gozi_rm3 | d160a82b9eb5124d9a5da6ded92f40635464cbcdf357feb471a7e87fc56a8339

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7v20210410
submitted
23-04-2021 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ursnif_23032021.dll
Size

60KB
MD5

fd52ace064492971c79ae679d1326aef
SHA1

b8fb62eaf0415586a1949863c1981d543199179b
SHA256

d160a82b9eb5124d9a5da6ded92f40635464cbcdf357feb471a7e87fc56a8339
SHA512

1249c6d8f72e45631d47bf27489761963bd2148e0c0ec1743973bbf386268cd2a9be65bc8fa6d1d9a38ada8b35e8e78f6f02a0780af12d50c461ddeec12ca10b

Score

10^/10

gozi_rm3 210307 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

exe_type
loader

Extracted

Family

gozi_rm3

Botnet

210307

https://thetopdomain.xyz

Attributes

build
300960
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4061cacd5f38d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1650D2C1-A453-11EB-877E-5A2E4D66E8CF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A64A9C1-A453-11EB-877E-5A2E4D66E8CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1E5976C1-A453-11EB-877E-5A2E4D66E8CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

584 iexplore.exe
1512 iexplore.exe
1660 iexplore.exe
1512 iexplore.exe
1960 iexplore.exe
1620 iexplore.exe
1216 iexplore.exe
660 iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
584	iexplore.exe
584	iexplore.exe
336	IEXPLORE.EXE
336	IEXPLORE.EXE
1512	iexplore.exe
1512	iexplore.exe
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1660	iexplore.exe
1660	iexplore.exe
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1512	iexplore.exe
1512	iexplore.exe
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1960	iexplore.exe
1960	iexplore.exe
1016	IEXPLORE.EXE
1016	IEXPLORE.EXE
1620	iexplore.exe
1620	iexplore.exe
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1216	iexplore.exe
1216	iexplore.exe
400	IEXPLORE.EXE
400	IEXPLORE.EXE
660	iexplore.exe
660	iexplore.exe
1996	IEXPLORE.EXE
1996	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2020 wrote to memory of 1268	2020	regsvr32.exe	regsvr32.exe
PID 2020 wrote to memory of 1268	2020	regsvr32.exe	regsvr32.exe
PID 2020 wrote to memory of 1268	2020	regsvr32.exe	regsvr32.exe
PID 2020 wrote to memory of 1268	2020	regsvr32.exe	regsvr32.exe
PID 2020 wrote to memory of 1268	2020	regsvr32.exe	regsvr32.exe
PID 2020 wrote to memory of 1268	2020	regsvr32.exe	regsvr32.exe
PID 2020 wrote to memory of 1268	2020	regsvr32.exe	regsvr32.exe
PID 584 wrote to memory of 336	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 336	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 336	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 336	584	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1716	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1716	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1716	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1716	1512	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 1548	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 1548	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 1548	1660	iexplore.exe	IEXPLORE.EXE
PID 1660 wrote to memory of 1548	1660	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1492	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1492	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1492	1512	iexplore.exe	IEXPLORE.EXE
PID 1512 wrote to memory of 1492	1512	iexplore.exe	IEXPLORE.EXE
PID 1960 wrote to memory of 1016	1960	iexplore.exe	IEXPLORE.EXE
PID 1960 wrote to memory of 1016	1960	iexplore.exe	IEXPLORE.EXE
PID 1960 wrote to memory of 1016	1960	iexplore.exe	IEXPLORE.EXE
PID 1960 wrote to memory of 1016	1960	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1616	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1616	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1616	1620	iexplore.exe	IEXPLORE.EXE
PID 1620 wrote to memory of 1616	1620	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 400	1216	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 400	1216	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 400	1216	iexplore.exe	IEXPLORE.EXE
PID 1216 wrote to memory of 400	1216	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 1996	660	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 1996	660	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 1996	660	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 1996	660	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ursnif_23032021.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ursnif_23032021.dll
2⤵
PID:1268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1512

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:660 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
d1b1f562e42dd37c408c0a3c7ccfe189

SHA1
c01e61a5c5f44fb038228b7e542f6a8d7c8c283d

SHA256
7f468f04fe5a1b0616685f157a4285090b6ed3858d4cd9efe915aaeed83c158e

SHA512
404d279fabd4886008e47e9138f799cf398f0aa4c8556192d6e45dbcde99eac2cd65c47b9e0b88bd6d3a6529818f6048a23a197a913fb917b19dffbbd5d75850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
a326af7df7d20ebd8b97452355c7ac2b

SHA1
14fce5939455e9e7d1188498310c7e0c7d7ab117

SHA256
957d73e1b134928ef6533ce6378c26b0204269fbf12541209fe5ed448fec9159

SHA512
45b51cfe5e968479736465e307e71ff396c2e78894626f3d075877c4fcb70eacdbc0fac7f1772ac6120b799c15ff27affd7379391752f19dbe8a30f7063977d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
de025e14c6490bf693ce8c938977341f

SHA1
ec384cd1d0907954dce7adbd077ea6e084ec2885

SHA256
28b2e03455a4e5b394963ea256e2649476fc353025db4cbc15498603550b1baa

SHA512
52c589302863501a983c0e38310d4c45f5bbf3e5bcb5c515566f9e010e748548b6f53cad28f3efdd428627e4943ebfe92f961132024ff8a0239dc9456fa24a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
736fcb05be274e16c6faf8c734b69f63

SHA1
ef2a1daedd1169ebf784374bc04ee8aa038541eb

SHA256
8e92faf21a7fe45109c82426e03cb7a35950dea44763c263a55e71011c8e6385

SHA512
a14b0c0108de7deabd0d9c4e62ddf53f0fb2b34595fc5610b5d37f016e202200acfaca92520c111057754d6106467a01d95ed69dc5917c07ab1b44ae90cff75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
736fcb05be274e16c6faf8c734b69f63

SHA1
ef2a1daedd1169ebf784374bc04ee8aa038541eb

SHA256
8e92faf21a7fe45109c82426e03cb7a35950dea44763c263a55e71011c8e6385

SHA512
a14b0c0108de7deabd0d9c4e62ddf53f0fb2b34595fc5610b5d37f016e202200acfaca92520c111057754d6106467a01d95ed69dc5917c07ab1b44ae90cff75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
736fcb05be274e16c6faf8c734b69f63

SHA1
ef2a1daedd1169ebf784374bc04ee8aa038541eb

SHA256
8e92faf21a7fe45109c82426e03cb7a35950dea44763c263a55e71011c8e6385

SHA512
a14b0c0108de7deabd0d9c4e62ddf53f0fb2b34595fc5610b5d37f016e202200acfaca92520c111057754d6106467a01d95ed69dc5917c07ab1b44ae90cff75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
736fcb05be274e16c6faf8c734b69f63

SHA1
ef2a1daedd1169ebf784374bc04ee8aa038541eb

SHA256
8e92faf21a7fe45109c82426e03cb7a35950dea44763c263a55e71011c8e6385

SHA512
a14b0c0108de7deabd0d9c4e62ddf53f0fb2b34595fc5610b5d37f016e202200acfaca92520c111057754d6106467a01d95ed69dc5917c07ab1b44ae90cff75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
736fcb05be274e16c6faf8c734b69f63

SHA1
ef2a1daedd1169ebf784374bc04ee8aa038541eb

SHA256
8e92faf21a7fe45109c82426e03cb7a35950dea44763c263a55e71011c8e6385

SHA512
a14b0c0108de7deabd0d9c4e62ddf53f0fb2b34595fc5610b5d37f016e202200acfaca92520c111057754d6106467a01d95ed69dc5917c07ab1b44ae90cff75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
736fcb05be274e16c6faf8c734b69f63

SHA1
ef2a1daedd1169ebf784374bc04ee8aa038541eb

SHA256
8e92faf21a7fe45109c82426e03cb7a35950dea44763c263a55e71011c8e6385

SHA512
a14b0c0108de7deabd0d9c4e62ddf53f0fb2b34595fc5610b5d37f016e202200acfaca92520c111057754d6106467a01d95ed69dc5917c07ab1b44ae90cff75c

Download Submit
memory/336-65-0x0000000000000000-mapping.dmp

Download
memory/400-85-0x0000000000000000-mapping.dmp

Download
memory/1016-81-0x0000000000000000-mapping.dmp

Download
memory/1268-62-0x0000000000390000-0x00000000003A3000-memory.dmp

Filesize
76KB

Download
memory/1268-61-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1268-60-0x0000000000000000-mapping.dmp

Download
memory/1268-67-0x00000000003B0000-0x00000000003B2000-memory.dmp

Filesize
8KB

Download
memory/1492-79-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download
memory/1492-77-0x0000000000000000-mapping.dmp

Download
memory/1548-75-0x0000000000000000-mapping.dmp

Download
memory/1616-83-0x0000000000000000-mapping.dmp

Download
memory/1716-68-0x0000000000000000-mapping.dmp

Download
memory/1996-89-0x0000000000000000-mapping.dmp

Download
memory/1996-91-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2020-59-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download