gozi_rm3 | 950877d2f56ae662d99268e36a0b6e561ade63ede6e81bd0cbe909e5df5f3164

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

950877d2f56ae662d99268e36a0b6e561ade63ede6e81bd0cbe909e5df5f3164.exe
Size

880KB
MD5

8ceb653e7a0794bf97778664a7f28c7b
SHA1

5337356ce3014d024ff323e12dedac99df948898
SHA256

950877d2f56ae662d99268e36a0b6e561ade63ede6e81bd0cbe909e5df5f3164
SHA512

d891b5e329f72015ef86e9e34199df3cc42d4eb877ec571efa3157c63b856efe5e842d80807e773ea0d22e3ea0f320fde5558c7e1ae2b9a9ef0b8f508e0a97cc

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00df0e781aa6d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000000d7e4fccbce60cfae86fe3343f82621b82dd473831d5d53ff7105e52c8b6a821000000000e80000000020000200000007642bb6ebec5f39aee6840c36bdf3706da27da7203d4eebbde8f0687a3850d3e20000000d5268c8139985059ce2323d960c5677d039eb29b50775d1063ace7007f9a82454000000063b52f6ecff1ed7f70267c72c4f3dfc7345221e53369635af198cba7b629a0db46d954185db761491ca6657fdeb2bbda3676833da816e581ef7ab2805a6eb04f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{85DF3DDA-120D-11EC-A248-F62E334B89D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000006bcce22e0ddb55ead7c0e7a8d7da3215aeab150ac94c87656d481797fcd31f59000000000e800000000200002000000055d0ffa5c99439e6bae9d51f2edff1663ded28dc9b5e899115cd8c9748daabd6200000005bc086cd70f623011cc694c5c2d26c4c2e7eb79dbc1ed28ec1f71ff3c6dfc732400000002c9b53e5b30996f1ed98530c7c8489dc0f5744d6bdaccdc93344930c355eb12aaf0bf5f74de2b297361083156b2ecb2fc4fc8f7d58dacb2b8bacc2e58f6b2fd8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000116b605b1ea685fec757b8644dda295b9c852fcb133b85508d21b9af7ee89365000000000e80000000020000200000009d192da9c4125015c8afbd2ddaa62cdc028fd35a4e8b0f67053fee59a08a3d2020000000caf9132d1c642dfbbac73af001b3e7c20b5be92b979ec8548f24f50eb4bd6c2240000000ef8b85f8ae9fda3a05a90e45819b5df277428f8ecfa677506c26e9dde4cd7bfc6b7a0b5419d9abb998c5af630a1fdf2dce25d70bbbf97e1aa904731e141e0f9d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000003fe755ee5aa148b9adac30096e8ed8377d917884728e626e9b9c03a4fdf562fc000000000e8000000002000020000000ee27792d63f629f2d233e610ef2c51aa4959cc346865b6c4cb965f3f60a19615200000004089155f39bfd9d17ca49c852323b6dad039d8d2387b6cdfda007c45c343f83440000000e657391bc2ae24868f42175e974278274014501f40af87b50f21da9db8fffdfd17ba43eb8721ab5fb79d5c9f0c477290549a038845a1ba4c0bd02697c7ef3f61	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cabd471aa6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60aca2481aa6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406c51631aa6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{93AC9819-120D-11EC-A248-F62E334B89D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5445A04-120D-11EC-A248-F62E334B89D9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000d31fd1d076c831f81aa6c9d2267c7bf6750afc652c737df47462cbc15827489a000000000e8000000002000020000000e55b3e3ffa6134de13d95bc9eaa275507c77ac8970522e595e45640a7499556420000000c0c8cfb7b92652c97ea31b8a15ac5f6289a04e254e6edd94be1619e2a105384d40000000b665e786dc8cbfd51e965d3e53b11ae9947c27eeab181214a966108261693a7fad2ebf4d65574444d16aefbaebf1db0887270a15381be496a7a3726fd8ce2caf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3456	iexplore.exe
1068	iexplore.exe
2500	iexplore.exe
3604	iexplore.exe
3104	iexplore.exe
1668	iexplore.exe
1856	iexplore.exe
1780	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3456	iexplore.exe
3456	iexplore.exe
3828	IEXPLORE.EXE
3828	IEXPLORE.EXE
1068	iexplore.exe
1068	iexplore.exe
3380	IEXPLORE.EXE
3380	IEXPLORE.EXE
2500	iexplore.exe
2500	iexplore.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
3604	iexplore.exe
3604	iexplore.exe
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
3104	iexplore.exe
3104	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
1668	iexplore.exe
1668	iexplore.exe
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
1856	iexplore.exe
1856	iexplore.exe
2304	IEXPLORE.EXE
2304	IEXPLORE.EXE
1780	iexplore.exe
1780	iexplore.exe
2196	IEXPLORE.EXE
2196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 3828	3456	iexplore.exe	82
PID 3456 wrote to memory of 3828	3456	iexplore.exe	82
PID 3456 wrote to memory of 3828	3456	iexplore.exe	82
PID 1068 wrote to memory of 3380	1068	iexplore.exe	84
PID 1068 wrote to memory of 3380	1068	iexplore.exe	84
PID 1068 wrote to memory of 3380	1068	iexplore.exe	84
PID 2500 wrote to memory of 2192	2500	iexplore.exe	86
PID 2500 wrote to memory of 2192	2500	iexplore.exe	86
PID 2500 wrote to memory of 2192	2500	iexplore.exe	86
PID 3604 wrote to memory of 2304	3604	iexplore.exe	88
PID 3604 wrote to memory of 2304	3604	iexplore.exe	88
PID 3604 wrote to memory of 2304	3604	iexplore.exe	88
PID 3104 wrote to memory of 204	3104	iexplore.exe	90
PID 3104 wrote to memory of 204	3104	iexplore.exe	90
PID 3104 wrote to memory of 204	3104	iexplore.exe	90
PID 1668 wrote to memory of 2736	1668	iexplore.exe	92
PID 1668 wrote to memory of 2736	1668	iexplore.exe	92
PID 1668 wrote to memory of 2736	1668	iexplore.exe	92
PID 1856 wrote to memory of 2304	1856	iexplore.exe	94
PID 1856 wrote to memory of 2304	1856	iexplore.exe	94
PID 1856 wrote to memory of 2304	1856	iexplore.exe	94
PID 1780 wrote to memory of 2196	1780	iexplore.exe	96
PID 1780 wrote to memory of 2196	1780	iexplore.exe	96
PID 1780 wrote to memory of 2196	1780	iexplore.exe	96

C:\Users\Admin\AppData\Local\Temp\950877d2f56ae662d99268e36a0b6e561ade63ede6e81bd0cbe909e5df5f3164.exe
"C:\Users\Admin\AppData\Local\Temp\950877d2f56ae662d99268e36a0b6e561ade63ede6e81bd0cbe909e5df5f3164.exe"
1⤵
PID:4032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3456 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1068 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3604 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3104 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-123-0x00007FF9187A0000-0x00007FF91880B000-memory.dmp

Filesize
428KB

Download
memory/1668-131-0x00007FF9265C0000-0x00007FF92662B000-memory.dmp

Filesize
428KB

Download
memory/1780-135-0x00007FF9282D0000-0x00007FF92833B000-memory.dmp

Filesize
428KB

Download
memory/1856-133-0x00007FF9282D0000-0x00007FF92833B000-memory.dmp

Filesize
428KB

Download
memory/2500-125-0x00007FF9265C0000-0x00007FF92662B000-memory.dmp

Filesize
428KB

Download
memory/3104-129-0x00007FF9265C0000-0x00007FF92662B000-memory.dmp

Filesize
428KB

Download
memory/3456-121-0x00007FF9187A0000-0x00007FF91880B000-memory.dmp

Filesize
428KB

Download
memory/3604-127-0x00007FF9265C0000-0x00007FF92662B000-memory.dmp

Filesize
428KB

Download
memory/4032-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/4032-120-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4032-117-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/4032-116-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads