gozi_ifsb | e93eff9fcefc1e4cff03a218144e16b5632ca85fbf4f9a3ac726d6b1b0b5b256

Analysis

max time kernel
1193s
max time network
1195s
platform
windows10_x64
resource
win10-en
submitted
07-09-2021 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.bat
Size

5B
MD5

53f31a089339194f333d2e3995dbb05e
SHA1

d929c82d2ee727ccbea9c50c669a71075249899f
SHA256

86b0c5a1e2b73b08fd54c727f4458649ed9fe3ad1b6e8ac9460c070113509a1e
SHA512

d6f0e8c65e1fe60e81be2aee69b09b9a5df7519dff082cc4e51a705fb044a34db7198b40d480df0a048e32a7d2cf0c4090d64af123a5d852c21c8a35de4ff3fc

Score

10^/10

gozi_ifsb 1500 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1500

atl.bigbigpoppa.com

pop.urlovedstuff.com

Attributes

build
250211
exe_type
loader
server_id
580

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

calc.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2924 1028 calc.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1028	calc.exe

Blocklisted process makes network request 39 IoCs

Processes:

rundll32.exe

flow	pid	process
23	1036	rundll32.exe
25	1036	rundll32.exe
26	1036	rundll32.exe
27	1036	rundll32.exe
28	1036	rundll32.exe
29	1036	rundll32.exe
30	1036	rundll32.exe
31	1036	rundll32.exe
32	1036	rundll32.exe
33	1036	rundll32.exe
34	1036	rundll32.exe
35	1036	rundll32.exe
36	1036	rundll32.exe
37	1036	rundll32.exe
38	1036	rundll32.exe
39	1036	rundll32.exe
40	1036	rundll32.exe
41	1036	rundll32.exe
42	1036	rundll32.exe
43	1036	rundll32.exe
44	1036	rundll32.exe
45	1036	rundll32.exe
46	1036	rundll32.exe
47	1036	rundll32.exe
48	1036	rundll32.exe
49	1036	rundll32.exe
50	1036	rundll32.exe
51	1036	rundll32.exe
52	1036	rundll32.exe
53	1036	rundll32.exe
55	1036	rundll32.exe
57	1036	rundll32.exe
58	1036	rundll32.exe
59	1036	rundll32.exe
60	1036	rundll32.exe
61	1036	rundll32.exe
62	1036	rundll32.exe
63	1036	rundll32.exe
64	1036	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1036 rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\rescache\_merged\3720402701\2274612954.pri explorer.exe

pid	process
1036	rundll32.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	explorer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.execmd.execalc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "VBSFile"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 50003100000000002153986b10004c6f63616c003c0009000400efbe2153c9682153986b2e000000345301000000010000000000000000000000000000006960f7004c006f00630061006c00000014000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 4e0031000000000027536c82100054656d7000003a0009000400efbe2153c96827536c822e0000003553010000000100000000000000000000000000000007455f00540065006d007000000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000002153c96812004170704461746100400009000400efbe2153c9682153c9682e000000215301000000010000000000000000000000000000002fbcb0004100700070004400610074006100000016000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000002153dc72100041646d696e003c0009000400efbe2153c9682153dc722e0000001653010000000100000000000000000000000000000019888600410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000002153c9681100557365727300640009000400efbe724a0b5d2153c9682e000000320500000000010000000000000000003a0000000000701ed20055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

2060 explorer.exe

pid	process
2060	explorer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
936	powershell.exe
936	powershell.exe
936	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
2184	powershell.exe
2184	powershell.exe
2184	powershell.exe
2096	powershell.exe
2096	powershell.exe
2096	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2060 explorer.exe

pid	process
2060	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exe7zG.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	936	powershell.exe
Token: SeRestorePrivilege	2596	7zG.exe
Token: 35	2596	7zG.exe
Token: SeSecurityPrivilege	2596	7zG.exe
Token: SeSecurityPrivilege	2596	7zG.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

2596 7zG.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

explorer.exeOpenWith.exe

pid process

2060 explorer.exe
2060 explorer.exe
3204 OpenWith.exe

pid	process
2596	7zG.exe

pid	process
2060	explorer.exe
2060	explorer.exe
3204	OpenWith.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

powershell.execmd.exeexplorer.exepowershell.execmd.exerundll32.exe

description	pid	process	target process
PID 936 wrote to memory of 1196	936	powershell.exe	cmd.exe
PID 936 wrote to memory of 1196	936	powershell.exe	cmd.exe
PID 1196 wrote to memory of 2096	1196	cmd.exe	explorer.exe
PID 1196 wrote to memory of 2096	1196	cmd.exe	explorer.exe
PID 2060 wrote to memory of 2596	2060	explorer.exe	7zG.exe
PID 2060 wrote to memory of 2596	2060	explorer.exe	7zG.exe
PID 1196 wrote to memory of 2616	1196	cmd.exe	cscript.exe
PID 1196 wrote to memory of 2616	1196	cmd.exe	cscript.exe
PID 1196 wrote to memory of 3868	1196	cmd.exe	notepad.exe
PID 1196 wrote to memory of 3868	1196	cmd.exe	notepad.exe
PID 2060 wrote to memory of 3372	2060	explorer.exe	WScript.exe
PID 2060 wrote to memory of 3372	2060	explorer.exe	WScript.exe
PID 2716 wrote to memory of 3032	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 3032	2716	powershell.exe	cmd.exe
PID 3032 wrote to memory of 2184	3032	cmd.exe	powershell.exe
PID 3032 wrote to memory of 2184	3032	cmd.exe	powershell.exe
PID 3032 wrote to memory of 2096	3032	cmd.exe	powershell.exe
PID 3032 wrote to memory of 2096	3032	cmd.exe	powershell.exe
PID 3032 wrote to memory of 2440	3032	cmd.exe	rundll32.exe
PID 3032 wrote to memory of 2440	3032	cmd.exe	rundll32.exe
PID 2440 wrote to memory of 1036	2440	rundll32.exe	rundll32.exe
PID 2440 wrote to memory of 1036	2440	rundll32.exe	rundll32.exe
PID 2440 wrote to memory of 1036	2440	rundll32.exe	rundll32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
1⤵
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\explorer.exe
    explorer .
    3⤵
    PID:2096
- - C:\Windows\system32\cscript.exe
    cscript 1.vbs
    3⤵
    PID:2616
- - C:\Windows\system32\notepad.exe
    notepad 1.txt
    3⤵
    PID:3868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\1\" -spe -an -ai#7zMap20883:82:7zEvent24520
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2596
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\98915.txt"
  2⤵
  PID:3372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c get-filehash -algo sha256 Jason.bin
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c get-filehash -algo sha256 Janos.bin
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\system32\rundll32.exe
    rundll32 Janos.bin,DllRegisterServer
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 Janos.bin,DllRegisterServer
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:1036

C:\Windows\system32\calc.exe
calc.exe
1⤵
- Process spawned unexpected child process
- Modifies registry class
PID:2924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5
f93bd7d721758b9a4f242b4643201bb8

SHA1
f418c2a282f3f5428cdb7c9d35cca502b21aac4a

SHA256
48fed95ae39b31ffcdb9323cf9eb4cf2a7cbbf51773a46625365942b908866dd

SHA512
8b0e2bfd98a11b7944ea2a47f9d85166e85fc04970460191f761d7e0e5c079806ebcfd7ecc774ef1cb293f504a916fdbac9722b728f79b88c6ea1ce9ea9a75a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
fee2f5cdf424dcbd216c6099664c45de

SHA1
170fba8e1db81ed6a63d4dc358be0dfa334b1fda

SHA256
47824ae9f708546cdb0e20b2fd294eeca0270f96f38b33ce794913f5b2464657

SHA512
274fccb01804c98c4e267722f463fe531e46d0cce7c107259bbdd6af9d58839f572fe6684494d46add1383fdc526dcdd8fecfe2f881e8c6ac215499a9c30ac40

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\1.txt

MD5
432ee3697333147d2a0d894260145a10

SHA1
d62becb24ccb991eecea420e2953a01b2003a8a2

SHA256
c5003cf7d3f9c4060035f778bb99b0587a21df40643ce8d78a042953e52baa95

SHA512
9585aefb53beb1b65c17410c6c35b631895de369fb7c2641ccb7bdce1c20bc18c1f2fa9703f723efde9f0d3068e8f232e79c0f506faa63904752cba498cbc4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\1.vbs

MD5
3c464445b71c82c22643ef4487a60b4e

SHA1
badb3bcb867bc8f38a14c10a1b7f3d657b0384ec

SHA256
33a3aed542dbc22eaf74a6f7c1cb9dbd0beefd323af8ef067be74945e798463e

SHA512
dae017d4e64f9bc831ce184bc5a4f991e2306bedb15f00038ca39486694ca274cb97d163bcf0cef4b2d12df3279d0fad0eeb2a24dde5bf15205b1cab5bd43593

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\start[710980].vbs

MD5
207568c3acb35b681b9ebd15881ba124

SHA1
c7f0f8b2dedef6e44fa8d5083d7f162bc2a6d8c2

SHA256
7c942f875e29c8ac867f4d4cf98610d6ad1c2292812e0d072f729c422ed32487

SHA512
76bd367710c6fae7f540c527f2083b05a05f883e68274a5f88ed3a0153a0919f8a10a056ab2e4ced842b767c0d86e6fb85a93af1ea7fe35b855e4662c7006be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Janos.bin

MD5
3ee784b20a405a7b032728a7bcac456c

SHA1
d1b224481e428fc86e9c55e2ff138b30b5cfbfab

SHA256
3fd290e335098184c8c2973272660f506c89f329a37cf590608863d002333386

SHA512
7f5dd561e321b3787e65b478aab720ac8aeb95034567c3b942184b6f35f011474415ba5714488a968815a7351e0c44b129d686877392225a2aeca361aab7adac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

MD5
96a5b608546e746260bccc0c7e7ef54b

SHA1
9e7c0ff2701aeb81f8fcad71a65653aaf41a3aab

SHA256
f0edd6eb312cba7446d58766c2b8b99d3210e240a7e32b77b4f11c5098286624

SHA512
e26b8a5e27839af0dcd5e756d9e9ef9471c356c3154b12fe668949d7c1ef9050039cbe64802166e432fa0e2b3ea3850e6c037a8de48e7bb4243a81a4271e23eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
59c24265037836a8dc65ce2d4fb4e300

SHA1
614b0386de656ab5ac953781bab42b2fdc952c0c

SHA256
05e799a1892667611f180937ec5d1f63fa32b285accb90f58ba37cace4e58334

SHA512
dfdfde229d4648e85ce4a8674fbaa5e73ddc36b0f6d58135a6dcd582b575941a5fad4fff61daeb17addd3e248382929e58a6dad392997ec36bada7e6c56bfc74

Download Submit
C:\Users\Admin\Downloads\98915.txt

MD5
207568c3acb35b681b9ebd15881ba124

SHA1
c7f0f8b2dedef6e44fa8d5083d7f162bc2a6d8c2

SHA256
7c942f875e29c8ac867f4d4cf98610d6ad1c2292812e0d072f729c422ed32487

SHA512
76bd367710c6fae7f540c527f2083b05a05f883e68274a5f88ed3a0153a0919f8a10a056ab2e4ced842b767c0d86e6fb85a93af1ea7fe35b855e4662c7006be4

Download Submit
\Users\Admin\AppData\Local\Temp\Janos.bin

MD5
3ee784b20a405a7b032728a7bcac456c

SHA1
d1b224481e428fc86e9c55e2ff138b30b5cfbfab

SHA256
3fd290e335098184c8c2973272660f506c89f329a37cf590608863d002333386

SHA512
7f5dd561e321b3787e65b478aab720ac8aeb95034567c3b942184b6f35f011474415ba5714488a968815a7351e0c44b129d686877392225a2aeca361aab7adac

Download Submit
memory/936-152-0x0000023C41E93000-0x0000023C41E95000-memory.dmp

Filesize
8KB

Download
memory/936-120-0x0000023C41E60000-0x0000023C41E61000-memory.dmp

Filesize
4KB

Download
memory/936-151-0x0000023C41E90000-0x0000023C41E92000-memory.dmp

Filesize
8KB

Download
memory/936-150-0x0000023C5C4C0000-0x0000023C5C4C1000-memory.dmp

Filesize
4KB

Download
memory/936-139-0x0000023C5C400000-0x0000023C5C401000-memory.dmp

Filesize
4KB

Download
memory/1036-300-0x0000000000000000-mapping.dmp

Download
memory/1036-304-0x0000000073BC0000-0x0000000073BCE000-memory.dmp

Filesize
56KB

Download
memory/1036-305-0x0000000073BC0000-0x0000000073C28000-memory.dmp

Filesize
416KB

Download
memory/1036-306-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1196-167-0x0000000000000000-mapping.dmp

Download
memory/2096-298-0x00000290D6BE6000-0x00000290D6BE8000-memory.dmp

Filesize
8KB

Download
memory/2096-291-0x00000290D6BE3000-0x00000290D6BE5000-memory.dmp

Filesize
8KB

Download
memory/2096-290-0x00000290D6BE0000-0x00000290D6BE2000-memory.dmp

Filesize
8KB

Download
memory/2096-170-0x0000000000000000-mapping.dmp

Download
memory/2096-272-0x0000000000000000-mapping.dmp

Download
memory/2184-270-0x000001B57F216000-0x000001B57F218000-memory.dmp

Filesize
8KB

Download
memory/2184-269-0x000001B57F213000-0x000001B57F215000-memory.dmp

Filesize
8KB

Download
memory/2184-268-0x000001B57F218000-0x000001B57F219000-memory.dmp

Filesize
4KB

Download
memory/2184-267-0x000001B57F210000-0x000001B57F212000-memory.dmp

Filesize
8KB

Download
memory/2184-242-0x0000000000000000-mapping.dmp

Download
memory/2440-299-0x0000000000000000-mapping.dmp

Download
memory/2596-171-0x0000000000000000-mapping.dmp

Download
memory/2616-172-0x0000000000000000-mapping.dmp

Download
memory/2716-235-0x00000250BA9E8000-0x00000250BA9E9000-memory.dmp

Filesize
4KB

Download
memory/2716-234-0x00000250A2830000-0x00000250A2831000-memory.dmp

Filesize
4KB

Download
memory/2716-233-0x00000250BA9E6000-0x00000250BA9E8000-memory.dmp

Filesize
8KB

Download
memory/2716-196-0x00000250BA9E3000-0x00000250BA9E5000-memory.dmp

Filesize
8KB

Download
memory/2716-194-0x00000250BA9E0000-0x00000250BA9E2000-memory.dmp

Filesize
8KB

Download
memory/3032-241-0x0000000000000000-mapping.dmp

Download
memory/3372-178-0x0000000000000000-mapping.dmp

Download
memory/3868-174-0x0000000000000000-mapping.dmp

Download