gozi_rm3 | 041d5d8edb606415cdcb6670b69ed4b2a2d80a8eb3e4dc75f0a9b2d558bedf60

Analysis

max time kernel
149s
max time network
152s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

041d5d8edb606415cdcb6670b69ed4b2a2d80a8eb3e4dc75f0a9b2d558bedf60.exe
Size

880KB
MD5

2926d2ff62efaa0fbfdcc3fb7e77c6d2
SHA1

dc5ebad8503139f8ce84927fda0ec9adb5b77200
SHA256

041d5d8edb606415cdcb6670b69ed4b2a2d80a8eb3e4dc75f0a9b2d558bedf60
SHA512

1c122a0a63f010e55765f32c0495611c48eec7f7f076a3644e4ddc37763b5c6984e3ef62cf27f3e2b771b8b3a4917e998a88e1ec94e679cdc891e490cc20ec07

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2025a92805a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4269487286"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903629ff04a6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00bdcff04a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000cfcb928758ad99322c48b9e4eaac4775f03dcc3444e025168db8e159bf659360000000000e8000000002000020000000bc81bd921037969ad463b7b2e4e17239ae5fd0b94bb2ff361e51d8e8908ad0dc20000000e121b8e27b2229a9ff3592a0d322b4fe9141b9174a27b2c852d6435b4df7e016400000006098a523a67959f576d07d7304ad0654bc2db84e8fad9eaec468d4e3c2593dfd8d521a48a43e1f277dae3336713f372f03161af2b6ec6ebfb6e65ec5ff736d60	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000004833fc6106e31b72c4565605f8f8f1b0f3b30620fe3d6340bbaaae0fb8843d14000000000e8000000002000020000000ebc5e9c28cdb22d3c5d8c101f3deac4cb748564c4eabf3dc5997a1c2945cc9e12000000092e587d82794d3b14515405d3080b8631d94825f79228428242e182d52b2e6c240000000ba52d03201fc7531c6cfdec8616e528022010cdbbdbd46889de6665aa170a1677c6a0faa60885e8f45c3c05fbb95bf654624db030fa749e0226848c521a0c523	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000008d3069115dd7129ada4875accedab26d395e9837adb9e51ade8cfaa9bcaf830b000000000e80000000020000200000000ee9d0e188d022dad5ff76fd2e957e14b38a60b6c85575ace7974d41ec6ea33120000000c9296bbb2abf9923b242de071eadee55371c31bc6c1f68feaff82e13e2d5acfd400000006af03292cabdc3ffdecabe325f31b8e4c75342cb409aecbee3b37f5db1814a3ed0e75effd255d85ffa24d7005fbfcdfa22908d86f8ed8a06494f24b559dfc582	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57EFC7A9-11F8-11EC-A248-4211C2EE8361} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000354226ca5cda9eec7faee06190645d0f3c92bb4b15e00930bd8646cdff66dff3000000000e8000000002000020000000bedcfa7ffac9fbd3840bd30cf0981ec83171c9164492b714d9b90327ff21a885200000001b034fd3b91a99116b7d304be5c3cb9fcc2e96ae3e49a5428f54f4b34cb91fd2400000009f06862df9261950d10ec5bf6d26260749427a1a4484d5e373deead97027580d0d582dbd34d728bccd723b383da183d12b8ad728a0e3310312a2935a2ea1577e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2020e40605a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000015412ae60c07de3f87d0b2116218977fdb8feacde375a772bcd4f1a5693eb5c000000000e800000000200002000000074a5408e90131ec2d6aba4e18dd0e72bbaf9985e495067375f4bb09f58ae254720000000501b722dcd7915be226b83724ea43df26b74e3c11eaaecb2766e4da3fd25c836400000001ef15a43c8856d6406a2ed28e611a722da1cb66adb185ccaddac2596c9f7a32babe5aaad214e15dbe0b765aa99b2a55e7eafc0024cfcb4650dee1c83a4a3e348	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6CD11ED1-11F8-11EC-A248-4211C2EE8361} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
540	iexplore.exe
1204	iexplore.exe
2396	iexplore.exe
3392	iexplore.exe
4600	iexplore.exe
3976	iexplore.exe
4324	iexplore.exe
680	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
540	iexplore.exe
540	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
1204	iexplore.exe
1204	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
2396	iexplore.exe
2396	iexplore.exe
4112	IEXPLORE.EXE
4112	IEXPLORE.EXE
3392	iexplore.exe
3392	iexplore.exe
3476	IEXPLORE.EXE
3476	IEXPLORE.EXE
4600	iexplore.exe
4600	iexplore.exe
5080	IEXPLORE.EXE
5080	IEXPLORE.EXE
3976	iexplore.exe
3976	iexplore.exe
4064	IEXPLORE.EXE
4064	IEXPLORE.EXE
4324	iexplore.exe
4324	iexplore.exe
3184	IEXPLORE.EXE
3184	IEXPLORE.EXE
680	iexplore.exe
680	iexplore.exe
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 204	540	iexplore.exe	82
PID 540 wrote to memory of 204	540	iexplore.exe	82
PID 540 wrote to memory of 204	540	iexplore.exe	82
PID 1204 wrote to memory of 1584	1204	iexplore.exe	84
PID 1204 wrote to memory of 1584	1204	iexplore.exe	84
PID 1204 wrote to memory of 1584	1204	iexplore.exe	84
PID 2396 wrote to memory of 4112	2396	iexplore.exe	86
PID 2396 wrote to memory of 4112	2396	iexplore.exe	86
PID 2396 wrote to memory of 4112	2396	iexplore.exe	86
PID 3392 wrote to memory of 3476	3392	iexplore.exe	88
PID 3392 wrote to memory of 3476	3392	iexplore.exe	88
PID 3392 wrote to memory of 3476	3392	iexplore.exe	88
PID 4600 wrote to memory of 5080	4600	iexplore.exe	90
PID 4600 wrote to memory of 5080	4600	iexplore.exe	90
PID 4600 wrote to memory of 5080	4600	iexplore.exe	90
PID 3976 wrote to memory of 4064	3976	iexplore.exe	92
PID 3976 wrote to memory of 4064	3976	iexplore.exe	92
PID 3976 wrote to memory of 4064	3976	iexplore.exe	92
PID 4324 wrote to memory of 3184	4324	iexplore.exe	94
PID 4324 wrote to memory of 3184	4324	iexplore.exe	94
PID 4324 wrote to memory of 3184	4324	iexplore.exe	94
PID 680 wrote to memory of 2312	680	iexplore.exe	96
PID 680 wrote to memory of 2312	680	iexplore.exe	96
PID 680 wrote to memory of 2312	680	iexplore.exe	96

C:\Users\Admin\AppData\Local\Temp\041d5d8edb606415cdcb6670b69ed4b2a2d80a8eb3e4dc75f0a9b2d558bedf60.exe
"C:\Users\Admin\AppData\Local\Temp\041d5d8edb606415cdcb6670b69ed4b2a2d80a8eb3e4dc75f0a9b2d558bedf60.exe"
1⤵
PID:4564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:540 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3476

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4600 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3976 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4324 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3184

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:680 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-121-0x00007FFF5AF40000-0x00007FFF5AFAB000-memory.dmp

Filesize
428KB

Download
memory/680-135-0x00007FFF68250000-0x00007FFF682BB000-memory.dmp

Filesize
428KB

Download
memory/1204-123-0x00007FFF68250000-0x00007FFF682BB000-memory.dmp

Filesize
428KB

Download
memory/2396-125-0x00007FFF68250000-0x00007FFF682BB000-memory.dmp

Filesize
428KB

Download
memory/3392-127-0x00007FFF68250000-0x00007FFF682BB000-memory.dmp

Filesize
428KB

Download
memory/3976-131-0x00007FFF68250000-0x00007FFF682BB000-memory.dmp

Filesize
428KB

Download
memory/4324-133-0x00007FFF68250000-0x00007FFF682BB000-memory.dmp

Filesize
428KB

Download
memory/4564-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/4564-120-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download
memory/4564-118-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/4564-116-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/4600-129-0x00007FFF68250000-0x00007FFF682BB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads