gozi_rm3 | 1fd238418ac4555bbad917983054d445b1134f135f610d0bce3b80919b75ed77

Analysis

max time kernel
150s
max time network
162s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fd238418ac4555bbad917983054d445b1134f135f610d0bce3b80919b75ed77.exe
Size

880KB
MD5

38bd49ed803d8d74ffbf1f93931d7c78
SHA1

52ff7462e7b4b65803f1ebc4615655c8b80eac16
SHA256

1fd238418ac4555bbad917983054d445b1134f135f610d0bce3b80919b75ed77
SHA512

775e9bcd7db808cd3a0285c14b4f67a4bc33c4c4c6f43e8045c8f8b89c41a705f008c7241107d0409e0a10566a1666acc303493d4a6c39235c82b1e0e9867530

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30909981"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{25FAD265-1211-11EC-B2DB-F634F559A0EA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0d2e8db1da6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f76176845b0b2e4398e74b822b2d867f00000000020000000000106600000001000020000000ac4d7bcf17705fbb38c1d288540adf479eb864102e00d92a0b47caf7b1d4d951000000000e8000000002000020000000356601af4e176de8231f313d3450e68a1facb0b644c0fb3e990d6d1cf425421b200000002c662146b66f016a7360b2cc983a5417812ed6c55824f7e9fbd64b701bd34e0440000000e2f70bf097889bc1fb02291344295895a620ca70d7b7ea662ba32320a97f6f7468b03e7e012d464c4ca1fd07c1a1cbe5541ded5d6ebdcc0afcf2ffd43271d446	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f76176845b0b2e4398e74b822b2d867f000000000200000000001066000000010000200000002d4ffb4f71e73a17646d1d3462a8599e6aaea1311c70e1c27d989307583f3a74000000000e800000000200002000000025b289666bd9237c0cfae7f6a641d83464b1122d01191e7cc0a2a54decba15bd20000000dec8fd3d58f42594f6bdeaa607708cbc96fe835d7ba9eec9811e8940b91ce120400000002bd8f89429e6a2243b6437ac98e56a0a9fda34cd27a32a7bc00c8f7f0dfa352a29f24dc1f1c244ea7488b95aa199a67cefd0f455447c1e787cf3d99350926a44	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18FCE179-1211-11EC-B2DB-F634F559A0EA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5B596FD-1210-11EC-B2DB-F634F559A0EA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10ee19cd1da6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f76176845b0b2e4398e74b822b2d867f00000000020000000000106600000001000020000000701f5c2fa5ddcffc0e76fe8c707fcfd5e8521d739ccdba416511fdefd7d8e412000000000e80000000020000200000009c220c5fbb9f9409ea87e201b0bc8e099b4a168bb927071c0c146c70084fdb9720000000e141e370071593f159c0a1d69e9e2d6c47b4e317d71cd968bdfbcbc702e01c2d400000003c1ac61a9817b37252efdaf176f9030c6aa91bf7f22c81a423a0b9a418ce8dcfd98568265f3332a4add845870a876ffe6888e59d592d666db37df198e5bf3675	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f76176845b0b2e4398e74b822b2d867f000000000200000000001066000000010000200000007a580a03e215ecc6826bf69a5aaca937f59b85da8c86b6d0f8d64fd3137c4b79000000000e8000000002000020000000ed7d1df0dc8f5299a3476c9d5d4c03f04c7a703ff9a60468754251de098640d820000000ea974e0ba063f60cd75c3ffc549f2d18b64308649731c7deb434bf48b8b1a60640000000d67202667dce74ca8816dafb97cea940873e5b8c59a68edc41774f0c79d9ed79a4d07df1f0480b284b26091b4f77f957d455556692f612710e7836f84b57ad98	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f76176845b0b2e4398e74b822b2d867f0000000002000000000010660000000100002000000096460d99262b323ec7f531a9cf942a61a4708d386d91251c2e8ee08f7e6e44ae000000000e8000000002000020000000f70348f29d705cccf518acdc8a044182f06895611d6c5f2c44eae9d94e21d410200000005ff37ac1030df053f8e709aaedbddb7dce36200377bba90cb6d3071e9b776fe4400000001c8c9f8170b63e2540517caa9cd1d57de7e12f440c708383422d961c70e95828ac5aca59ab1376f1e2830feaefd26330e8e3bfd045f17feb2ee8d67487b5f0fa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f76176845b0b2e4398e74b822b2d867f00000000020000000000106600000001000020000000fc2c6f4379224a47854ed17db053e741c88ad7cd38245bdcb20fcdbde79daf5b000000000e80000000020000200000007333cf395c97009bf519568114d27b21b30c355c6615bf6dd9ed6cce43643aec200000000358c94a25f966c24f4ec30b906b42bd013a4c869ed82e70580f556fe4f8b60640000000455e4336f3f0d8945e4e78f496e72d60d9e2de685650a3e98638949c0608d3522b87f83e2cebd95719c917daf3abefd4fdd9ced1cb615842b7284b1aacca7a9e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f4facc1da6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30909981"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0AF8AE96-1211-11EC-B2DB-F634F559A0EA} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
576	iexplore.exe
2532	iexplore.exe
500	iexplore.exe
2008	iexplore.exe
1264	iexplore.exe
2192	iexplore.exe
1520	iexplore.exe
740	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
576	iexplore.exe
576	iexplore.exe
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
2532	iexplore.exe
2532	iexplore.exe
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
500	iexplore.exe
500	iexplore.exe
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
2008	iexplore.exe
2008	iexplore.exe
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1264	iexplore.exe
1264	iexplore.exe
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2192	iexplore.exe
2192	iexplore.exe
3960	IEXPLORE.EXE
3960	IEXPLORE.EXE
1520	iexplore.exe
1520	iexplore.exe
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
740	iexplore.exe
740	iexplore.exe
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1488	576	iexplore.exe	81
PID 576 wrote to memory of 1488	576	iexplore.exe	81
PID 576 wrote to memory of 1488	576	iexplore.exe	81
PID 2532 wrote to memory of 2264	2532	iexplore.exe	83
PID 2532 wrote to memory of 2264	2532	iexplore.exe	83
PID 2532 wrote to memory of 2264	2532	iexplore.exe	83
PID 500 wrote to memory of 2352	500	iexplore.exe	85
PID 500 wrote to memory of 2352	500	iexplore.exe	85
PID 500 wrote to memory of 2352	500	iexplore.exe	85
PID 2008 wrote to memory of 1480	2008	iexplore.exe	87
PID 2008 wrote to memory of 1480	2008	iexplore.exe	87
PID 2008 wrote to memory of 1480	2008	iexplore.exe	87
PID 1264 wrote to memory of 2760	1264	iexplore.exe	89
PID 1264 wrote to memory of 2760	1264	iexplore.exe	89
PID 1264 wrote to memory of 2760	1264	iexplore.exe	89
PID 2192 wrote to memory of 3960	2192	iexplore.exe	91
PID 2192 wrote to memory of 3960	2192	iexplore.exe	91
PID 2192 wrote to memory of 3960	2192	iexplore.exe	91
PID 1520 wrote to memory of 2952	1520	iexplore.exe	93
PID 1520 wrote to memory of 2952	1520	iexplore.exe	93
PID 1520 wrote to memory of 2952	1520	iexplore.exe	93
PID 740 wrote to memory of 3028	740	iexplore.exe	95
PID 740 wrote to memory of 3028	740	iexplore.exe	95
PID 740 wrote to memory of 3028	740	iexplore.exe	95

C:\Users\Admin\AppData\Local\Temp\1fd238418ac4555bbad917983054d445b1134f135f610d0bce3b80919b75ed77.exe
"C:\Users\Admin\AppData\Local\Temp\1fd238418ac4555bbad917983054d445b1134f135f610d0bce3b80919b75ed77.exe"
1⤵
PID:3128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:500 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1520 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:740 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-124-0x00007FFAA43C0000-0x00007FFAA442B000-memory.dmp

Filesize
428KB

Download
memory/576-120-0x00007FFAA2F30000-0x00007FFAA2F9B000-memory.dmp

Filesize
428KB

Download
memory/740-134-0x00007FFAA4E10000-0x00007FFAA4E7B000-memory.dmp

Filesize
428KB

Download
memory/1264-128-0x00007FFAA43C0000-0x00007FFAA442B000-memory.dmp

Filesize
428KB

Download
memory/1520-132-0x00007FFAA43C0000-0x00007FFAA442B000-memory.dmp

Filesize
428KB

Download
memory/2008-126-0x00007FFAA43C0000-0x00007FFAA442B000-memory.dmp

Filesize
428KB

Download
memory/2192-130-0x00007FFAA43C0000-0x00007FFAA442B000-memory.dmp

Filesize
428KB

Download
memory/2532-122-0x00007FFAA2F30000-0x00007FFAA2F9B000-memory.dmp

Filesize
428KB

Download
memory/3128-114-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/3128-117-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/3128-116-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/3128-115-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads