gozi_ifsb | 24b030711a69d5121a177ab5a4d8a27849b763f8bdbd8a37c1346f716c4c221e

General

Target

info-12.20.doc
Size

144KB
MD5

eb89b281323cbba25c8c1080cf2f62ff
SHA1

a3d5cab21da7d69f80c3fc62a16cee52e3398846
SHA256

24b030711a69d5121a177ab5a4d8a27849b763f8bdbd8a37c1346f716c4c221e
SHA512

817c131568474240f0139d688ff362fcf406b189bb6537028005dc0952597e4d9db612677f82f9593eff00053583f9017e2bfcb4545a01a83a5d4f9d8d4b8c8f

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3156	3008	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2140 regsvr32.exe

pid	process
2140	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = de4ef1e88fadd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 68 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d000000000200000000001066000000010000200000006eae66aafc8e76adb66ac4d20b22d6fff2249679260337b9aac42d9d392590e2000000000e8000000002000020000000a13f679e010af6d87b3ee281cad3363fba432cdc6e88a3b4322487237717c914200000006752e6ce25f6d740afab762828ae3564302f8c24db8b434eaf542d58f454232f40000000aaac48b8407f80347e2dca7ab86a360bc59b2ed7d92892ac8a8f2c701eddb84748fcfff8cb66eb1d273ae1919aecd685cf72f753dd971bc8fba9c4efd810b928	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d0000000002000000000010660000000100002000000061b3b5e97d579d4ec91aff7dd4d46bec17b329d4ed9eabb01f20c7cf94865229000000000e8000000002000020000000873adcadf9dda12090fd6edebba81c5421fc36b13346148c0bcf34323813c1d72000000052741f5b4a9044cdc37d1652d6c3fb623b82670870741de856f4dc45f231e41440000000acf98bab6dd1b0e592043d0dcdb892fa8b102e52dfe547adb631d436f7c8c123b984e8e9dd28f0c6bab0c53584ef8faf4edbcf1a43ea24db3499e8e152a95bda	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8008870f76c9d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4287356579"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B0CDDB4-3569-11EB-BEBD-5E321723808D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4287356579"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00e9960876c9d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30853493"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C833F29-3569-11EB-BEBD-5E321723808D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a8952476c9d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{596BBE20-3569-11EB-BEBD-5E321723808D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d00000000020000000000106600000001000020000000da1528048284fc2d3db504fa4eb17da86d00eaeb29e8d8874803abe4ab6e6b74000000000e8000000002000020000000c64cabc57b2b1d1f95122d8b0e4a66296e4d0d7330869693526c76cba3b5387920000000416436eb8338293a11cd601749bef0fd12dc2493c2e424b0f5c3e6528272a7d840000000b8c2d9aa2fdab09a69b5c622543b6bc66bac3915d5988ee781f2f89a7e59cc7fb37599a334c4f5229733be81db267b2ee4a7d289418e32110e5e26fe9b9eea3b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d0000000002000000000010660000000100002000000050d3590a264db61cfb6f6050f7a2cea2b7344342d85a97cb934ad264d5b2cf5b000000000e8000000002000020000000fb6e8d453e736bd7d9a622daab144ef5d61cc5f6ba49c2e3125f5ba5485a38a620000000df331102035a20d139648ec34313287e05981ec8600ee6aeed9fd1875e5882c640000000c4cb984b2d05949cd0a842e20479975ed56bb4bedcbb86aa9a99c172ff207d4f58c3f82eb65847fee1a724e61caa114cfaea1d2b942f0d4f73fdd182881e78ad	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0ed9d0876c9d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3008 WINWORD.EXE
3008 WINWORD.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

1540 iexplore.exe
1908 iexplore.exe
4028 iexplore.exe
3244 iexplore.exe

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1540	iexplore.exe
1908	iexplore.exe
4028	iexplore.exe
3244	iexplore.exe

Suspicious use of SetWindowsHookEx 34 IoCs

Processes:

WINWORD.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
3008	WINWORD.EXE
1540	iexplore.exe
1540	iexplore.exe
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
1908	iexplore.exe
1908	iexplore.exe
3784	IEXPLORE.EXE
3784	IEXPLORE.EXE
4028	iexplore.exe
4028	iexplore.exe
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
3244	iexplore.exe
3244	iexplore.exe
648	IEXPLORE.EXE
648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

WINWORD.EXEregsvr32.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3008 wrote to memory of 3156	3008	WINWORD.EXE	regsvr32.exe
PID 3008 wrote to memory of 3156	3008	WINWORD.EXE	regsvr32.exe
PID 3156 wrote to memory of 2140	3156	regsvr32.exe	regsvr32.exe
PID 3156 wrote to memory of 2140	3156	regsvr32.exe	regsvr32.exe
PID 3156 wrote to memory of 2140	3156	regsvr32.exe	regsvr32.exe
PID 1540 wrote to memory of 1332	1540	iexplore.exe	IEXPLORE.EXE
PID 1540 wrote to memory of 1332	1540	iexplore.exe	IEXPLORE.EXE
PID 1540 wrote to memory of 1332	1540	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 3784	1908	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 3784	1908	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 3784	1908	iexplore.exe	IEXPLORE.EXE
PID 4028 wrote to memory of 1844	4028	iexplore.exe	IEXPLORE.EXE
PID 4028 wrote to memory of 1844	4028	iexplore.exe	IEXPLORE.EXE
PID 4028 wrote to memory of 1844	4028	iexplore.exe	IEXPLORE.EXE
PID 3244 wrote to memory of 648	3244	iexplore.exe	IEXPLORE.EXE
PID 3244 wrote to memory of 648	3244	iexplore.exe	IEXPLORE.EXE
PID 3244 wrote to memory of 648	3244	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\info-12.20.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 c:\programdata\RrKki.pdf
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\regsvr32.exe
c:\programdata\RrKki.pdf
3⤵
- Loads dropped DLL
PID:2140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4028 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3244

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3244 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\RrKki.pdf
MD5
2b8e31cc34b23a1fa8768fc8e088e5aa

SHA1
ba51f9f5ae3aac40a69309c6f9b77064423f02a0

SHA256
5348c314afb52079c6c35643e8a749c2d51c5447c78f7e28251b0cca4de6797a

SHA512
740c368dde35703b8782261e42bbf3b57e0b05f9c51a2a72010d484cdbbe5c7a36826b37b5189e4c36437f541e3282aa0c071192f7ce4ac8ee4873a5b79fa8fa

Download Submit
\ProgramData\RrKki.pdf
MD5
2b8e31cc34b23a1fa8768fc8e088e5aa

SHA1
ba51f9f5ae3aac40a69309c6f9b77064423f02a0

SHA256
5348c314afb52079c6c35643e8a749c2d51c5447c78f7e28251b0cca4de6797a

SHA512
740c368dde35703b8782261e42bbf3b57e0b05f9c51a2a72010d484cdbbe5c7a36826b37b5189e4c36437f541e3282aa0c071192f7ce4ac8ee4873a5b79fa8fa

Download Submit
memory/648-15-0x0000000000000000-mapping.dmp

Download
memory/1332-12-0x0000000000000000-mapping.dmp

Download
memory/1844-14-0x0000000000000000-mapping.dmp

Download
memory/2140-10-0x0000000000000000-mapping.dmp

Download
memory/3008-5-0x0000015EE367E000-0x0000015EE3683000-memory.dmp

Filesize
20KB

Download
memory/3008-7-0x0000015EE367E000-0x0000015EE3683000-memory.dmp

Filesize
20KB

Download
memory/3008-6-0x0000015EE367E000-0x0000015EE3683000-memory.dmp

Filesize
20KB

Download
memory/3008-2-0x00007FFC9E0E0000-0x00007FFC9E717000-memory.dmp

Filesize
6.2MB

Download
memory/3008-4-0x0000015EE367E000-0x0000015EE3683000-memory.dmp

Filesize
20KB

Download
memory/3008-3-0x0000015EE1385000-0x0000015EE13CF000-memory.dmp

Filesize
296KB

Download
memory/3156-8-0x0000000000000000-mapping.dmp

Download
memory/3784-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads