gozi_rm3 | 1c48ffe76b119a4c2e4d34142620ec69aeff9395fd16f5109e18fe5a7367e7b2

Analysis

max time kernel
149s
max time network
150s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c48ffe76b119a4c2e4d34142620ec69aeff9395fd16f5109e18fe5a7367e7b2.exe
Size

880KB
MD5

5ae9ebc5f58db0ef2937e1a49bb2b758
SHA1

c7c3b8c491cf21ef193005c1709b47d6fa64c47f
SHA256

1c48ffe76b119a4c2e4d34142620ec69aeff9395fd16f5109e18fe5a7367e7b2
SHA512

cb1b26aaa0b2af4279587d0889cf5e58a0c2bbb027c289e0ce20bbbb42c6e35be00660c79763fcdfccd6ce9395ed594aaf08d484ea01ebe0e0344e6356f89207

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E86415A-120D-11EC-A248-76D11839487D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000885d2d0682332f8a5f1d78e58338726daae10e91f9439904b4d79f97825a981d000000000e8000000002000020000000e5acbff52009d1c687b38efa18fd0f002f9a621292ad2158162225f328375a2520000000dab651f38465b369166e2b9498fcf8c219585cf200d7fd7414b19f10a1ef186b40000000eb715a21f0aab711e29f359ef3a54fc66ff4a97c9de2b8a5d21a2a61b2d5254886cb85aa33b7e9321528ee170593a5b2e7ee5d3a190b4599885bc76e2122d58f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2084594a1aa6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000f3420d7824ca00d31485bc754c5543febfc6ec51e58dfb67934f324335cd8a54000000000e8000000002000020000000bd1ad2c97ea516082dc4ee232cf6bb146f85aca07882cfce10230583d9c956d020000000a18c4e20b8d383103daa9bd037b791002330eaadca387e13c2f84159155db352400000005d7437e1b66170c64054266337a3c57053b49a6de606e782d315601fd6125fc75be812feb8859138d2bb546d44e73e327ba7e676ca4b680b84ff5d03f84a2bd7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1224569554"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000e25f3b97fd8c8eac8b65e5a3820021132c94bebe58fb17e520709853533d8d5a000000000e800000000200002000000007e9c248f58501562d4646ad84b4a4a6f292a978b697d6f1769d05935fdb23012000000059e44d8bb698f4d17c3d5aa8409b3c056ced9904ec97fa10ac69021695f35e3d4000000063de2e0741eb9effd76263dcef90fde1eb033dca3e6b6cf1d528eef40faf5603f4d219c57025817d4eed57c7b95003cfe521733defab208d92700698fd6cbb3c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000e324982ad99b46ac22e5de03c79869e3352d60dcce85ddd77db6a3582b787e9a000000000e8000000002000020000000e51c57fa24624531a0c3476b7452f1dcb0bb1f6a74a839bbcfb14e8077eb085e2000000065c83d6a37b1c3daab9c6e1a3cccf4636870a8df0124bd40a50ab2b2c1d76c6540000000de0be947618ef557f4399cb76b5009ee7c27d6a91ecd20b780a062e2a2510305f869b5b1ccb3992b025c39bd52396487b616ab42be21ba918e222a22f5103567	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30909978"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000bf6b84b163226cf697674bba35e98b30df05aacf337380ec87b07e64d465a77d000000000e8000000002000020000000f3392bb78175d6d24f516e282dfdb108ccac88e707a7c84c858e789cd51f3f38200000003909993d11ca72c551cc9d0a48efde0c0d8785f969815d08ec6768d752c41557400000004c62464741a8cf6cc4a4787c1d4ffa5972a09fc9c6fd02a9f5986b1fc3857296c9079e7fb96bddc937ead943f426d9c5caff169269e0015df2511691c69d164d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10c8e3721aa6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B01E01D2-120D-11EC-A248-76D11839487D} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4428	iexplore.exe
196	iexplore.exe
1420	iexplore.exe
2512	iexplore.exe
2140	iexplore.exe
3632	iexplore.exe
3168	iexplore.exe
3884	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
4428	iexplore.exe
4428	iexplore.exe
4540	IEXPLORE.EXE
4540	IEXPLORE.EXE
196	iexplore.exe
196	iexplore.exe
852	IEXPLORE.EXE
852	IEXPLORE.EXE
1420	iexplore.exe
1420	iexplore.exe
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
2512	iexplore.exe
2512	iexplore.exe
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2140	iexplore.exe
2140	iexplore.exe
3900	IEXPLORE.EXE
3900	IEXPLORE.EXE
3632	iexplore.exe
3632	iexplore.exe
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE
3168	iexplore.exe
3168	iexplore.exe
4368	IEXPLORE.EXE
4368	IEXPLORE.EXE
3884	iexplore.exe
3884	iexplore.exe
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4540	4428	iexplore.exe	81
PID 4428 wrote to memory of 4540	4428	iexplore.exe	81
PID 4428 wrote to memory of 4540	4428	iexplore.exe	81
PID 196 wrote to memory of 852	196	iexplore.exe	83
PID 196 wrote to memory of 852	196	iexplore.exe	83
PID 196 wrote to memory of 852	196	iexplore.exe	83
PID 1420 wrote to memory of 1640	1420	iexplore.exe	85
PID 1420 wrote to memory of 1640	1420	iexplore.exe	85
PID 1420 wrote to memory of 1640	1420	iexplore.exe	85
PID 2512 wrote to memory of 2856	2512	iexplore.exe	87
PID 2512 wrote to memory of 2856	2512	iexplore.exe	87
PID 2512 wrote to memory of 2856	2512	iexplore.exe	87
PID 2140 wrote to memory of 3900	2140	iexplore.exe	89
PID 2140 wrote to memory of 3900	2140	iexplore.exe	89
PID 2140 wrote to memory of 3900	2140	iexplore.exe	89
PID 3632 wrote to memory of 3028	3632	iexplore.exe	91
PID 3632 wrote to memory of 3028	3632	iexplore.exe	91
PID 3632 wrote to memory of 3028	3632	iexplore.exe	91
PID 3168 wrote to memory of 4368	3168	iexplore.exe	93
PID 3168 wrote to memory of 4368	3168	iexplore.exe	93
PID 3168 wrote to memory of 4368	3168	iexplore.exe	93
PID 3884 wrote to memory of 2644	3884	iexplore.exe	95
PID 3884 wrote to memory of 2644	3884	iexplore.exe	95
PID 3884 wrote to memory of 2644	3884	iexplore.exe	95

C:\Users\Admin\AppData\Local\Temp\1c48ffe76b119a4c2e4d34142620ec69aeff9395fd16f5109e18fe5a7367e7b2.exe
"C:\Users\Admin\AppData\Local\Temp\1c48ffe76b119a4c2e4d34142620ec69aeff9395fd16f5109e18fe5a7367e7b2.exe"
1⤵
PID:4656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4428 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:196
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:196 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3900

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3632 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3168 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3884 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-123-0x00007FFB93FC0000-0x00007FFB9402B000-memory.dmp

Filesize
428KB

Download
memory/1420-125-0x00007FFB93FC0000-0x00007FFB9402B000-memory.dmp

Filesize
428KB

Download
memory/2140-129-0x00007FFB93FC0000-0x00007FFB9402B000-memory.dmp

Filesize
428KB

Download
memory/2512-127-0x00007FFB93FC0000-0x00007FFB9402B000-memory.dmp

Filesize
428KB

Download
memory/3168-133-0x00007FFB93FC0000-0x00007FFB9402B000-memory.dmp

Filesize
428KB

Download
memory/3632-131-0x00007FFB93FC0000-0x00007FFB9402B000-memory.dmp

Filesize
428KB

Download
memory/3884-135-0x00007FFB93FC0000-0x00007FFB9402B000-memory.dmp

Filesize
428KB

Download
memory/4428-121-0x00007FFB85D80000-0x00007FFB85DEB000-memory.dmp

Filesize
428KB

Download
memory/4656-120-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4656-117-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/4656-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/4656-116-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads