gozi_rm3 | b26a47a17c699378e3ebef87bb81e219d876237e13bb7bb0909bd1ee9fcd69e9

Analysis

max time kernel
148s
max time network
147s
platform
windows10_x64
resource
win10-en
submitted
10-09-2021 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b26a47a17c699378e3ebef87bb81e219d876237e13bb7bb0909bd1ee9fcd69e9.exe
Size

880KB
MD5

95c215be27fb24eaaaea480cf11adf92
SHA1

6d1c1f6ea2e7d188890fe7e3ff09fc78962557b0
SHA256

b26a47a17c699378e3ebef87bb81e219d876237e13bb7bb0909bd1ee9fcd69e9
SHA512

0613beb41f408eb8bf2d67b714c0de58ebd9d6d3ce1363032c16f28754c297e92a51e54f4655a0b9c2af4910b695f6b3647a6d1efa46c83267e31d1029288ef6

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000005fcc87e00ef430bde4a54620f510346d002cfae3de37a67360a4d97e4598fd08000000000e8000000002000020000000612e137bed2ec4fda040d12df3bb414aa26ab3093da10de7d6328f68595510e420000000fff5c85cbb4fef0f2978ce6d8204c367803eca3ab3eab4470323be07c10e9d7e4000000022e708572292fbbb2a2dd3f217c435a108c9f50525c7ff2030bf1f503222df582ce1bd0d97120fb1d8d6aa30575ba157a8fa5ce872a597d9e73d11ae59baea39	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D20CD28B-121A-11EC-A248-F62E334B89D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d4610000000002000000000010660000000100002000000058eb51051474f5a3d9fd86bba431e78ddb9c43e433c109ac9cc513175b474fcc000000000e8000000002000020000000db09189cc5bdee241c0f32919b4b83343440bab7bc0360bb5f6a67f5649530b92000000054b5b6edfd9ae167cfaf97a07906c6fe7db9d5f2f278434c2314f0c81825690c400000006d52ced835fb1fdef8d20a2b7cbc1c37e99a22f2864651a3b7959c7e6151c6e3e21138be74864a5027c4cd65bff42f07c5a9c2d0af5c53ccbec499258ef3b3a1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFE15676-121A-11EC-A248-F62E334B89D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30909991"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d02dd97227a6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000048e420b4fa4c10cfa62b2d0bcedc3434ece0624ac76c7677f9a807fd3b57de2000000000e8000000002000020000000d3dc85ae1459c40fb37960860286d20e8d0ed58318a1099e5cc80695e1aba5af200000003e180f7ef4fa6b4a59a9a01b957f84a7e0470cb6c0f83acb45d76cba19d2f05140000000bc998343d0fc1b2e7f604d54228686fca27f189aa971b3b532e13bde9b34d36effdadf9c0dd50c037b6e589342efa71dd1511db4223b702b212221d928696f7c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1905275962"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30909991"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000d19190ae066de2c173bccdda149823b2ddb65cc028d379cbf628aa1148465d21000000000e80000000020000200000007c2d371b240c8128c2dd074cc154000e60f11f4646389a22c10f205a538af73f200000007268f79e84b938db8eb4dd5694ecd24fb49ea8cd300acb8eab2d1107d2aa5bc04000000024f8ddd2f496a436285ba51e9a7faf6674be8a9613d988e16a151b6d873eed1fae2e2200feb1587e59ce7e6f8ba98f1b83bd5570626f7faaba730a0842ce6dbc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000001bf6c4e2be29ba4f716fae77f77c34c39358ca3b9766258fbdd33a1816841f0f000000000e80000000020000200000003e6cd73850cd2c0b252f2754add3a866a40a754530457a065f57c5b09575a8cf200000008e028633d166e14084810b6c342bf4ec2d31576c299f6674f51f993afad2456240000000d8db939cdad7e9ee0b32ee1d1a5e231dc10af7fce3804a32a0e296062edeff7d226c0773e932f4ead1308d2014116a00f768ac5f3ad3736e90d62f2257bfdf10	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 106aef7127a6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d46100000000020000000000106600000001000020000000f2a3b1915d90b9061c51a3bed75c299a31bfa7087c26586120b72d3893d2f99b000000000e8000000002000020000000940b934152c655411373427668b6b92f2d4c15a6dae5bfb84fd534d8ab2dfa4e2000000024b165119315c75e53af8c2462f90842271ff54ec600d35d633b530868df57584000000014959acad7bc68be675ebc4cf78656204417337980745248a956537a706b4929129768796da00a99d86aae5e51de0d878d5ee34afc3bb085731ddc72c723aae9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B6F9FF79-121A-11EC-A248-F62E334B89D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3944	iexplore.exe
856	iexplore.exe
1660	iexplore.exe
2348	iexplore.exe
748	iexplore.exe
3720	iexplore.exe
1816	iexplore.exe
3480	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3944	iexplore.exe
3944	iexplore.exe
4060	IEXPLORE.EXE
4060	IEXPLORE.EXE
856	iexplore.exe
856	iexplore.exe
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1660	iexplore.exe
1660	iexplore.exe
964	IEXPLORE.EXE
964	IEXPLORE.EXE
2348	iexplore.exe
2348	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
748	iexplore.exe
748	iexplore.exe
316	IEXPLORE.EXE
316	IEXPLORE.EXE
3720	iexplore.exe
3720	iexplore.exe
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1816	iexplore.exe
1816	iexplore.exe
3692	IEXPLORE.EXE
3692	IEXPLORE.EXE
3480	iexplore.exe
3480	iexplore.exe
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 4060	3944	iexplore.exe	72
PID 3944 wrote to memory of 4060	3944	iexplore.exe	72
PID 3944 wrote to memory of 4060	3944	iexplore.exe	72
PID 856 wrote to memory of 1056	856	iexplore.exe	74
PID 856 wrote to memory of 1056	856	iexplore.exe	74
PID 856 wrote to memory of 1056	856	iexplore.exe	74
PID 1660 wrote to memory of 964	1660	iexplore.exe	76
PID 1660 wrote to memory of 964	1660	iexplore.exe	76
PID 1660 wrote to memory of 964	1660	iexplore.exe	76
PID 2348 wrote to memory of 2376	2348	iexplore.exe	80
PID 2348 wrote to memory of 2376	2348	iexplore.exe	80
PID 2348 wrote to memory of 2376	2348	iexplore.exe	80
PID 748 wrote to memory of 316	748	iexplore.exe	87
PID 748 wrote to memory of 316	748	iexplore.exe	87
PID 748 wrote to memory of 316	748	iexplore.exe	87
PID 3720 wrote to memory of 1212	3720	iexplore.exe	89
PID 3720 wrote to memory of 1212	3720	iexplore.exe	89
PID 3720 wrote to memory of 1212	3720	iexplore.exe	89
PID 1816 wrote to memory of 3692	1816	iexplore.exe	91
PID 1816 wrote to memory of 3692	1816	iexplore.exe	91
PID 1816 wrote to memory of 3692	1816	iexplore.exe	91
PID 3480 wrote to memory of 1660	3480	iexplore.exe	93
PID 3480 wrote to memory of 1660	3480	iexplore.exe	93
PID 3480 wrote to memory of 1660	3480	iexplore.exe	93

C:\Users\Admin\AppData\Local\Temp\b26a47a17c699378e3ebef87bb81e219d876237e13bb7bb0909bd1ee9fcd69e9.exe
"C:\Users\Admin\AppData\Local\Temp\b26a47a17c699378e3ebef87bb81e219d876237e13bb7bb0909bd1ee9fcd69e9.exe"
1⤵
PID:4000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3944 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1056

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2376

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3720 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1816 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-130-0x00007FF927C70000-0x00007FF927CDB000-memory.dmp

Filesize
428KB

Download
memory/856-124-0x00007FF927E00000-0x00007FF927E6B000-memory.dmp

Filesize
428KB

Download
memory/1660-126-0x00007FF927E00000-0x00007FF927E6B000-memory.dmp

Filesize
428KB

Download
memory/1816-134-0x00007FF9282D0000-0x00007FF92833B000-memory.dmp

Filesize
428KB

Download
memory/2348-128-0x00007FF927C70000-0x00007FF927CDB000-memory.dmp

Filesize
428KB

Download
memory/3480-136-0x00007FF9282D0000-0x00007FF92833B000-memory.dmp

Filesize
428KB

Download
memory/3720-132-0x00007FF927C70000-0x00007FF927CDB000-memory.dmp

Filesize
428KB

Download
memory/3944-122-0x00007FF927E00000-0x00007FF927E6B000-memory.dmp

Filesize
428KB

Download
memory/4000-116-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/4000-121-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4000-118-0x0000000000E60000-0x0000000000E70000-memory.dmp

Filesize
64KB

Download
memory/4000-117-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads