe
3712	IEXPLORE.EXE
3712	IEXPLORE.EXE
1612	iexplore.exe
1612	iexplore.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
1612	iexplore.exe
1612	iexplore.exe
3712	IEXPLORE.EXE
3712	IEXPLORE.EXE
2536	EXCEL.EXE
2536	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2536 EXCEL.EXE

Suspicious use of WriteProcessMemory 76 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exesvchost.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.exe

description	pid	process	target process
PID 2536 wrote to memory of 3972	2536	EXCEL.EXE	regsvr32.exe
PID 2536 wrote to memory of 3972	2536	EXCEL.EXE	regsvr32.exe
PID 3972 wrote to memory of 3992	3972	regsvr32.exe	regsvr32.exe
PID 3972 wrote to memory of 3992	3972	regsvr32.exe	regsvr32.exe
PID 3972 wrote to memory of 3992	3972	regsvr32.exe	regsvr32.exe
PID 3992 wrote to memory of 2528	3992	regsvr32.exe	svchost.exe
PID 3992 wrote to memory of 2528	3992	regsvr32.exe	svchost.exe
PID 3992 wrote to memory of 2528	3992	regsvr32.exe	svchost.exe
PID 3992 wrote to memory of 2528	3992	regsvr32.exe	svchost.exe
PID 3992 wrote to memory of 2528	3992	regsvr32.exe	svchost.exe
PID 2528 wrote to memory of 1060	2528	svchost.exe	cmd.exe
PID 2528 wrote to memory of 1060	2528	svchost.exe	cmd.exe
PID 2528 wrote to memory of 1060	2528	svchost.exe	cmd.exe
PID 2528 wrote to memory of 868	2528	svchost.exe	svchost.exe
PID 2528 wrote to memory of 868	2528	svchost.exe	svchost.exe
PID 2528 wrote to memory of 868	2528	svchost.exe	svchost.exe
PID 2528 wrote to memory of 868	2528	svchost.exe	svchost.exe
PID 2528 wrote to memory of 868	2528	svchost.exe	svchost.exe
PID 2528 wrote to memory of 1176	2528	svchost.exe	BN818A.tmp
PID 2528 wrote to memory of 1176	2528	svchost.exe	BN818A.tmp
PID 2528 wrote to memory of 1176	2528	svchost.exe	BN818A.tmp
PID 1612 wrote to memory of 3712	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 3712	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 3712	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 2524	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 2524	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 2524	1612	iexplore.exe	IEXPLORE.EXE
PID 2388 wrote to memory of 3988	2388	mshta.exe	powershell.exe
PID 2388 wrote to memory of 3988	2388	mshta.exe	powershell.exe
PID 3988 wrote to memory of 4084	3988	powershell.exe	csc.exe
PID 3988 wrote to memory of 4084	3988	powershell.exe	csc.exe
PID 4084 wrote to memory of 3340	4084	csc.exe	cvtres.exe
PID 4084 wrote to memory of 3340	4084	csc.exe	cvtres.exe
PID 3988 wrote to memory of 1016	3988	powershell.exe	csc.exe
PID 3988 wrote to memory of 1016	3988	powershell.exe	csc.exe
PID 1016 wrote to memory of 592	1016	csc.exe	cvtres.exe
PID 1016 wrote to memory of 592	1016	csc.exe	cvtres.exe
PID 3988 wrote to memory of 3012	3988	powershell.exe	Explorer.EXE
PID 3988 wrote to memory of 3012	3988	powershell.exe	Explorer.EXE
PID 3988 wrote to memory of 3012	3988	powershell.exe	Explorer.EXE
PID 3988 wrote to memory of 3012	3988	powershell.exe	Explorer.EXE
PID 3012 wrote to memory of 3448	3012	Explorer.EXE	RuntimeBroker.exe
PID 3012 wrote to memory of 3448	3012	Explorer.EXE	RuntimeBroker.exe
PID 3012 wrote to memory of 1540	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1540	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1540	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 3448	3012	Explorer.EXE	RuntimeBroker.exe
PID 3012 wrote to memory of 3448	3012	Explorer.EXE	RuntimeBroker.exe
PID 3012 wrote to memory of 1612	3012	Explorer.EXE	iexplore.exe
PID 3012 wrote to memory of 1612	3012	Explorer.EXE	iexplore.exe
PID 3012 wrote to memory of 1540	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1540	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 1612	3012	Explorer.EXE	iexplore.exe
PID 3012 wrote to memory of 1612	3012	Explorer.EXE	iexplore.exe
PID 1540 wrote to memory of 3916	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 3916	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 3916	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 3916	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 3916	1540	cmd.exe	PING.EXE
PID 3012 wrote to memory of 3972	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 3972	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 2112	3012	Explorer.EXE	cmd.exe
PID 3012 wrote to memory of 2112	3012	Explorer.EXE	cmd.exe
PID 2112 wrote to memory of 3440	2112	cmd.exe	nslookup.exe

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3916 PING.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3988 powershell.exe
3012 Explorer.EXE
3012 Explorer.EXE
3012 Explorer.EXE
1540 cmd.exe
3012 Explorer.EXE

pid	process
3916	PING.EXE

pid	process
3988	powershell.exe
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
1540	cmd.exe
3012	Explorer.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c02000000000020000000000106600000001000020000000aaea2701697d5e7829e12bcff5970d652364d8093f1d9fae657dae7038a5b511000000000e80000000020000200000001c6d1cb36a81b274970d0593eabd647b8a35f0ea4ac0f429c8856ac0a895758920000000496f1e057d32da9967b79bfcff05ca93f734ea3b606ea3bc3890f970ae21737240000000ab1e433fd15e7488fd54d0f006fd7c4a46879b93f00caba29d76c4094f38dec9428d985d3a094b24b9fce71ccf5da50774de1956937e05b1bc2680057309ac9a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "87140670"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "94015362"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824879"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "87140670"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3093A855-C5A2-11EA-BF1A-C2BFAC877F24} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30824879"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c0200000000002000000000010660000000100002000000005e472e085ace37aecffabc85ae721d657e424a5bec2a80bc7b97ac17f037371000000000e8000000002000020000000c7e8a8989615af01853c33ec2c2443c71456c08f90a4077cb2cad2a48bf03e5520000000825173996454a9ab3e39981e46a7602029e938fcbfd39520691f62f2eac1407d40000000db1e86b5f9741deac45565fc829e2531670de2473e92fddae0a99554ac120a384a2279877d8e2be260815a85862071f4ba3d0e9f9623bd4bf51209bd2af02888	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824879"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40de9bf6ae59d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80aeb7f7ae59d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious behavior: EnumeratesProcesses 1494 IoCs

Processes:

svchost.exeWerFault.exepowershell.exeExplorer.EXE

pid	process
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE
3012	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 92 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	2528	svchost.exe
Token: SeTcbPrivilege	2528	svchost.exe
Token: SeChangeNotifyPrivilege	2528	svchost.exe
Token: SeCreateTokenPrivilege	2528	svchost.exe
Token: SeBackupPrivilege	2528	svchost.exe
Token: SeRestorePrivilege	2528	svchost.exe
Token: SeIncreaseQuotaPrivilege	2528	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2528	svchost.exe
Token: SeImpersonatePrivilege	2528	svchost.exe
Token: SeTcbPrivilege	2528	svchost.exe
Token: SeChangeNotifyPrivilege	2528	svchost.exe
Token: SeCreateTokenPrivilege	2528	svchost.exe
Token: SeBackupPrivilege	2528	svchost.exe
Token: SeRestorePrivilege	2528	svchost.exe
Token: SeIncreaseQuotaPrivilege	2528	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2528	svchost.exe
Token: SeImpersonatePrivilege	2528	svchost.exe
Token: SeTcbPrivilege	2528	svchost.exe
Token: SeChangeNotifyPrivilege	2528	svchost.exe
Token: SeCreateTokenPrivilege	2528	svchost.exe
Token: SeBackupPrivilege	2528	svchost.exe
Token: SeRestorePrivilege	2528	svchost.exe
Token: SeIncreaseQuotaPrivilege	2528	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2528	svchost.exe
Token: SeImpersonatePrivilege	2528	svchost.exe
Token: SeTcbPrivilege	2528	svchost.exe
Token: SeChangeNotifyPrivilege	2528	svchost.exe
Token: SeCreateTokenPrivilege	2528	svchost.exe
Token: SeBackupPrivilege	2528	svchost.exe
Token: SeRestorePrivilege	2528	svchost.exe
Token: SeIncreaseQuotaPrivilege	2528	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2528	svchost.exe
Token: SeImpersonatePrivilege	2528	svchost.exe
Token: SeTcbPrivilege	2528	svchost.exe
Token: SeChangeNotifyPrivilege	2528	svchost.exe
Token: SeCreateTokenPrivilege	2528	svchost.exe
Token: SeBackupPrivilege	2528	svchost.exe
Token: SeRestorePrivilege	2528	svchost.exe
Token: SeIncreaseQuotaPrivilege	2528	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2528	svchost.exe
Token: SeImpersonatePrivilege	868	svchost.exe
Token: SeTcbPrivilege	868	svchost.exe
Token: SeChangeNotifyPrivilege	868	svchost.exe
Token: SeCreateTokenPrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeImpersonatePrivilege	868	svchost.exe
Token: SeTcbPrivilege	868	svchost.exe
Token: SeChangeNotifyPrivilege	868	svchost.exe
Token: SeCreateTokenPrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeImpersonatePrivilege	868	svchost.exe
Token: SeTcbPrivilege	868	svchost.exe
Token: SeChangeNotifyPrivilege	868	svchost.exe
Token: SeCreateTokenPrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2320 3992 WerFault.exe regsvr32.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3012 Explorer.EXE

pid	pid_target	process	target process
2320	3992	WerFault.exe	regsvr32.exe

pid	process
3012	Explorer.EXE

Checks for installed software on the system 1 TTPs 7 IoCs

discovery

Query Registry

T1012

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org

flow	ioc
22	api.ipify.org

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3972	2536	regsvr32.exe	EXCEL.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3992 regsvr32.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

3916 PING.EXE

pid	process
3992	regsvr32.exe

pid	process
3916	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3012
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\tr_0.xls"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  - Enumerates system info in registry
  - Checks processor information in registry
  PID:2536
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s /i dDdoiBj.ocx
    3⤵
    - Suspicious use of WriteProcessMemory
    - Process spawned unexpected child process
    PID:3972
  - - C:\Windows\SysWOW64\regsvr32.exe
      /s /i dDdoiBj.ocx
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      Loads dropped DLL
      PID:3992
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\System32\svchost.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Checks for installed software on the system
        
        PID:2528
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /K
        6⤵
        
        PID:1060
      - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\System32\svchost.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
      - C:\Users\Admin\AppData\Local\Temp\BN818A.tmp
        
        C:\Users\Admin\AppData\Local\Temp\BN818A.tmp
        6⤵
        Executes dropped EXE
        
        PID:1176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 664
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Program crash
        
        PID:2320
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82\\\AxInrvps'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82").AppCbcd))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    PID:3988
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkw3v1d0\rkw3v1d0.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1.tmp" "c:\Users\Admin\AppData\Local\Temp\rkw3v1d0\CSC95A3117E6C264A34A81E66F7548F66B3.TMP"
        5⤵
        
        PID:3340
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r1a23ul4\r1a23ul4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D6.tmp" "c:\Users\Admin\AppData\Local\Temp\r1a23ul4\CSCF7E314EF43EC40C3A0BB1DA3C5DA873.TMP"
        5⤵
        
        PID:592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\BN818A.tmp"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  PID:1540
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:3916
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\F5F7.bi1"
  2⤵
  PID:3972
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3536
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\E301.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3440
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E301.bi1"
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\F5F7.bi1"
  2⤵
  PID:3988
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:2176

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Modifies Internet Explorer settings
PID:1612
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:82945 /prefetch:2
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  PID:3712
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:82950 /prefetch:2
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  PID:2524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\Local\Temp\BN818A.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\BN818A.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\E301.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E301.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5F7.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5F7.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D6.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\r1a23ul4\r1a23ul4.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkw3v1d0\rkw3v1d0.dll

Download Submit
C:\Users\Admin\Documents\dDdoiBj.ocx

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r1a23ul4\CSCF7E314EF43EC40C3A0BB1DA3C5DA873.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r1a23ul4\r1a23ul4.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r1a23ul4\r1a23ul4.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rkw3v1d0\CSC95A3117E6C264A34A81E66F7548F66B3.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rkw3v1d0\rkw3v1d0.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rkw3v1d0\rkw3v1d0.cmdline

Download Submit
\Users\Admin\Documents\dDdoiBj.ocx

Download Submit
memory/592-88-0x0000000000000000-mapping.dmp

Download
memory/868-9-0x000000000BC01067-mapping.dmp

Download
memory/868-8-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/868-10-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/1016-85-0x0000000000000000-mapping.dmp

Download
memory/1060-7-0x0000000000000000-mapping.dmp

Download
memory/1176-14-0x0000000000FE6000-0x0000000000FE7000-memory.dmp

Filesize
4KB

Download
memory/1176-11-0x0000000000000000-mapping.dmp

Download
memory/1176-15-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/1540-93-0x0000000A70B8B000-mapping.dmp

Download
memory/1540-92-0x0000000000000000-mapping.dmp

Download
memory/2112-97-0x0000000000000000-mapping.dmp

Download
memory/2176-107-0x0000001580078000-mapping.dmp

Download
memory/2176-106-0x0000000000000000-mapping.dmp

Download
memory/2320-19-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2320-24-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/2524-76-0x0000000000000000-mapping.dmp

Download
memory/2528-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2528-5-0x0000000000402960-mapping.dmp

Download
memory/2528-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3024-100-0x0000000000000000-mapping.dmp

Download
memory/3340-81-0x0000000000000000-mapping.dmp

Download
memory/3440-98-0x0000000000000000-mapping.dmp

Download
memory/3536-99-0x0000000000000000-mapping.dmp

Download
memory/3712-75-0x0000000000000000-mapping.dmp

Download
memory/3916-94-0x0000000000000000-mapping.dmp

Download
memory/3916-95-0x000000982A20B000-mapping.dmp

Download
memory/3972-0-0x0000000000000000-mapping.dmp

Download
memory/3972-96-0x0000000000000000-mapping.dmp

Download
memory/3988-77-0x0000000000000000-mapping.dmp

Download
memory/3988-101-0x0000000000000000-mapping.dmp

Download
memory/3992-21-0x0000000000000000-mapping.dmp

Download
memory/3992-20-0x0000000000000000-mapping.dmp

Download
memory/3992-22-0x0000000000000000-mapping.dmp

Download
memory/3992-72-0x0000000000000000-mapping.dmp

Download
memory/3992-73-0x0000000000000000-mapping.dmp

Download
memory/3992-74-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3992-2-0x0000000000000000-mapping.dmp

Download
memory/4084-78-0x0000000000000000-mapping.dmp

Download