gozi_rm3 | eb6f84aa58fd61f76d3920f777607b242bb2fc132f6dbd7a84fdb7452f6a9605

Resubmissions

19-04-2021 09:51

210419-vsfnbxzjyn 10

Analysis

max time kernel
141s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
19-04-2021 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

selected-jobs.xls
Size

1.9MB
MD5

4ab1efff60052e63eaace56a29413b62
SHA1

6e574a62a5ca46e5e2a8c3861feb3a4ef0b6e866
SHA256

eb6f84aa58fd61f76d3920f777607b242bb2fc132f6dbd7a84fdb7452f6a9605
SHA512

a699e34d720e70e1168e83ffcfbb5d1743bb9bbae34658fbb921d93186e49032eb0eb8fa8b7be28d6b57e9c4338c05f21036bdaac81f67bcea03ddb68c3a9055

Score

10^/10

gozi_rm3 210306 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

210306

https://getroad.xyz

Attributes

build
300960
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1796	3164	rundll32.exe	67

Blocklisted process makes network request 1 IoCs

flow	pid	Process
39	1808	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
1808	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36EA96B1-A106-11EB-B2DB-FE963E078230} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "190219117"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30881043"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c369e1f7dd80e4a838305ff88bb1ffa000000000200000000001066000000010000200000001fd2c0e04e5b665fa829bace744b83862c8a812cdfd87003c1760030088ac1bd000000000e80000000020000200000008420ce4e861f4e1c88c51e3802c7deeaa2abe3292c9724f3f68624137a9ed8afa0000000d8c0455dcb4d93937f6abf88ff52d404b0620f70877210a92d50b0cc87096dca0d563083675d0fcd521720718855ba89e80232842f4c3dba2c74ec6dbb47423aad2b1e714cd8bd636a14d184df85fc6776bca103cca55486b5a84b0135224893ea1a7ba6abd9063bc2d5cd3365c9c03bd00ac3a6d4bad3ef5fb1555149b8e7be1faa1017b44a12a54875c0a94460c3dcb3c1e225e577d0b4d7c4a05ae0f9f00640000000253d183ee39865f7fa3d3332639849546b0b28e09d79a27e1e3605fddd79facc006331d7f74b2a2c5378c4f984994e03ca1d5f5219bbfc80f51b39c1b5ffe2ff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D801454-A106-11EB-B2DB-FE963E078230} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e02515141335d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{523B6806-A106-11EB-B2DB-FE963E078230} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c369e1f7dd80e4a838305ff88bb1ffa00000000020000000000106600000001000020000000da3c291fd661b527b180c419d26477154f9e7193c7f048ab375c1639facd0da7000000000e8000000002000020000000758602c491edc90f54eceb358c164524f6ce6707ec097a81f9b4dd68e80f2f32a000000036583b21fa73631c013eb5c67425b4910611a054c938952fa7f5d70c7e216c6a09dfcfbab31e2af4e672058635ae4a995bc0bb4e301f1ac3065932050b62e0815b25b4be0e6a2477bf5b532a8beb9189fcfdd4d99981a74dcce76de0492b51776fd11c6600fe789c1dd5fc3c678551d4536c7c0d18662277a1e21b6a6889321e97b89f06c6ce51f3258710d1c20b73751e06c9b3285155e66bf063a3240177b4400000000220e1aaee50fde0b25557e1e102c2d325b28f5ac8ebc6c29ab0ca059a2d2762cd325cbd6fa112c43d6eb0ebb3998947ee0c76d50b3cb0ec4cd064f00f0fcc8b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c369e1f7dd80e4a838305ff88bb1ffa000000000200000000001066000000010000200000009d190711611e1c45857c7c81311da512ca3029e2e6fdc8fdb5392b77accce269000000000e800000000200002000000067c9d547ed3dd935c029547d1cb9f96d104b06aea27938c6bac9ebaa69ff3db9a0000000936efde3bcf6f4fa60d0adffecc190c3c317ddb3a7d268ad1792fded0f5ccc4e25e229c98c9fb0f0ee6c80810a38760a9b4427775365d1ad1f5b720904e2b4b95e48b096b6fcf227bcc478f8a2c0ca507f9254647936a61178bc2330c146c7993543df71c906209f555c14a669c0803dee6c423b73e28b63968465d92e050f4c429c4c0b6b2a9520415a5a90213f08a583a7da9b65d25118e180d2db32ed74ca400000000d64bbc8e198319afa2d6db7a73c46e59895ac5d095411c11f1a2930336f3d798457b40de881a08f773e9f4e9405f21c3676426bf76a160aa1c556bf8e080d20	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 209e92151335d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007c369e1f7dd80e4a838305ff88bb1ffa00000000020000000000106600000001000020000000f2940247d8b9af8467f1fe3b30212b2999b593b0e3283b3fb5d046d7f2e65fd0000000000e80000000020000200000001f50c5366fd3aa40eb3df62a4d22605a73c943e057a3c5755df908ba5f85ac3ba0000000224eeaf73241c791d046db7fc366649d39de252c90693b94ac4cea5dc7d18b54b9494871b32d74bada7ddfd5c88ace79ff2461cbb9196cdb9a583de2f6fcf5062b52bc0ce75f73eb22a4b3354a721a92ccff196a6fe83d319844afb8ca1ed13d968455ded174fe710f0b0052efba2fb1aa866e7e139f7a72e3c45e00ecb21a809ab0294b3e8108189317628f40d29c57c7699af64546227fb504dedf5c1d1dba400000001140f9f2250f30bba657bbc21be266555648b30dab26e837fdff513851a5904e11a9f61ebac28295b05aa1585ca6933332118156e40ac0cf30dfb1489617c63a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30881043"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e7fa131335d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "190219117"	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3164	EXCEL.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2292	iexplore.exe
2364	iexplore.exe
2844	iexplore.exe
2232	iexplore.exe
2560	iexplore.exe
2592	iexplore.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
2292	iexplore.exe
2292	iexplore.exe
3156	IEXPLORE.EXE
3156	IEXPLORE.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
2364	iexplore.exe
2364	iexplore.exe
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
2844	iexplore.exe
2844	iexplore.exe
188	IEXPLORE.EXE
188	IEXPLORE.EXE
2232	iexplore.exe
2232	iexplore.exe
3076	IEXPLORE.EXE
3076	IEXPLORE.EXE
2560	iexplore.exe
2560	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2592	iexplore.exe
2592	iexplore.exe
492	IEXPLORE.EXE
492	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 1796	3164	EXCEL.EXE	77
PID 3164 wrote to memory of 1796	3164	EXCEL.EXE	77
PID 1796 wrote to memory of 1808	1796	rundll32.exe	78
PID 1796 wrote to memory of 1808	1796	rundll32.exe	78
PID 1796 wrote to memory of 1808	1796	rundll32.exe	78
PID 2292 wrote to memory of 3156	2292	iexplore.exe	85
PID 2292 wrote to memory of 3156	2292	iexplore.exe	85
PID 2292 wrote to memory of 3156	2292	iexplore.exe	85
PID 2364 wrote to memory of 2272	2364	iexplore.exe	87
PID 2364 wrote to memory of 2272	2364	iexplore.exe	87
PID 2364 wrote to memory of 2272	2364	iexplore.exe	87
PID 2844 wrote to memory of 188	2844	iexplore.exe	89
PID 2844 wrote to memory of 188	2844	iexplore.exe	89
PID 2844 wrote to memory of 188	2844	iexplore.exe	89
PID 2232 wrote to memory of 3076	2232	iexplore.exe	91
PID 2232 wrote to memory of 3076	2232	iexplore.exe	91
PID 2232 wrote to memory of 3076	2232	iexplore.exe	91
PID 2560 wrote to memory of 2628	2560	iexplore.exe	93
PID 2560 wrote to memory of 2628	2560	iexplore.exe	93
PID 2560 wrote to memory of 2628	2560	iexplore.exe	93
PID 2592 wrote to memory of 492	2592	iexplore.exe	95
PID 2592 wrote to memory of 492	2592	iexplore.exe	95
PID 2592 wrote to memory of 492	2592	iexplore.exe	95

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\selected-jobs.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\SYSTEM32\rundll32.exe
  rundll32 ..\ismvxl.woc,DllRegisterServer
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 ..\ismvxl.woc,DllRegisterServer
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3156

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1808-184-0x0000000002FF0000-0x0000000002FFF000-memory.dmp

Filesize
60KB

Download
memory/1808-183-0x0000000002FD0000-0x0000000002FDC000-memory.dmp

Filesize
48KB

Download
memory/3164-119-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

Filesize
64KB

Download
memory/3164-118-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

Filesize
64KB

Download
memory/3164-123-0x0000025CE5100000-0x0000025CE6FF5000-memory.dmp

Filesize
31.0MB

Download
memory/3164-117-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

Filesize
64KB

Download
memory/3164-116-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

Filesize
64KB

Download
memory/3164-122-0x00007FFB9C6D0000-0x00007FFB9D7BE000-memory.dmp

Filesize
16.9MB

Download
memory/3164-114-0x00007FF6011A0000-0x00007FF604756000-memory.dmp

Filesize
53.7MB

Download
memory/3164-115-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads