f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2

General

Target

Zbicswp.exe
Size

984KB
MD5

622dca0ee8175c9a20456d8892d35a80
SHA1

d45a2f22186a3b494ef1237028b29eea72cc9cca
SHA256

f01669ff0af4c1b8f4f15985fae94c302537ed8affc5b2fe01534594036218f2
SHA512

094ce631693c4c83ebf1d2728e99eb36cf65cdc6a63336cfba982b4ca0332496247f114760c1150aaecd4dc48caf23b386aefef4ffb14f7439407585fd16ec28

Score

8^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3820	ieinstal.exe
3820	ieinstal.exe
3820	ieinstal.exe
3820	ieinstal.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3820	ieinstal.exe
Token: SeDebugPrivilege	3796	rundll32.exe
Token: SeShutdownPrivilege	2972	Explorer.EXE
Token: SeCreatePagefilePrivilege	2972	Explorer.EXE
Token: SeShutdownPrivilege	2972	Explorer.EXE
Token: SeCreatePagefilePrivilege	2972	Explorer.EXE
Token: SeShutdownPrivilege	2972	Explorer.EXE
Token: SeCreatePagefilePrivilege	2972	Explorer.EXE
Token: SeShutdownPrivilege	2972	Explorer.EXE
Token: SeCreatePagefilePrivilege	2972	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3820	ieinstal.exe
3820	ieinstal.exe
3820	ieinstal.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe
3796	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3820 set thread context of 2972	3820	ieinstal.exe	56
PID 3796 set thread context of 2972	3796	rundll32.exe	56

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 3820	3612	Zbicswp.exe	67
PID 3612 wrote to memory of 3820	3612	Zbicswp.exe	67
PID 3612 wrote to memory of 3820	3612	Zbicswp.exe	67
PID 3612 wrote to memory of 3820	3612	Zbicswp.exe	67
PID 3612 wrote to memory of 3820	3612	Zbicswp.exe	67
PID 3612 wrote to memory of 3820	3612	Zbicswp.exe	67
PID 2972 wrote to memory of 3796	2972	Explorer.EXE	68
PID 2972 wrote to memory of 3796	2972	Explorer.EXE	68
PID 2972 wrote to memory of 3796	2972	Explorer.EXE	68
PID 3796 wrote to memory of 3752	3796	rundll32.exe	69
PID 3796 wrote to memory of 3752	3796	rundll32.exe	69
PID 3796 wrote to memory of 3752	3796	rundll32.exe	69
PID 3796 wrote to memory of 3548	3796	rundll32.exe	71
PID 3796 wrote to memory of 3548	3796	rundll32.exe	71
PID 3796 wrote to memory of 3548	3796	rundll32.exe	71

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\9RDTLLQ8WL8 = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	rundll32.exe

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\Zbicswp.exe
  "C:\Users\Admin\AppData\Local\Temp\Zbicswp.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    PID:3820
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Adds Run key to start application
  - Adds policy Run key to start application
  - Modifies Internet Explorer settings
  PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:3752
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3548-10-0x00007FF73E940000-0x00007FF73E9D3000-memory.dmp

Filesize
588KB

Download
memory/3548-11-0x00007FF73E940000-0x00007FF73E9D3000-memory.dmp

Filesize
588KB

Download
memory/3548-12-0x00007FF73E940000-0x00007FF73E9D3000-memory.dmp

Filesize
588KB

Download
memory/3612-0-0x0000000010410000-0x000000001043D000-memory.dmp

Filesize
180KB

Download
memory/3796-7-0x0000000006350000-0x0000000006494000-memory.dmp

Filesize
1.3MB

Download
memory/3796-4-0x0000000000340000-0x0000000000353000-memory.dmp

Filesize
76KB

Download
memory/3796-3-0x0000000000340000-0x0000000000353000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads