gozi_rm3 | 9fdea3c8167bc38dd8e53a51ea4c5ac366a56a342db0b1d638db33938a36c6a9

Analysis

max time kernel
144s
max time network
144s
platform
windows10_x64
resource
win10-en
submitted
09-09-2021 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MpCsDEtv.exe
Size

880KB
MD5

78a60f691996b8c5b360301a28fe32d7
SHA1

2e9b4d897355ab99a003d6eb0962ddd9eef2a7d6
SHA256

9fdea3c8167bc38dd8e53a51ea4c5ac366a56a342db0b1d638db33938a36c6a9
SHA512

88043221a6206e6592665395a5f2736dee463289f356aa15ef384ff514c0fa86b76438e7dd16d24735d622b62d92c9035119bd01f3f771ed97a090e11d5105cd

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{955F0768-11A3-11EC-A248-5E10C034CB3A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30909872"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{65D8862A-11A3-11EC-A248-5E10C034CB3A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0322758b0a5d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10865643b0a5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 404add27b0a5d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d4610000000002000000000010660000000100002000000070535d74f068b2bb96f8c1bed367e9b5b5f061dbfed7d132f2de7061f4ace035000000000e8000000002000020000000b1ecb668de0abfb8e537265ad12750415113b2de655da72ae664ea1a93eb54b9200000003bdf17ea814def232dd8d1c88db1e41c9647e4747326dd3d3f389c4261af8a8240000000210ecec7da11d466f220283a8a6dc060e8779fac368ef2c5d87f90553878ac8476391300834339bd8df748e0fccafa919f73b737ca4c40eda81750a77407a821	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000ffbe1e8fb5f5020224ec5d0d1e0a6b73686047290741ed50716bb8c519ad9315000000000e80000000020000200000000ccbc6fb84d05132ba4f63b3bdb235b3e499b5127aa7e7e3b040df010f93b2d4200000001e70b81484df4b3d3a26700d18472bc68f0ca36c893667c4084c0393cff5a0124000000075b496a445e43e28c941daf49ce4009fb9cf88d35d52bb2147db00ff227ec248e5ccda2eff8bff0bafca128165fdbed23a429e223fdc3a896d3cc3373a245b6d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000657be8ecd44217677765d79404f42d000c0fc2cb8ee2086e58c9cb3bef2b78ee000000000e8000000002000020000000c1d0ed447aa73e0dba23612d4993f9fcec3f6185aa0da3746d0ee3c0c01ea5232000000093e2c77177e162fec6997d3e967ea950dba57fd83d9a756946db742eb60bde0e400000008f0dea0dd2f5bfe5e6bddde9bac91fa3dbdfe041ad88488619b5909d5525a434438214b6b4c76a4d9095d0f6a84c141f5b07edcc37eaf640f0f32a97290a1c64	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40eda728b0a5d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0db892fb0a5d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{52B9CD2B-11A3-11EC-A248-5E10C034CB3A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E6C6BF6-11A3-11EC-A248-5E10C034CB3A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000f6e48dd4f21b4a29231b54e57c797ee12ba833ea9604830c1a83255f1a2ced90000000000e8000000002000020000000585bc910628de3a1fdfa51fb5e138ec39ce98b92e7f588197f387d061703583b20000000833f8d37fe0405595c11b40881c11e6646fdf731e87b081bb60157de980196c64000000002c273d48424d93e4445c2df302a5137a1d9ebdc10b22a05812d9d59edfc3f58e30b94a147ddf1f6eeedcc78e4d6150610b67ed1bf17871d6ec735351e97b554	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d4610000000002000000000010660000000100002000000079f754b3e6beee9e1743f08448341edf1247356770ed459ebb88020d17cdd37e000000000e8000000002000020000000815959c0ba3ef510d638dad82bd009b3970b6e92761544c5ee8f848803e8dd3920000000c54b7dcdfb2037dc9b0d675ae7da36fdeda4ecef528dfd480185290ccbdabcec400000000bb14810ac8502bcebebfa55d9b683ea5079a479025539dc08efc00267bc1c2a7824fb8513e53ea248f496e4a67755376aeec8f2cc5eb63718e690f303516852	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a23451b0a5d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "660064863"	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2096	iexplore.exe
1756	iexplore.exe
2292	iexplore.exe
3328	iexplore.exe
1972	iexplore.exe
2096	iexplore.exe
1212	iexplore.exe
960	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2096	iexplore.exe
2096	iexplore.exe
3452	IEXPLORE.EXE
3452	IEXPLORE.EXE
1756	iexplore.exe
1756	iexplore.exe
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
2292	iexplore.exe
2292	iexplore.exe
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
3328	iexplore.exe
3328	iexplore.exe
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1972	iexplore.exe
1972	iexplore.exe
3676	IEXPLORE.EXE
3676	IEXPLORE.EXE
2096	iexplore.exe
2096	iexplore.exe
3684	IEXPLORE.EXE
3684	IEXPLORE.EXE
1212	iexplore.exe
1212	iexplore.exe
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
960	iexplore.exe
960	iexplore.exe
2168	IEXPLORE.EXE
2168	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 3452	2096	iexplore.exe	82
PID 2096 wrote to memory of 3452	2096	iexplore.exe	82
PID 2096 wrote to memory of 3452	2096	iexplore.exe	82
PID 1756 wrote to memory of 1212	1756	iexplore.exe	84
PID 1756 wrote to memory of 1212	1756	iexplore.exe	84
PID 1756 wrote to memory of 1212	1756	iexplore.exe	84
PID 2292 wrote to memory of 1036	2292	iexplore.exe	86
PID 2292 wrote to memory of 1036	2292	iexplore.exe	86
PID 2292 wrote to memory of 1036	2292	iexplore.exe	86
PID 3328 wrote to memory of 1352	3328	iexplore.exe	88
PID 3328 wrote to memory of 1352	3328	iexplore.exe	88
PID 3328 wrote to memory of 1352	3328	iexplore.exe	88
PID 1972 wrote to memory of 3676	1972	iexplore.exe	90
PID 1972 wrote to memory of 3676	1972	iexplore.exe	90
PID 1972 wrote to memory of 3676	1972	iexplore.exe	90
PID 2096 wrote to memory of 3684	2096	iexplore.exe	92
PID 2096 wrote to memory of 3684	2096	iexplore.exe	92
PID 2096 wrote to memory of 3684	2096	iexplore.exe	92
PID 1212 wrote to memory of 1352	1212	iexplore.exe	94
PID 1212 wrote to memory of 1352	1212	iexplore.exe	94
PID 1212 wrote to memory of 1352	1212	iexplore.exe	94
PID 960 wrote to memory of 2168	960	iexplore.exe	96
PID 960 wrote to memory of 2168	960	iexplore.exe	96
PID 960 wrote to memory of 2168	960	iexplore.exe	96

C:\Users\Admin\AppData\Local\Temp\MpCsDEtv.exe
"C:\Users\Admin\AppData\Local\Temp\MpCsDEtv.exe"
1⤵
PID:3992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3328 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2096 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1212 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-135-0x00007FFEB02F0000-0x00007FFEB035B000-memory.dmp

Filesize
428KB

Download
memory/1212-133-0x00007FFEB02F0000-0x00007FFEB035B000-memory.dmp

Filesize
428KB

Download
memory/1756-123-0x00007FFEB02F0000-0x00007FFEB035B000-memory.dmp

Filesize
428KB

Download
memory/1972-129-0x00007FFEB02F0000-0x00007FFEB035B000-memory.dmp

Filesize
428KB

Download
memory/2096-121-0x00007FFEA2F30000-0x00007FFEA2F9B000-memory.dmp

Filesize
428KB

Download
memory/2096-131-0x00007FFEB02F0000-0x00007FFEB035B000-memory.dmp

Filesize
428KB

Download
memory/2292-125-0x00007FFEB02F0000-0x00007FFEB035B000-memory.dmp

Filesize
428KB

Download
memory/3328-127-0x00007FFEB02F0000-0x00007FFEB035B000-memory.dmp

Filesize
428KB

Download
memory/3992-116-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/3992-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3992-118-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/3992-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads