gozi_rm3 | 2e2847c39dc62716010c637c0e25e466561dcb1778082578ade823659665ceb4

Analysis

max time kernel
141s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e2847c39dc62716010c637c0e25e466561dcb1778082578ade823659665ceb4.exe
Size

880KB
MD5

b45fbc4ccaf940cdb0c806d61fee1517
SHA1

48a9610d1ed27de0ef861286384b1393c0ebc8ce
SHA256

2e2847c39dc62716010c637c0e25e466561dcb1778082578ade823659665ceb4
SHA512

567187aefe33e8875cb7ddcd72767bdd0b74c6cf30372d0a0f019988563f6c450aa5c34ff41ece988d3d83a6d2d8d909817125472e978a6d33abafaec7f4853a

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045e923df2a665c438b5a1525646395ec0000000002000000000010660000000100002000000065ca833a900cf9cd4009dbe1c4aee048e5a9dce0e38ef1519134667e199979f1000000000e80000000020000200000004bbd1956c7582233000e22c58c8ae7abeceeed2ad8ca75632ce81c671c02225d20000000144c5784234706d68941b2408affb32a68143799e44f35c92d428e39e34dcadc400000005042b41be062966c567522ee1c96bfb385084c8a70fce4909147fe19380fac9e5e59da55263f13e078cd65e34d96e45629deb0242d153a40921fbaa09109e017	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045e923df2a665c438b5a1525646395ec0000000002000000000010660000000100002000000071d9c2af4812dbaad92ea286a10acab22f36c84f8661ade1b9a22490e22b0ad3000000000e80000000020000200000007b339e3d9e765418993ceb89fc2115de310febf78ed7149157adcdf6e9443d0f20000000a285d113b785ea48877ead1fa8f48cbafba04798a21edfb308061c28a813b3ae40000000d6bd6c2588bef704d23ee2ca95996093b905dd009ae5c2b4fce82ef7698245f06e5ef7e6a2a7f1ea47a0928ed4d2eb16c7382107988ab91b16e823653bf85f0c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045e923df2a665c438b5a1525646395ec00000000020000000000106600000001000020000000bddbf4bce521ad935facac373368993fbd76ce142c57dd09449f89ceadbde02b000000000e800000000200002000000005ab0b829cb859bcb28d7b9a45163b88080c290603110c79caf589b183e90a092000000066bc0181e5b4edeb9fccce8454a56ec623c702a14e6823ada5f34ba5f9a625c940000000185dcdd53862a1ef1b66e7d59802096c9d67cc96b83cd89231ebbe7bb3328101d37e6d513e8f9b776a553f2584c78abd28c41b4d13fa6c5f1f01b8e8401d73b8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30910012"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045e923df2a665c438b5a1525646395ec00000000020000000000106600000001000020000000f41407207e475bf801073cdbb10727464f953c14c5e3b8249c802bd1132a991e000000000e8000000002000020000000f26e9631c6225fa5d224e921755a1060d1f28d15b702ef23d0da8ee01541dad4200000001275e1814685e5aeb30b54fa2cac8d4c7154d9f2aecbc71425fe7dc5c1cc4e5940000000d0bf96a45101673314b6477e3f7bbe218e35ddcdfd5be6a7efbc35ac98a6a685aa0ad049d7f3323f8157b4ae2393b8f2b71fff69666cbbeff8d1b603faee24a6	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e087045f3ca6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C40F240-122F-11EC-B2DB-F6E29603A65E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 504f0d3d3ca6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "765696095"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045e923df2a665c438b5a1525646395ec000000000200000000001066000000010000200000008ab1d2001010d2a4ed8a578e3e23beccf5226504b01338771c49f0a7df9f9303000000000e80000000020000200000008fecf1b8aa6205c83f22af237e5e12823da2a5e035234dab5e91830602200ce6200000007d22f7d38bfd308c371b5725d74b69749c687a4d5a0fb266165ae76cbcce7ae74000000074a9a3ddc158b73f56c61375543dd47ff9a96f5e15fe1ab9eee6734f61a2c7641864b8848013d89447d8fa9f7074a51f7e5ea62a9aad639174b86835c5f9cccc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e00316363ca6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{871F527B-122F-11EC-B2DB-F6E29603A65E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 802e01583ca6d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80aa122f3ca6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3872	iexplore.exe
3712	iexplore.exe
2856	iexplore.exe
3976	iexplore.exe
1688	iexplore.exe
1040	iexplore.exe
640	iexplore.exe
2868	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3872	iexplore.exe
3872	iexplore.exe
4020	IEXPLORE.EXE
4020	IEXPLORE.EXE
3712	iexplore.exe
3712	iexplore.exe
3344	IEXPLORE.EXE
3344	IEXPLORE.EXE
2856	iexplore.exe
2856	iexplore.exe
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
3976	iexplore.exe
3976	iexplore.exe
1276	IEXPLORE.EXE
1276	IEXPLORE.EXE
1688	iexplore.exe
1688	iexplore.exe
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1040	iexplore.exe
1040	iexplore.exe
4032	IEXPLORE.EXE
4032	IEXPLORE.EXE
640	iexplore.exe
640	iexplore.exe
420	IEXPLORE.EXE
420	IEXPLORE.EXE
2868	iexplore.exe
2868	iexplore.exe
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 4020	3872	iexplore.exe	71
PID 3872 wrote to memory of 4020	3872	iexplore.exe	71
PID 3872 wrote to memory of 4020	3872	iexplore.exe	71
PID 3712 wrote to memory of 3344	3712	iexplore.exe	79
PID 3712 wrote to memory of 3344	3712	iexplore.exe	79
PID 3712 wrote to memory of 3344	3712	iexplore.exe	79
PID 2856 wrote to memory of 3044	2856	iexplore.exe	82
PID 2856 wrote to memory of 3044	2856	iexplore.exe	82
PID 2856 wrote to memory of 3044	2856	iexplore.exe	82
PID 3976 wrote to memory of 1276	3976	iexplore.exe	84
PID 3976 wrote to memory of 1276	3976	iexplore.exe	84
PID 3976 wrote to memory of 1276	3976	iexplore.exe	84
PID 1688 wrote to memory of 1568	1688	iexplore.exe	86
PID 1688 wrote to memory of 1568	1688	iexplore.exe	86
PID 1688 wrote to memory of 1568	1688	iexplore.exe	86
PID 1040 wrote to memory of 4032	1040	iexplore.exe	88
PID 1040 wrote to memory of 4032	1040	iexplore.exe	88
PID 1040 wrote to memory of 4032	1040	iexplore.exe	88
PID 640 wrote to memory of 420	640	iexplore.exe	90
PID 640 wrote to memory of 420	640	iexplore.exe	90
PID 640 wrote to memory of 420	640	iexplore.exe	90
PID 2868 wrote to memory of 2968	2868	iexplore.exe	92
PID 2868 wrote to memory of 2968	2868	iexplore.exe	92
PID 2868 wrote to memory of 2968	2868	iexplore.exe	92

C:\Users\Admin\AppData\Local\Temp\2e2847c39dc62716010c637c0e25e466561dcb1778082578ade823659665ceb4.exe
"C:\Users\Admin\AppData\Local\Temp\2e2847c39dc62716010c637c0e25e466561dcb1778082578ade823659665ceb4.exe"
1⤵
PID:912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3872 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3712 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3976 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1040 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-132-0x00007FFC6E950000-0x00007FFC6E9BB000-memory.dmp

Filesize
428KB

Download
memory/912-115-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/912-116-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/912-117-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/912-114-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1040-130-0x00007FFC6E950000-0x00007FFC6E9BB000-memory.dmp

Filesize
428KB

Download
memory/1688-128-0x00007FFC6E950000-0x00007FFC6E9BB000-memory.dmp

Filesize
428KB

Download
memory/2856-124-0x00007FFC6E950000-0x00007FFC6E9BB000-memory.dmp

Filesize
428KB

Download
memory/2868-134-0x00007FFC6E950000-0x00007FFC6E9BB000-memory.dmp

Filesize
428KB

Download
memory/3712-122-0x00007FFC6E950000-0x00007FFC6E9BB000-memory.dmp

Filesize
428KB

Download
memory/3872-120-0x00007FFC6E950000-0x00007FFC6E9BB000-memory.dmp

Filesize
428KB

Download
memory/3976-126-0x00007FFC6E950000-0x00007FFC6E9BB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads