gozi_rm3 | 7941e7cab1e386ed6990a79e23da69848ee1f7971ea6300f77260d7468084102

Analysis

max time kernel
145s
max time network
151s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7941e7cab1e386ed6990a79e23da69848ee1f7971ea6300f77260d7468084102.exe
Size

880KB
MD5

57bcb99cca4654b21e83e2732099d961
SHA1

38af72807030e608e517e37d528cbf684b738f69
SHA256

7941e7cab1e386ed6990a79e23da69848ee1f7971ea6300f77260d7468084102
SHA512

072314ffe77ecb0148ae78b2bdd24c7e884208b7f073390929aa73eb30b7575f8ae09e8e2a33594df3e0ba520ee20dda71ba10bc3a83350b914ece382ed2e1d3

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9587015A-121E-11EC-A248-F24B91EF8881} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3090e7932ba6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000003ce9a8fedf52322dc51f5e44f327d5c5ee4b598046db35786d74f7c6b12e3bea000000000e80000000020000200000006edc06bbd329f7ce629c46508da10659d5f37dc2ae770cf9252913058e657adc2000000039afb60c8cfb37f1970974bdb903d237e2753f70c1f51c551a77fbc90c3708f6400000000b69c1d55536a57c1c45c008d897fb2cf51cd6bba7ec360cdbd1e9fe0375f8d69dddf6bdc32242d06b6e2d99938654eda99850a815b49e20efa21cae73c0913b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AF76F686-121E-11EC-A248-F24B91EF8881} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c065d59a2ba6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000005e7581f3bc3e242d76c3f0ec342034c413fc7a2dfa0186335c263f800e2ee864000000000e80000000020000200000006b3f51a2cdada5988514a65372661c7a1def505c22062def67a97c5677d16ada20000000a8c7e0a5315a35ee4f4265958154a7806706bd2716f676a4a1a7831bdb4b32b740000000815c270fd678a3fcc6cad07d9e92b61c044837de554ba7cc8fad5e223b6cd7eb801a0f3a5c79ab647093a56c7dc77874aa41b789894cd1937838fa927ea1ca63	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000205fe65d5ef91902e0b342e7f2893cdf8effaa8dec37f35b77a97682c729e2cc000000000e80000000020000200000001667a406cd1d548bddebba8b557ead762813abb7803fb89de1dbe52f2dcf914b20000000258fd2f75ad4ae9febee077417ae511e2f4a5e1e3c911b419f3417dc5ddf668e400000002e2d668225e19f7d4d990cbefe8bbaec8744e14950c3b08c111392df372d7efa33e64c37855a5e0ed14caaca8cae21907610925e9738f88d79da2843d655c02b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A88B83D0-121E-11EC-A248-F24B91EF8881} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CA38BBB8-121E-11EC-A248-F24B91EF8881} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B664CD6B-121E-11EC-A248-F24B91EF8881} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809f2a792ba6d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C34AE55A-121E-11EC-A248-F24B91EF8881} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0836c6a2ba6d701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000158d59287aa1f03dbd6003e0c3d5dbc898ae245e143be3c57abd39c91f0f4b47000000000e800000000200002000000025f129941e3dc85d688a0c4eda753ac761410da26c1a6cf23705848a38e7045f2000000034768ce87424a0d22aea5cb922f7d6eefbac8bc75c7c5aade480f5d2c106a4df400000004f9d6996d26079c856c4f1bf4efa9da088d258917d51e5d2351f139c26514fd1ca24b86e7a40d0537bd519fb87a21fcb4c6cf69aa3c4dde5413670f0f5ea9703	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000000def9df78d201c6699eb74ca1d4cca4ab3c23c1838766bbc1ed6013fa7cfadbc000000000e80000000020000200000008279be81a22e5bd266ff26b20f0466babc689d2955992f5cba79e75cf898e79720000000f925c480b9bacbdd79828415c2d6fae8621da1e2d0fbb28c698c55a35e435b5740000000e9444c799573cf43a68c5f7a0db864cb6ffe6baa43a0fcfe5c07edc377d9d2b810249758fa8d7b4652817cd33a1bb69abac08eee4a218e8f2901840f0cd26f3f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000976be689bf34bc74ee53993fe0b33ba8f43722802fc9bef489b25e7c6a355d52000000000e8000000002000020000000fce9408f30fa41e99c9591c3404fd8ed562c8f5a45331a7d0ce33387d41fbbfd20000000934cebeae35f13bbd18e262031fa275b03b832ce6a37cee8c7e2fbee8101cc61400000003363ccc2eea8dc1d3d196cfcf158c9de57d4a5980748ca61ba4714c64d795cd1ac6668ad74411669c45eff27d0b21a597a34897ceb00f2da5f3536935270fc1e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4876	iexplore.exe
5060	iexplore.exe
4368	iexplore.exe
4628	iexplore.exe
1792	iexplore.exe
2724	iexplore.exe
4828	iexplore.exe
4000	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
4876	iexplore.exe
4876	iexplore.exe
4928	IEXPLORE.EXE
4928	IEXPLORE.EXE
5060	iexplore.exe
5060	iexplore.exe
5116	IEXPLORE.EXE
5116	IEXPLORE.EXE
4368	iexplore.exe
4368	iexplore.exe
4424	IEXPLORE.EXE
4424	IEXPLORE.EXE
4628	iexplore.exe
4628	iexplore.exe
4680	IEXPLORE.EXE
4680	IEXPLORE.EXE
1792	iexplore.exe
1792	iexplore.exe
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
2724	iexplore.exe
2724	iexplore.exe
3644	IEXPLORE.EXE
3644	IEXPLORE.EXE
4828	iexplore.exe
4828	iexplore.exe
5040	IEXPLORE.EXE
5040	IEXPLORE.EXE
4000	iexplore.exe
4000	iexplore.exe
3856	IEXPLORE.EXE
3856	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 4928	4876	iexplore.exe	72
PID 4876 wrote to memory of 4928	4876	iexplore.exe	72
PID 4876 wrote to memory of 4928	4876	iexplore.exe	72
PID 5060 wrote to memory of 5116	5060	iexplore.exe	74
PID 5060 wrote to memory of 5116	5060	iexplore.exe	74
PID 5060 wrote to memory of 5116	5060	iexplore.exe	74
PID 4368 wrote to memory of 4424	4368	iexplore.exe	78
PID 4368 wrote to memory of 4424	4368	iexplore.exe	78
PID 4368 wrote to memory of 4424	4368	iexplore.exe	78
PID 4628 wrote to memory of 4680	4628	iexplore.exe	85
PID 4628 wrote to memory of 4680	4628	iexplore.exe	85
PID 4628 wrote to memory of 4680	4628	iexplore.exe	85
PID 1792 wrote to memory of 1980	1792	iexplore.exe	87
PID 1792 wrote to memory of 1980	1792	iexplore.exe	87
PID 1792 wrote to memory of 1980	1792	iexplore.exe	87
PID 2724 wrote to memory of 3644	2724	iexplore.exe	89
PID 2724 wrote to memory of 3644	2724	iexplore.exe	89
PID 2724 wrote to memory of 3644	2724	iexplore.exe	89
PID 4828 wrote to memory of 5040	4828	iexplore.exe	91
PID 4828 wrote to memory of 5040	4828	iexplore.exe	91
PID 4828 wrote to memory of 5040	4828	iexplore.exe	91
PID 4000 wrote to memory of 3856	4000	iexplore.exe	93
PID 4000 wrote to memory of 3856	4000	iexplore.exe	93
PID 4000 wrote to memory of 3856	4000	iexplore.exe	93

C:\Users\Admin\AppData\Local\Temp\7941e7cab1e386ed6990a79e23da69848ee1f7971ea6300f77260d7468084102.exe
"C:\Users\Admin\AppData\Local\Temp\7941e7cab1e386ed6990a79e23da69848ee1f7971ea6300f77260d7468084102.exe"
1⤵
PID:4480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4876 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5060 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4368 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4628 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4828 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4000 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-129-0x00007FFF0C180000-0x00007FFF0C1EB000-memory.dmp

Filesize
428KB

Download
memory/2724-131-0x00007FFF0C180000-0x00007FFF0C1EB000-memory.dmp

Filesize
428KB

Download
memory/4000-135-0x00007FFF0C180000-0x00007FFF0C1EB000-memory.dmp

Filesize
428KB

Download
memory/4368-125-0x00007FFF17840000-0x00007FFF178AB000-memory.dmp

Filesize
428KB

Download
memory/4480-115-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/4480-117-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/4480-120-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4480-116-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/4628-127-0x00007FFF0C180000-0x00007FFF0C1EB000-memory.dmp

Filesize
428KB

Download
memory/4828-133-0x00007FFF0C180000-0x00007FFF0C1EB000-memory.dmp

Filesize
428KB

Download
memory/4876-121-0x00007FFF1E410000-0x00007FFF1E47B000-memory.dmp

Filesize
428KB

Download
memory/5060-123-0x00007FFF1E410000-0x00007FFF1E47B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads