gozi_rm3 | 983b4248feffd69b25e3c94a986a80c5f50b98cda07d3346eb397b854c9e2351

Analysis

max time kernel
146s
max time network
159s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

983b4248feffd69b25e3c94a986a80c5f50b98cda07d3346eb397b854c9e2351.exe
Size

880KB
MD5

a08d2bdd531364eca4c4b17675804042
SHA1

4e4b9615527dfde4c32ad281bdb8f9f9d08151e6
SHA256

983b4248feffd69b25e3c94a986a80c5f50b98cda07d3346eb397b854c9e2351
SHA512

af9df06fe31cca6969d469a75e4d3ce54d922c654188455d1b1622efe68a500002ffc3593b6ce79f6c8ceb51e701b1bf7d84acd331745c935cd23e823c76dc82

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3967217511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fa047d5d79fde489fae867087824190000000000200000000001066000000010000200000001c963f9a1618d0a3f1408bd5577acb7d08c338c018bd519e423eee73ba196d49000000000e8000000002000020000000d7f3af8206f34f92bf53f7f8e1396491e5d576ff4bc082adb9c6aca873333e232000000039398de14315562bd85b014a45a7ae034ad89e8dcfcc991dec4ea585fd552045400000003106769d8ff189b183926284ab1548599909cbe659a3ef4f84920ab2ba2862414971e9703926d1b10aac79aa273acbdc9784d541683096be56137aa997dd074d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0215ef515a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{407D890C-1209-11EC-B2DB-6AC8DF09D482} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fa047d5d79fde489fae86708782419000000000020000000000106600000001000020000000c2e0c9217cff351f79bf197bc63cf3fc5bb4115e34039feb686eb074e971dcc8000000000e8000000002000020000000d3ceaa956c03662c1663a5b6743ad9cef9ca8ef9868fec0f062f737bbb83cf86200000009e0864c9eae9fa94fe6ee129171ee8ca31b014d004839a390e3e6f9fee77128840000000ec5ff146b96433630dc49052ee8f29d6b9afc5a0d1c9145989f84b3613b8875741f062e05d4d8e92f150ffdef03c149b66369768b7bf564f1445b1760389dc22	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fa047d5d79fde489fae86708782419000000000020000000000106600000001000020000000e27742a4c3a8f29042f92a88cd47eac37250a0441527a99468067b852cff3794000000000e80000000020000200000004ebbb8e079b7792a02a7b4c23a7cca558770f478481d51e752d3ae213a14fa0b20000000275ffdd4fac0d44aac423455ec1370b4a79367fb898db9ecc7e4e2916ffa8a3040000000c41b212c6f86aec5ee2f10b12146776334701722b88a6777a6cefa4f22519992ecc511f7f70fad5a796e26ce65efbdd10ddeb94a3c7fc15390c15747739bb7bd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fa047d5d79fde489fae86708782419000000000020000000000106600000001000020000000455e0581b3e45d241834927300130ddc2b41d7cc662dd2386af6023545fe409d000000000e80000000020000200000004f0d3c2ae7b15723d1e66e0787235c3ff8de956ae715418f496883e96d717cbf200000008df348a3d1c63d29684d751cb5c6f6871e82cebc52f1d4b70cd3b9d7ccdf49af40000000d8fb1ec3794be63ddca5b8c7a2afaa03d4c717e6ee8dd5df4781f1a5fe49c8a6cecd630d46cda14a8f4349a2664a372bf0bbb7beb018e5e12cf4f7bdcc3b60ea	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5B657104-1209-11EC-B2DB-6AC8DF09D482} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f25f0316a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fa047d5d79fde489fae867087824190000000000200000000001066000000010000200000004bb8dec31c036c95069c688ebdd1a6254f097fdb7f5632fa5ff7fd41d3886c92000000000e800000000200002000000076d786a1a91fac6660525e06d0424a93f349de1afb618180a238a8e6cbba335020000000eb0f05290a476717be5185b2f9796a1fbc0c8d8b23b23f06240d48c14dfdf83b4000000048537ab1ec32a3988145a8642319ca158a0b961e71339aac481b3d06768b655c7ec341e2b4bf0424e96ebc77e2c38d69c30546abd0028449ad8a6c987aebf03b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3282DE12-1209-11EC-B2DB-6AC8DF09D482} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17D8F0F1-1209-11EC-B2DB-6AC8DF09D482} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c563fc15a6d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f5abee15a6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fa047d5d79fde489fae867087824190000000000200000000001066000000010000200000002a4828e2a480138a4e386cb1ef928d6cc46fecf98d28831e092fa45a88ad7e0d000000000e80000000020000200000003df2789827f5fb5dcc7c5c5237f8dc2e8f509f205890afab93ba6ea9e04d1f05200000002a65ba4f0ef9cd63cace4ba02fbca4881dd4391b2d2bdbe642ea322bfaf8dcdd40000000e577f6a2abcc049dbd5f3de44f26e538616d71af722ae6bd9c4b5ca3d58f0f12efb5cabe6ef2180773d64c86f981e195620ac6c924ea907fe296e3e7c540b2b3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3116	iexplore.exe
1424	iexplore.exe
1308	iexplore.exe
3896	iexplore.exe
516	iexplore.exe
2172	iexplore.exe
3384	iexplore.exe
2784	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3116	iexplore.exe
3116	iexplore.exe
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE
1424	iexplore.exe
1424	iexplore.exe
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
1308	iexplore.exe
1308	iexplore.exe
820	IEXPLORE.EXE
820	IEXPLORE.EXE
3896	iexplore.exe
3896	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
516	iexplore.exe
516	iexplore.exe
3944	IEXPLORE.EXE
3944	IEXPLORE.EXE
2172	iexplore.exe
2172	iexplore.exe
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
3384	iexplore.exe
3384	iexplore.exe
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2784	iexplore.exe
2784	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 1592	3116	iexplore.exe	81
PID 3116 wrote to memory of 1592	3116	iexplore.exe	81
PID 3116 wrote to memory of 1592	3116	iexplore.exe	81
PID 1424 wrote to memory of 2824	1424	iexplore.exe	83
PID 1424 wrote to memory of 2824	1424	iexplore.exe	83
PID 1424 wrote to memory of 2824	1424	iexplore.exe	83
PID 1308 wrote to memory of 820	1308	iexplore.exe	85
PID 1308 wrote to memory of 820	1308	iexplore.exe	85
PID 1308 wrote to memory of 820	1308	iexplore.exe	85
PID 3896 wrote to memory of 2652	3896	iexplore.exe	87
PID 3896 wrote to memory of 2652	3896	iexplore.exe	87
PID 3896 wrote to memory of 2652	3896	iexplore.exe	87
PID 516 wrote to memory of 3944	516	iexplore.exe	89
PID 516 wrote to memory of 3944	516	iexplore.exe	89
PID 516 wrote to memory of 3944	516	iexplore.exe	89
PID 2172 wrote to memory of 2088	2172	iexplore.exe	91
PID 2172 wrote to memory of 2088	2172	iexplore.exe	91
PID 2172 wrote to memory of 2088	2172	iexplore.exe	91
PID 3384 wrote to memory of 2648	3384	iexplore.exe	93
PID 3384 wrote to memory of 2648	3384	iexplore.exe	93
PID 3384 wrote to memory of 2648	3384	iexplore.exe	93
PID 2784 wrote to memory of 2652	2784	iexplore.exe	95
PID 2784 wrote to memory of 2652	2784	iexplore.exe	95
PID 2784 wrote to memory of 2652	2784	iexplore.exe	95

C:\Users\Admin\AppData\Local\Temp\983b4248feffd69b25e3c94a986a80c5f50b98cda07d3346eb397b854c9e2351.exe
"C:\Users\Admin\AppData\Local\Temp\983b4248feffd69b25e3c94a986a80c5f50b98cda07d3346eb397b854c9e2351.exe"
1⤵
PID:660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3116 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3896 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:516
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:516 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3384 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-128-0x00007FFDE74D0000-0x00007FFDE753B000-memory.dmp

Filesize
428KB

Download
memory/660-115-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/660-116-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/660-118-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/660-114-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1308-124-0x00007FFDE74D0000-0x00007FFDE753B000-memory.dmp

Filesize
428KB

Download
memory/1424-122-0x00007FFDE74D0000-0x00007FFDE753B000-memory.dmp

Filesize
428KB

Download
memory/2172-130-0x00007FFDE74D0000-0x00007FFDE753B000-memory.dmp

Filesize
428KB

Download
memory/2784-134-0x00007FFDE9990000-0x00007FFDE99FB000-memory.dmp

Filesize
428KB

Download
memory/3116-120-0x00007FFDE73E0000-0x00007FFDE744B000-memory.dmp

Filesize
428KB

Download
memory/3384-132-0x00007FFDE74D0000-0x00007FFDE753B000-memory.dmp

Filesize
428KB

Download
memory/3896-126-0x00007FFDE74D0000-0x00007FFDE753B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads