gozi_rm3 | 930d54df724f1637f38d840e1822fa8f5cccedceb4b86d0e737e2311162e0921

General

Target

930d54df724f1637f38d840e1822fa8f5cccedceb4b86d0e737e2311162e0921.exe
Size

880KB
MD5

c7b71f03f190a5da3e4976f37194419f
SHA1

8e750d01e1a5edb2c320e1b0b703b5823f241587
SHA256

930d54df724f1637f38d840e1822fa8f5cccedceb4b86d0e737e2311162e0921
SHA512

d274bcc78a5916220e51036b8a24b82f165a03736fb829a76a01d96bd5c224b0624b3ebf592a5b06a5bd9d04cc5c7aff0e47bca908782dd27b226fb953f2cc6e

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

C2

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D69E02D-1213-11EC-A248-D2E3FA6D7576} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000002ebb5d3ce3e57dc365e96e9577ec96c0cab71002939f005c4d295ef912456a41000000000e80000000020000200000009e8d3c1f51fb99cd90cd0e74396deb729ba5c81ea8e84c1b2c784dbaa40da0e520000000fa6dafd1516d03b2b164e2b6401c2709bb60542295d11169f9d374d92527d92f400000006e95f3e893d4b09001ec730c081bec4d6a6fcb5dcd389d2729e40028164c12e96a14b6956f388088928edda378ea4daab96d182b662d0575299ff9e13541db4d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40cc74f81fa6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6604EECD-1213-11EC-A248-D2E3FA6D7576} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0442d0020a6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8017ef1a20a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40e041f91fa6d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30909983"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30909983"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4457B604-1213-11EC-A248-D2E3FA6D7576} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d4610000000002000000000010660000000100002000000034828730c6060a328a0e06a3e898740eaab0fc32752491a229302f451e30240b000000000e800000000200002000000012647f31dec469f9a80009d81707cfe450727c9d4c759e2d1f39d8be41b2ace3200000004462817d2f9b0d65186a0e167c09bf2e8e5b55b428ed3f8553d5e039aa6004424000000088c97e6fb5e8a89aa3f996d975a8c73c3a111f3a94f56ca1f8bc9c6adaf68abbf84d4f130cd2a5a5106b2f63f24bf2b63d5359e39c9a8cfbcf53b56e6e7c9f1e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{23516565-1213-11EC-A248-D2E3FA6D7576} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000008be4d61255f985dd959e62d7ec5ef8a2033ad8b774695c60699513b1a43d7b9c000000000e8000000002000020000000b391f0714a2ad4ce022abf7c61bb37b1204c8653b4c74314d3409de9b2726f252000000001cd893e9550826b393d24a641da6f9bd93aaccd068dfd5465686195c2e458f6400000005d3646471125b8afaa9ceb0a508a66cb389571e57cf9f49d6409fc58f32d951282ec0f2d0fe8979960dff2f4b6decef03e6920ac3e510d83f504dcc4de0b8b62	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60fc1f0720a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5F14B587-1213-11EC-A248-D2E3FA6D7576} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000a6caa79993f4b2a16941a60c19cc596ac48429f4800cfd47d272a83f15080954000000000e80000000020000200000007472880c607deefe838f80038862f06f12eba50b0e3f30f15bcc55549b8adab6200000002401fe376e34ed7f42689b577efb65397ab38f28e56c3bb7198b24e3b13dd28940000000927f76a5803b8b56fe925aaa39fe595bd9fd2c5e63fa46d139b2ac6513bed14d699bff8892472eda7d8a74d05cbce91bee1ad7793fdc22c6e17a6085d281d866	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

3500 iexplore.exe
3844 iexplore.exe
2836 iexplore.exe
2244 iexplore.exe
3808 iexplore.exe
1328 iexplore.exe
1852 iexplore.exe
2512 iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXE

pid	process
3500	iexplore.exe
3500	iexplore.exe
2508	IEXPLORE.EXE
2508	IEXPLORE.EXE
3844	iexplore.exe
3844	iexplore.exe
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2836	iexplore.exe
2836	iexplore.exe
3916	IEXPLORE.EXE
3916	IEXPLORE.EXE
2244	iexplore.exe
2244	iexplore.exe
424	IEXPLORE.EXE
424	IEXPLORE.EXE
3808	iexplore.exe
3808	iexplore.exe
3556	IEXPLORE.EXE
3556	IEXPLORE.EXE
1328	iexplore.exe
1328	iexplore.exe
1908	IEXPLORE.EXE
1908	IEXPLORE.EXE
1852	iexplore.exe
1852	iexplore.exe
2512	iexplore.exe
2512	iexplore.exe
64	IEXPLORE.EXE
64	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3500 wrote to memory of 2508	3500	iexplore.exe	IEXPLORE.EXE
PID 3500 wrote to memory of 2508	3500	iexplore.exe	IEXPLORE.EXE
PID 3500 wrote to memory of 2508	3500	iexplore.exe	IEXPLORE.EXE
PID 3844 wrote to memory of 2572	3844	iexplore.exe	IEXPLORE.EXE
PID 3844 wrote to memory of 2572	3844	iexplore.exe	IEXPLORE.EXE
PID 3844 wrote to memory of 2572	3844	iexplore.exe	IEXPLORE.EXE
PID 2836 wrote to memory of 3916	2836	iexplore.exe	IEXPLORE.EXE
PID 2836 wrote to memory of 3916	2836	iexplore.exe	IEXPLORE.EXE
PID 2836 wrote to memory of 3916	2836	iexplore.exe	IEXPLORE.EXE
PID 2244 wrote to memory of 424	2244	iexplore.exe	IEXPLORE.EXE
PID 2244 wrote to memory of 424	2244	iexplore.exe	IEXPLORE.EXE
PID 2244 wrote to memory of 424	2244	iexplore.exe	IEXPLORE.EXE
PID 3808 wrote to memory of 3556	3808	iexplore.exe	IEXPLORE.EXE
PID 3808 wrote to memory of 3556	3808	iexplore.exe	IEXPLORE.EXE
PID 3808 wrote to memory of 3556	3808	iexplore.exe	IEXPLORE.EXE
PID 1328 wrote to memory of 1908	1328	iexplore.exe	IEXPLORE.EXE
PID 1328 wrote to memory of 1908	1328	iexplore.exe	IEXPLORE.EXE
PID 1328 wrote to memory of 1908	1328	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 4048	1852	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 4048	1852	iexplore.exe	IEXPLORE.EXE
PID 1852 wrote to memory of 4048	1852	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 64	2512	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 64	2512	iexplore.exe	IEXPLORE.EXE
PID 2512 wrote to memory of 64	2512	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\930d54df724f1637f38d840e1822fa8f5cccedceb4b86d0e737e2311162e0921.exe
"C:\Users\Admin\AppData\Local\Temp\930d54df724f1637f38d840e1822fa8f5cccedceb4b86d0e737e2311162e0921.exe"
1⤵
PID:3940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3500 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2508

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3844 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3808 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3556

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1328 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1852 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:4048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2512 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:64

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-136-0x0000000000000000-mapping.dmp

Download
memory/424-128-0x0000000000000000-mapping.dmp

Download
memory/1328-131-0x00007FFF6ED70000-0x00007FFF6EDDB000-memory.dmp

Filesize
428KB

Download
memory/1852-133-0x00007FFF6ED70000-0x00007FFF6EDDB000-memory.dmp

Filesize
428KB

Download
memory/1908-132-0x0000000000000000-mapping.dmp

Download
memory/2244-127-0x00007FFF6ED70000-0x00007FFF6EDDB000-memory.dmp

Filesize
428KB

Download
memory/2508-122-0x0000000000000000-mapping.dmp

Download
memory/2512-135-0x00007FFF6ED70000-0x00007FFF6EDDB000-memory.dmp

Filesize
428KB

Download
memory/2572-124-0x0000000000000000-mapping.dmp

Download
memory/2836-125-0x00007FFF6E500000-0x00007FFF6E56B000-memory.dmp

Filesize
428KB

Download
memory/3500-121-0x00007FFF60BA0000-0x00007FFF60C0B000-memory.dmp

Filesize
428KB

Download
memory/3556-130-0x0000000000000000-mapping.dmp

Download
memory/3808-129-0x00007FFF6ED70000-0x00007FFF6EDDB000-memory.dmp

Filesize
428KB

Download
memory/3844-123-0x00007FFF6E500000-0x00007FFF6E56B000-memory.dmp

Filesize
428KB

Download
memory/3916-126-0x0000000000000000-mapping.dmp

Download
memory/3940-120-0x0000000000490000-0x00000000005DA000-memory.dmp

Filesize
1.3MB

Download
memory/3940-118-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/3940-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/3940-116-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/4048-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads