gozi_rm3 | 6d26e1dcfb67a261b1c00a6c2164f4173ea33b8142800222c1f9982494dbbdc2

Analysis

max time kernel
145s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d26e1dcfb67a261b1c00a6c2164f4173ea33b8142800222c1f9982494dbbdc2.exe
Size

880KB
MD5

f358432dba85233597ecc6f3ffba57bc
SHA1

7a7c8693f7d15f997a8cbcd45e37de23e49d3723
SHA256

6d26e1dcfb67a261b1c00a6c2164f4173ea33b8142800222c1f9982494dbbdc2
SHA512

aad18093b3cbbf7fbc04a0e5d70f66ce2d2471426649dfe3d8d62de8a14d1b2f882a10266f3d96bdb70b1d3cb28563b310843c6b5cbe6c249e31611e7c07e772

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4004652430a6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05a574630a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "437477327"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025e65256f079a14baa14d6c5c112faaf00000000020000000000106600000001000020000000d894d3dba8c1ed3e975a5f139f9b680d05e20b57aa9e041f58ca71b77adcdb28000000000e8000000002000020000000c6f4b6fad5b0fde18cb898a4c30ff36876f3bce288f3ae11d860a063f1b52a3420000000e5979ca71467fac1b023eb9de1850c855b2bbbbb20b533bd1cac3075db4e365b400000004dfc56836cbc7c2969611a671c06c308ed1c7fef13f177b8675e4a4810736406e853eae0776aca741b0f68b7cbbfadef28e152f0e5435a73dc56400e5ddc1475	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025e65256f079a14baa14d6c5c112faaf000000000200000000001066000000010000200000004feef8d49157eb6ba4c5acfaad832273c8dd6492551556cbd5997cb344cb9ff2000000000e8000000002000020000000ece9ee756d1c83436f2b28324127117cb572fad0bfb9ded682a356bb1b3300e020000000e522dc7545dbe49ca87edc22dee6e8753260d69a59018484381ff3af2c246a904000000031e9eb6ecaee7b27feaa20cf420aa2cee5f3a9fa9e3a608d4690327223bd759786e92abbcdb0881b250b42cf9ae318ac838c420a422f21e8c45d8a430ec1b8cd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30910000"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5A8666A1-1223-11EC-B2DB-EA801B2465EB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 609e5d3f30a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025e65256f079a14baa14d6c5c112faaf00000000020000000000106600000001000020000000d6113c890f9b668e488beed06855c5a435fe2b94dde1dbbc5327ccb0e621201e000000000e80000000020000200000009e00e16003fe60cbc478c8358655b9a35539c9e958f9c8b68aacf069307161ec200000005b82f981797213ac94f91cf1a0e0ca4407264d0e48bbb8f8061184424157aa0240000000c451c1387a3ccad82c82b7becf54b5452f60ecf58d50cfd49a11876ead7b6084d07e0be82bcdf07cda7d8693875a1f750bdd14b52fb966af24a4def03db1a40d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20fe5c4d30a6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025e65256f079a14baa14d6c5c112faaf00000000020000000000106600000001000020000000925bc05277cee61f0865c54224c85604241138a1a7b73d56c00ffea126125021000000000e800000000200002000000098654da92c29659689235c36b056d185054c77f940da337c464212f76633388a200000002c4a1a3ea952b8940e538ec9cb9b7cbe0b121920b8291c7fbcc7e72bd31c79234000000072380b826509876566d28081df8b423714a9d9b37010f9ab9d6e27b713657fd3bfe7ec6447f2b89be74fd665c243d6a8b5a486d6feda0c89579c9245ca997a6b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025e65256f079a14baa14d6c5c112faaf000000000200000000001066000000010000200000009c49be8f21cab0b1e9725f5d82257a856d09f32cf30796c3872e63bf456f9f0c000000000e80000000020000200000005f047c933ebddac176c959f9d35d59d88839656cf5edf9d1188595fb143d1e74200000004bf32cd2f2f3ac6722937a8c4a82c84582b3a08794254cce0485ce6e506d7633400000006e42bedb54a2e2a4ae11de3e1da97f13fa268e7f1ef44e6bd9afc2006ed017cb88ea592ab43811b9a283ade5b09bf5b95ea146d12247bd578f8e38da79b3005c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000025e65256f079a14baa14d6c5c112faaf00000000020000000000106600000001000020000000d48978ad2b12beb55a5db9cd7f1b101bf795011a9d0321067e0425d50a706237000000000e8000000002000020000000c4c763105f319db37026faadc4a0e5cc730b47ce5d725f364e9e9deee791bdbf200000007c587d14a5882f3317ec90cc07ade67e085051c684a70431c3855154a858bb2c40000000871018ea0fbf045003e96e4d5c84f96ab28773a81052e1f1785d3e453796acba12738a18feec661bb5cb5e532c9ed239fe70581a01d6ce4c84264dca1a8a6988	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30910000"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0d6681d30a6d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45945D3B-1223-11EC-B2DB-EA801B2465EB} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1008	iexplore.exe
3056	iexplore.exe
856	iexplore.exe
2848	iexplore.exe
2288	iexplore.exe
2188	iexplore.exe
804	iexplore.exe
2284	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
1008	iexplore.exe
1008	iexplore.exe
2484	IEXPLORE.EXE
2484	IEXPLORE.EXE
3056	iexplore.exe
3056	iexplore.exe
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE
856	iexplore.exe
856	iexplore.exe
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
2848	iexplore.exe
2848	iexplore.exe
4048	IEXPLORE.EXE
4048	IEXPLORE.EXE
2288	iexplore.exe
2288	iexplore.exe
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
2188	iexplore.exe
2188	iexplore.exe
3196	IEXPLORE.EXE
3196	IEXPLORE.EXE
804	iexplore.exe
804	iexplore.exe
4008	IEXPLORE.EXE
4008	IEXPLORE.EXE
2284	iexplore.exe
2284	iexplore.exe
2260	IEXPLORE.EXE
2260	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2484	1008	iexplore.exe	81
PID 1008 wrote to memory of 2484	1008	iexplore.exe	81
PID 1008 wrote to memory of 2484	1008	iexplore.exe	81
PID 3056 wrote to memory of 2272	3056	iexplore.exe	83
PID 3056 wrote to memory of 2272	3056	iexplore.exe	83
PID 3056 wrote to memory of 2272	3056	iexplore.exe	83
PID 856 wrote to memory of 3044	856	iexplore.exe	85
PID 856 wrote to memory of 3044	856	iexplore.exe	85
PID 856 wrote to memory of 3044	856	iexplore.exe	85
PID 2848 wrote to memory of 4048	2848	iexplore.exe	87
PID 2848 wrote to memory of 4048	2848	iexplore.exe	87
PID 2848 wrote to memory of 4048	2848	iexplore.exe	87
PID 2288 wrote to memory of 1600	2288	iexplore.exe	89
PID 2288 wrote to memory of 1600	2288	iexplore.exe	89
PID 2288 wrote to memory of 1600	2288	iexplore.exe	89
PID 2188 wrote to memory of 3196	2188	iexplore.exe	91
PID 2188 wrote to memory of 3196	2188	iexplore.exe	91
PID 2188 wrote to memory of 3196	2188	iexplore.exe	91
PID 804 wrote to memory of 4008	804	iexplore.exe	93
PID 804 wrote to memory of 4008	804	iexplore.exe	93
PID 804 wrote to memory of 4008	804	iexplore.exe	93
PID 2284 wrote to memory of 2260	2284	iexplore.exe	95
PID 2284 wrote to memory of 2260	2284	iexplore.exe	95
PID 2284 wrote to memory of 2260	2284	iexplore.exe	95

C:\Users\Admin\AppData\Local\Temp\6d26e1dcfb67a261b1c00a6c2164f4173ea33b8142800222c1f9982494dbbdc2.exe
"C:\Users\Admin\AppData\Local\Temp\6d26e1dcfb67a261b1c00a6c2164f4173ea33b8142800222c1f9982494dbbdc2.exe"
1⤵
PID:652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2484

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2288 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2188 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:804 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4008

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-114-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/652-115-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/652-116-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/652-117-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/804-132-0x00007FFD23010000-0x00007FFD2307B000-memory.dmp

Filesize
428KB

Download
memory/856-124-0x00007FFD22FC0000-0x00007FFD2302B000-memory.dmp

Filesize
428KB

Download
memory/1008-120-0x00007FFD22FC0000-0x00007FFD2302B000-memory.dmp

Filesize
428KB

Download
memory/2188-130-0x00007FFD23010000-0x00007FFD2307B000-memory.dmp

Filesize
428KB

Download
memory/2284-134-0x00007FFD23010000-0x00007FFD2307B000-memory.dmp

Filesize
428KB

Download
memory/2288-128-0x00007FFD22FC0000-0x00007FFD2302B000-memory.dmp

Filesize
428KB

Download
memory/2848-126-0x00007FFD22FC0000-0x00007FFD2302B000-memory.dmp

Filesize
428KB

Download
memory/3056-122-0x00007FFD22FC0000-0x00007FFD2302B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads