gozi_ifsb | af5030e85147368bd9ad59c09a39cbf28ecde7c7fb93e5b659346f424b3593f3

General

Target

p1cture3.jpg.dll
Size

114KB
MD5

06767d3cc0087dc7b1adc149b0f1f7d5
SHA1

0cdffab8da2e54c119426026e02d89680224c38f
SHA256

af5030e85147368bd9ad59c09a39cbf28ecde7c7fb93e5b659346f424b3593f3
SHA512

8e3a11116bee673486f6ac90ea4685a8bdc79cdb6880fda9cd92f81f902f9ec12f9b2dfa758305247f5edf908aa44ad9854a292446c2b726fe6c34b452fe0783

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

regsvr32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	regsvr32.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = de4ef1e88fadd601	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 68 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C790324B-5974-11EB-BEBD-D20AA236B192} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d00000000020000000000106600000001000020000000814affae5ce6103e3c8c267e4256c64bd9f60f7e04a5e116dd2eef03c8108006000000000e800000000200002000000038b64bf6bb5c36038cb575d73c497c30de5788dab6058a4d654a2fbf928ea5cb20000000a4d867e85fbbe0ec9f512d70d7425a31bd5841459046386feaad5c8b13d699144000000055e0dcca454c51a9b106358dde1b8327a50095230b19a05f555c7b1a40e3b45719c3565a82b81e28c3055a889816ad428e76210cc13db8f3d853e958c0dd0455	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0ed1ea581edd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909ab1d181edd601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2616054161"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30862721"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d000000000200000000001066000000010000200000007f5eb3d6e22875ffddf76ce66a9af813be155b76fe80bebd9090fefcce61a218000000000e80000000020000200000004ef212ce51bf7164f6703010cc66158312c15490689df2a2d6755e823a8be00720000000115b402e3f0b96dd6d3d4d31402515a499254f7b4d06cfe5b467e3beab60271c4000000097b178906f00aac0314a67b1e9c823882bdb470efe43f04cd3e807ffb6010dbb30a1a954c26fc26c4bf585c27ef5120c833b73e0a3179cfb277ee1b728633371	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b01926a581edd601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b01397bc81edd601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d00000000020000000000106600000001000020000000eb9d02f6cc516b5fbd7a2659401edea45d7672bcb534a9eaef9e7af984c5b72a000000000e80000000020000200000007868be08b54a021ab85242027a593bc5ad65d0c01961b135f1be52afcf47e68c2000000045d714360e9f2ecb4d4bf74c914042858f8b18da4391d267340862e4489cb363400000004a063b3a1d4103612f8598ccadab783a409e014432c03207200c75413a014b8ca8c5a75ef043416cef78c741395ff2a168f374d6f94d734ca40a458b7afbc1ac	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30862721"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f83ea431a1a9554d9899d7aad776ea2d000000000200000000001066000000010000200000004e175676dbdffb6305631932245460067182db3ac786854034fcb56958f60e09000000000e8000000002000020000000f251c1c20fe6ba63bbd103291c2d0ad996d1358db9b8a622ab86128d3f76cb55200000008fa748c9f36da05503098b3523327a0b5e4e387f2668ee8f41d61f11e273a9ed40000000c4c9f9013c06f3005295494c611430b85dcdeda241c6aace26859b8fab1ecd25ddf653fe7bdca55e910c0c6627556ca160385b17657945d80491aa3266a34863	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2616054161"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1BB554C9-5975-11EB-BEBD-D20AA236B192} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 660 IoCs

Processes:

regsvr32.exe

pid	process
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe

Suspicious use of SendNotifyMessage 656 IoCs

Processes:

regsvr32.exe

pid	process
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe
4832	regsvr32.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
4240	iexplore.exe
4240	iexplore.exe
3828	IEXPLORE.EXE
3828	IEXPLORE.EXE
4548	iexplore.exe
4548	iexplore.exe
4584	IEXPLORE.EXE
4584	IEXPLORE.EXE
1184	iexplore.exe
1184	iexplore.exe
1472	IEXPLORE.EXE
1472	IEXPLORE.EXE
2172	iexplore.exe
2172	iexplore.exe
2932	IEXPLORE.EXE
2932	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4716 wrote to memory of 4832	4716	regsvr32.exe	regsvr32.exe
PID 4716 wrote to memory of 4832	4716	regsvr32.exe	regsvr32.exe
PID 4716 wrote to memory of 4832	4716	regsvr32.exe	regsvr32.exe
PID 4240 wrote to memory of 3828	4240	iexplore.exe	IEXPLORE.EXE
PID 4240 wrote to memory of 3828	4240	iexplore.exe	IEXPLORE.EXE
PID 4240 wrote to memory of 3828	4240	iexplore.exe	IEXPLORE.EXE
PID 4548 wrote to memory of 4584	4548	iexplore.exe	IEXPLORE.EXE
PID 4548 wrote to memory of 4584	4548	iexplore.exe	IEXPLORE.EXE
PID 4548 wrote to memory of 4584	4548	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1472	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1472	1184	iexplore.exe	IEXPLORE.EXE
PID 1184 wrote to memory of 1472	1184	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 2932	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 2932	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 2932	2172	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\p1cture3.jpg.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\p1cture3.jpg.dll
2⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4240 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4548 CREDAT:82945 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1184 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-8-0x0000000000000000-mapping.dmp

Download
memory/2932-9-0x0000000000000000-mapping.dmp

Download
memory/3828-6-0x0000000000000000-mapping.dmp

Download
memory/4584-7-0x0000000000000000-mapping.dmp

Download
memory/4832-2-0x0000000000000000-mapping.dmp

Download
memory/4832-3-0x0000000000651000-0x0000000000657000-memory.dmp

Filesize
24KB

Download
memory/4832-5-0x0000000000650000-0x0000000000675000-memory.dmp

Filesize
148KB

Download
memory/4832-4-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads