gozi_rm3 | 3d0dddf2dfb9a9223eeaea0776ac7d4277b21bcfb6121fb9e694427ea75e7ae5

Analysis

max time kernel
148s
max time network
149s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d0dddf2dfb9a9223eeaea0776ac7d4277b21bcfb6121fb9e694427ea75e7ae5.exe
Size

880KB
MD5

815cab8c6fcaaf05066f36a2b11d8ba1
SHA1

7a162d5c999748d5cf9c380e9bc84dac22f3c8e6
SHA256

3d0dddf2dfb9a9223eeaea0776ac7d4277b21bcfb6121fb9e694427ea75e7ae5
SHA512

4cd3c089fb2d3332b4eaa22224e5d35332f9d500a00d46ba82ce0d1fd26f7e5b7dc7cb4a61050e4110f7dcb05cd67c138c55f45da4c76e7a120ffb28e320efe0

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BFEB9044-121E-11EC-A248-E2F254D1B155} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000468d2d456f3e088482ede3404e0aecad7954629559251092f87068077240c227000000000e800000000200002000000069343f3b9f0663b2bfd74f8dcd673fd52632d8ee163a721322f5fe3ace62da1e20000000a0a72de3c27cbe8f0b66b26a02dd3354841dd07746df66416ad0ca8e9adea38a40000000e42085d0b0c4e8b912431647c71e00ad31321082deec8dc180b77f9e8633130501732128587cf458b072e202fd976b6c31122bc1bc163aa88750dc233eab085c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000737c916bc7e2462fb6b1a4a85e6a82a2fc3500a90bf8c8a9b0a8a06481c2288e000000000e80000000020000200000001fefae5620c72f83e99e18d617cfe16a42954f1a24a6c82d6834a811f1ac3ce9200000006b88271ca960aeab10ddc80dc3a5ea056e79d457e054b2ab2cb00e96b9ab9db1400000004048a7e1837df685e12e01e0adfbc12539e85bda282515509c96c2123c71d6f93d3605d5ef77e9bcc3240dc86ff06f12d7fb1d6b39a91009a57fb7d3415b186a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30909995"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000660a94b63d7b317aa5635ecb898673cf44fe3d0f24624f61844d67f8755e2d6c000000000e80000000020000200000008a27d1a5920670db4bd2ec31f6e57497ba6d823ebd5c816b264ec04d3ccf354420000000faf7cdefdbd15f364eee75ce8ca25c9dd3debf80576633915dd63f530ac2c5664000000050f101806b05fe6cfe7e5af741d87e5bd478862feddf1e797b750b40cfbe866faf984e99d9dccb10d42938a52d235970f1cd0d78b4e66674d3f4f0d0a20e0cb3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D4AB85E8-121E-11EC-A248-E2F254D1B155} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e047cb752ba6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000caaab498c443536d7f62ff1a53edfc9f79e89e26b5208a5bf01cf865be67cdf2000000000e80000000020000200000007112eea17a3761e12d128115541281ae9a8a339050234936490e54b62e6c6d6020000000561df817578daf3965789f7b781b6326def68b06fbbe0f1e2b3248c1f5679365400000005c4f664c173eeb36a5b2856963633eab6c5feef62f71d73de3717055a75359e0559402f2b74c8760be1922ddc6e5684fc12a9a29c18a922301a224566dadad23	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A53A7ABE-121E-11EC-A248-E2F254D1B155} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00459f892ba6d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1721261379"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000f4c933e58301cb81a7394e2dc605bd0a2f9d0cfe6a349b025205b39b6640e4f0000000000e80000000020000200000007571762b7f2e4e93e03505e919f52e97ee50a9387533b240fd58baab53aa9a77200000000432559d70c9e5164df4cb6b00c9a4e521fe0f4e448bc17c12c94ef7e0c7b42c40000000fa069eeb43bdfc4ec924706e3e63202487ff60457eb9d14f68cdcb853a737632d56c950a7ec15c36977081977779dc34d3a6c9d96fa10f654e7748cae60e6ec0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50dd67972ba6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3656	iexplore.exe
904	iexplore.exe
1780	iexplore.exe
3964	iexplore.exe
1840	iexplore.exe
2596	iexplore.exe
2536	iexplore.exe
2632	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3656	iexplore.exe
3656	iexplore.exe
3728	IEXPLORE.EXE
3728	IEXPLORE.EXE
904	iexplore.exe
904	iexplore.exe
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1780	iexplore.exe
1780	iexplore.exe
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
3964	iexplore.exe
3964	iexplore.exe
3340	IEXPLORE.EXE
3340	IEXPLORE.EXE
1840	iexplore.exe
1840	iexplore.exe
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
2596	iexplore.exe
2596	iexplore.exe
512	IEXPLORE.EXE
512	IEXPLORE.EXE
2536	iexplore.exe
2536	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
2632	iexplore.exe
2632	iexplore.exe
3876	IEXPLORE.EXE
3876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3656 wrote to memory of 3728	3656	iexplore.exe	72
PID 3656 wrote to memory of 3728	3656	iexplore.exe	72
PID 3656 wrote to memory of 3728	3656	iexplore.exe	72
PID 904 wrote to memory of 1148	904	iexplore.exe	74
PID 904 wrote to memory of 1148	904	iexplore.exe	74
PID 904 wrote to memory of 1148	904	iexplore.exe	74
PID 1780 wrote to memory of 2092	1780	iexplore.exe	76
PID 1780 wrote to memory of 2092	1780	iexplore.exe	76
PID 1780 wrote to memory of 2092	1780	iexplore.exe	76
PID 3964 wrote to memory of 3340	3964	iexplore.exe	80
PID 3964 wrote to memory of 3340	3964	iexplore.exe	80
PID 3964 wrote to memory of 3340	3964	iexplore.exe	80
PID 1840 wrote to memory of 1860	1840	iexplore.exe	87
PID 1840 wrote to memory of 1860	1840	iexplore.exe	87
PID 1840 wrote to memory of 1860	1840	iexplore.exe	87
PID 2596 wrote to memory of 512	2596	iexplore.exe	89
PID 2596 wrote to memory of 512	2596	iexplore.exe	89
PID 2596 wrote to memory of 512	2596	iexplore.exe	89
PID 2536 wrote to memory of 3064	2536	iexplore.exe	91
PID 2536 wrote to memory of 3064	2536	iexplore.exe	91
PID 2536 wrote to memory of 3064	2536	iexplore.exe	91
PID 2632 wrote to memory of 3876	2632	iexplore.exe	93
PID 2632 wrote to memory of 3876	2632	iexplore.exe	93
PID 2632 wrote to memory of 3876	2632	iexplore.exe	93

C:\Users\Admin\AppData\Local\Temp\3d0dddf2dfb9a9223eeaea0776ac7d4277b21bcfb6121fb9e694427ea75e7ae5.exe
"C:\Users\Admin\AppData\Local\Temp\3d0dddf2dfb9a9223eeaea0776ac7d4277b21bcfb6121fb9e694427ea75e7ae5.exe"
1⤵
PID:4020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3656 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3964 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-123-0x00007FFD39960000-0x00007FFD399CB000-memory.dmp

Filesize
428KB

Download
memory/1780-125-0x00007FFD39960000-0x00007FFD399CB000-memory.dmp

Filesize
428KB

Download
memory/1840-129-0x00007FFD39690000-0x00007FFD396FB000-memory.dmp

Filesize
428KB

Download
memory/2536-133-0x00007FFD39690000-0x00007FFD396FB000-memory.dmp

Filesize
428KB

Download
memory/2596-131-0x00007FFD39690000-0x00007FFD396FB000-memory.dmp

Filesize
428KB

Download
memory/2632-135-0x00007FFD39BE0000-0x00007FFD39C4B000-memory.dmp

Filesize
428KB

Download
memory/3656-121-0x00007FFD39960000-0x00007FFD399CB000-memory.dmp

Filesize
428KB

Download
memory/3964-127-0x00007FFD397D0000-0x00007FFD3983B000-memory.dmp

Filesize
428KB

Download
memory/4020-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/4020-120-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/4020-118-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/4020-116-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads