gozi_rm3 | deb0e285e8864b46aa4d7451829d8314dc26fd6b84933069d79aa2a864dce6b7

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deb0e285e8864b46aa4d7451829d8314dc26fd6b84933069d79aa2a864dce6b7.exe
Size

880KB
MD5

3b4012193411b2df70ee4eb46cc009e8
SHA1

9bc1259c149de5b9fa47ca438ff7cd8069d9d533
SHA256

deb0e285e8864b46aa4d7451829d8314dc26fd6b84933069d79aa2a864dce6b7
SHA512

d307a4f3df5c4f713441de890027451a4614f5b2cc62d03d0b4d0372eab8b5d69979e94dd99ff55f0bbcb4e5eb807476ab94fec55c4ad5377c30aa45e1c3e6b0

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{222A34AD-1228-11EC-B2DB-C6A62EEC4D20} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3546251851"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2F2821B2-1228-11EC-B2DB-C6A62EEC4D20} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30910004"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207bfcd634a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ca1e10c1c340419a6d44c52f5c8d8700000000020000000000106600000001000020000000b4abd2d9a585dffeaa5d7f6ad05bb62b0841611fd544eabc0f88ed340a6d2964000000000e8000000002000020000000e57b8782def81ffb61d6247268abfef54ce7acdfa8e035bfde759f7440f491e720000000ab3090c44a28a1c29ff7020d54de6ac06ae7d6c167426e2db38fb96a5b038dc8400000003294074da83b2df4ec5e4ee620c35d7022b70ac36d26819cde77387fea20be505201a40af90ba411c14e99f79d486c150ce6036cd8df9c7bc7d6f755d2192b2a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00e30cf234a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02ef6d534a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80e401f934a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ca1e10c1c340419a6d44c52f5c8d8700000000020000000000106600000001000020000000f6b2d7c1c68746971a97a3ff0ea04a13c5c355157dd2bf6e20f3a7b052c3035c000000000e800000000200002000000048fb99b2c4a25a7d926195b3497d7f6334c3591887f9a37a38c9ee0b00c3436c2000000014786643943a22fd27336311c475c77343b5797f599037a320e22559a02c3dd74000000017a90df69d14fe8ab83574bc44d6ac6dd33c499541ea62e831ba299a1cce63e1a2feaeb932e16c91f80741af0a04c1f2bb57941ad53e5f7a2cf947d18245f255	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ca1e10c1c340419a6d44c52f5c8d8700000000020000000000106600000001000020000000330dd1baf05b66d80c713c24ba574fa80a2eb2793e7abfe2359a088fc2004e93000000000e800000000200002000000039d121fc90a24983e670ba68ab6920c157a3079cd55983a59858a296b2b4839e2000000049667652f41927ab24c081ddeff9197d5a8528d08091e85c91fed900446aad714000000099e7beaa9f3aa0d5a74b71dc557ea8baf00d78b6ebe485a7c3b6e00444972393a9bc86ddaa8e8c40f8e186c6cbd82e8c723a8265ebc46206f84654cef472f224	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ca1e10c1c340419a6d44c52f5c8d87000000000200000000001066000000010000200000008590015b758b678daae8bef4244cac2ceb1bb91cff47eafc2c527f665c2f9473000000000e8000000002000020000000b2cdbc464a9317601b3eac072571c0cdcaf9e6d72a4f16bc3e330c1bd5ee54b020000000942d42ab5293d51655eda69799a702d7e7d3573b151937dcc143fa4d9df454a1400000007d815ffa878975dd92d985df7040da46d5783fc3589e32bd2c0882cdd0dcd79b7d4c97cb96d7f82473da9b4c702b92f317a82a4abace9a9dd8ff9794263aed59	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e03d050035a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30910004"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000096ca1e10c1c340419a6d44c52f5c8d8700000000020000000000106600000001000020000000ab2c0d78fdb72481d299a4323b2d7d7222398233d640aa3f256c55baefbef5bf000000000e80000000020000200000009cce7618a035bdf054e7ae2f1effb878dc337c8b072082ffe5a4f6c709c221b9200000000f57fafe543c802fb6386db7db46fe0a5d273ae483c5b2dc6076263ed441c7aa40000000c83951c99d74f6869b730ffbd2f4a23a9ffb9ed9a3dc94f4dee8117a3a896173abf15420c7974cab277061580649784dd5525e0827c9d9360e605ba51cff5ca9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50050ede34a6d701	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3912	iexplore.exe
976	iexplore.exe
1336	iexplore.exe
3992	iexplore.exe
2164	iexplore.exe
2296	iexplore.exe
3752	iexplore.exe
3912	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3912	iexplore.exe
3912	iexplore.exe
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE
976	iexplore.exe
976	iexplore.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
1336	iexplore.exe
1336	iexplore.exe
944	IEXPLORE.EXE
944	IEXPLORE.EXE
3992	iexplore.exe
3992	iexplore.exe
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
2164	iexplore.exe
2164	iexplore.exe
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2296	iexplore.exe
2296	iexplore.exe
1244	IEXPLORE.EXE
1244	IEXPLORE.EXE
3752	iexplore.exe
3752	iexplore.exe
4052	IEXPLORE.EXE
4052	IEXPLORE.EXE
3912	iexplore.exe
3912	iexplore.exe
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 2644	3912	iexplore.exe	81
PID 3912 wrote to memory of 2644	3912	iexplore.exe	81
PID 3912 wrote to memory of 2644	3912	iexplore.exe	81
PID 976 wrote to memory of 2572	976	iexplore.exe	83
PID 976 wrote to memory of 2572	976	iexplore.exe	83
PID 976 wrote to memory of 2572	976	iexplore.exe	83
PID 1336 wrote to memory of 944	1336	iexplore.exe	85
PID 1336 wrote to memory of 944	1336	iexplore.exe	85
PID 1336 wrote to memory of 944	1336	iexplore.exe	85
PID 3992 wrote to memory of 2136	3992	iexplore.exe	87
PID 3992 wrote to memory of 2136	3992	iexplore.exe	87
PID 3992 wrote to memory of 2136	3992	iexplore.exe	87
PID 2164 wrote to memory of 2220	2164	iexplore.exe	89
PID 2164 wrote to memory of 2220	2164	iexplore.exe	89
PID 2164 wrote to memory of 2220	2164	iexplore.exe	89
PID 2296 wrote to memory of 1244	2296	iexplore.exe	91
PID 2296 wrote to memory of 1244	2296	iexplore.exe	91
PID 2296 wrote to memory of 1244	2296	iexplore.exe	91
PID 3752 wrote to memory of 4052	3752	iexplore.exe	93
PID 3752 wrote to memory of 4052	3752	iexplore.exe	93
PID 3752 wrote to memory of 4052	3752	iexplore.exe	93
PID 3912 wrote to memory of 1708	3912	iexplore.exe	95
PID 3912 wrote to memory of 1708	3912	iexplore.exe	95
PID 3912 wrote to memory of 1708	3912	iexplore.exe	95

C:\Users\Admin\AppData\Local\Temp\deb0e285e8864b46aa4d7451829d8314dc26fd6b84933069d79aa2a864dce6b7.exe
"C:\Users\Admin\AppData\Local\Temp\deb0e285e8864b46aa4d7451829d8314dc26fd6b84933069d79aa2a864dce6b7.exe"
1⤵
PID:776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3912 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:976 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3992 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2296 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3752 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4052

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3912 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-114-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/776-115-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/776-117-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/776-119-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/976-122-0x00007FFFF08D0000-0x00007FFFF093B000-memory.dmp

Filesize
428KB

Download
memory/1336-124-0x00007FFFF08D0000-0x00007FFFF093B000-memory.dmp

Filesize
428KB

Download
memory/2164-128-0x00007FFFF08D0000-0x00007FFFF093B000-memory.dmp

Filesize
428KB

Download
memory/2296-130-0x00007FFFF08D0000-0x00007FFFF093B000-memory.dmp

Filesize
428KB

Download
memory/3752-132-0x00007FFFF08D0000-0x00007FFFF093B000-memory.dmp

Filesize
428KB

Download
memory/3912-134-0x00007FFFF08D0000-0x00007FFFF093B000-memory.dmp

Filesize
428KB

Download
memory/3912-120-0x00007FFFF08D0000-0x00007FFFF093B000-memory.dmp

Filesize
428KB

Download
memory/3992-126-0x00007FFFF08D0000-0x00007FFFF093B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads