gozi_ifsb | 00af5f13551c5e20fe29ec3d12dca555a56cd1edcd0a8633373872334de485ae

General

Target

p1cture3.dll
Size

133KB
MD5

363430ba47c7d69f75e9bc90dbbc1d8c
SHA1

47fe41dd67e0245c1ece8fcd2c10c713823db833
SHA256

00af5f13551c5e20fe29ec3d12dca555a56cd1edcd0a8633373872334de485ae
SHA512

4e081eb20aaaa487e9047f29b12b508d62fd77517652088d86e310d7d55492ecc4fb2033778cc0e9ce863ae00f7a36aeefa52a24e1e520897b53f8206abca785

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 7fd9c04391add601	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 68 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1515069744"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1515069744"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30856519"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{859D0B5A-413A-11EB-B59A-CAD1272A8716} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A8E91C2D-413A-11EB-B59A-CAD1272A8716} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000c5fe2f855e95b341171c44b8d785d54e3244d796ca3a88ea90ad62506459d484000000000e8000000002000020000000953ee1576766ee28452e16bf38a3cc2779fe218f0e4e15a8ba3d53e479b8eb412000000070096fcc6260a1c775ca1befd08408dcf778e15f8d358b4192de238f2151e2e34000000055004e42d510363e67a9f56bf91f8064824ff2d09eaa04c445c16ce18f2304a015c812b717a7f15c5f000a8884149457e37aaf89f64257b5c0946af3a232c58f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5F559E7-413A-11EB-B59A-CAD1272A8716} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000f711d8e58a99d13f3f0efabfde76826fc8e629fd368efc469541d826938a0fd6000000000e80000000020000200000003c3eaf8ba5c4fceb28eec07b4d9ea257167383740af02817e109310797968a732000000042bb7f93a90c6df069c2205a0e60df6ad66bb1d3ce2acd30bcbdd638affca72e40000000c8267f82d72c02ad6fd4d48db0508419339d0e783c3177bbba2828db2fbf94253e735425d748891e2729045d01ff42ccd5139293c2b4d581a4f35fd6addb2763	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0a6276547d5d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CB3AD582-413A-11EB-B59A-CAD1272A8716} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0b24c8147d5d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06fe36b47d5d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a00000000020000000000106600000001000020000000fd61bf497d720a87cabbadcc86a5f8017912d7fd441173869c56df055738049e000000000e80000000020000200000003ed089e2423af8a2b38792bfd5f9b48bb65fdaacf9bb4f5fbebfc2462ffa6dad20000000f84a538ed35c520222c80576d953d2746cced4c1ca6c7dc20291c01533d60f6440000000ad3c16b60a1c63f237bbfa1af8b01ee211425a24105b066e6c6b7c85640f235c6fbf37836af70e23c6e5b852ba2f7a746a21f4aec07999ff1d55376435d466fa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30856519"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ac086547d5d601	iexplore.exe

Suspicious use of FindShellTrayWindow 1558 IoCs

Processes:

regsvr32.exe

pid	process
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe

Suspicious use of SendNotifyMessage 1554 IoCs

Processes:

regsvr32.exe

pid	process
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe
4940	regsvr32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
3424	iexplore.exe
3424	iexplore.exe
3256	IEXPLORE.EXE
3256	IEXPLORE.EXE
1556	iexplore.exe
1556	iexplore.exe
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
2528	iexplore.exe
2528	iexplore.exe
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
4428	iexplore.exe
4428	iexplore.exe
4424	IEXPLORE.EXE
4424	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4688 wrote to memory of 4940	4688	regsvr32.exe	regsvr32.exe
PID 4688 wrote to memory of 4940	4688	regsvr32.exe	regsvr32.exe
PID 4688 wrote to memory of 4940	4688	regsvr32.exe	regsvr32.exe
PID 3424 wrote to memory of 3256	3424	iexplore.exe	IEXPLORE.EXE
PID 3424 wrote to memory of 3256	3424	iexplore.exe	IEXPLORE.EXE
PID 3424 wrote to memory of 3256	3424	iexplore.exe	IEXPLORE.EXE
PID 1556 wrote to memory of 1816	1556	iexplore.exe	IEXPLORE.EXE
PID 1556 wrote to memory of 1816	1556	iexplore.exe	IEXPLORE.EXE
PID 1556 wrote to memory of 1816	1556	iexplore.exe	IEXPLORE.EXE
PID 2528 wrote to memory of 2836	2528	iexplore.exe	IEXPLORE.EXE
PID 2528 wrote to memory of 2836	2528	iexplore.exe	IEXPLORE.EXE
PID 2528 wrote to memory of 2836	2528	iexplore.exe	IEXPLORE.EXE
PID 4428 wrote to memory of 4424	4428	iexplore.exe	IEXPLORE.EXE
PID 4428 wrote to memory of 4424	4428	iexplore.exe	IEXPLORE.EXE
PID 4428 wrote to memory of 4424	4428	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\p1cture3.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\p1cture3.dll
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3424

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3424 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4428 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1816-4-0x0000000000000000-mapping.dmp

Download
memory/2836-5-0x0000000000000000-mapping.dmp

Download
memory/3256-3-0x0000000000000000-mapping.dmp

Download
memory/4424-6-0x0000000000000000-mapping.dmp

Download
memory/4940-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads