gozi_rm3 | 115f3246c6d99478234c30c8e6cc91d8a43389fd7b486c6baaaef414b471dca2

Analysis

max time kernel
149s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

115f3246c6d99478234c30c8e6cc91d8a43389fd7b486c6baaaef414b471dca2.exe
Size

880KB
MD5

1eb2d08152a0211023449c88c5946a63
SHA1

88ffb9ee5f829aa1c00613ec52a8434258fc3db3
SHA256

115f3246c6d99478234c30c8e6cc91d8a43389fd7b486c6baaaef414b471dca2
SHA512

c91a60fec433d03c7f39d6259e1ca179a5e643753b95b13eaab4097cdfe155a76f6e0b90b16724152ce7d848d2bcb55b25866c5ff857ea23cfd1f0fd11fe92c2

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB1B12F4-1231-11EC-B2DB-FE8EF4155406} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008bde08182e1b5249b9080d7be250a2a500000000020000000000106600000001000020000000a43cf0ecfe1b0b4230a19b920665a7f6991ba98eec45a80c440bc564055ab125000000000e80000000020000200000005f60d4300a39611ebe6172a3fd9baf8a43b60a8b2e61b951f85621fac2a5e846200000005532d93285b407b2ba86ec40990d8e8b6fef66bd8552e640550fb8322f2651cb4000000063411704a47d79e94e22d4f90ae06660bcc6360bbbf4b4f7061106a940c73c68f343f11c5e06c63f533453b750a7e8c546284151e88243d75364027fd445b850	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB24B364-1231-11EC-B2DB-FE8EF4155406} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008bde08182e1b5249b9080d7be250a2a500000000020000000000106600000001000020000000aefa9a284edd17d09d0463398fb03f1796027dd9a76cca1e9ffd7f760b5ece98000000000e80000000020000200000009931c885699f4aff97824f181e85188c1b2e43ef32f8f35463619338b9a97aa92000000097ed503562d767c903f6690d93b8fe5f2ab84aae4a6a77204ce83e35121c7bf340000000c25f15e2d96b48591dfe0335b400392361d0d1a3c0d11b9bcf7941ccb79c032ce99eb4c2add9f91c90eb9346f38e17c78e3b55fe4e6e077d07982284aa10df58	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DD2ED2AF-1231-11EC-B2DB-FE8EF4155406} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E43218C6-1231-11EC-B2DB-FE8EF4155406} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2056114083"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008bde08182e1b5249b9080d7be250a2a5000000000200000000001066000000010000200000002b3feaec1db4c0ec1d615ee6ee42eeeea63c954618b37254c0115e7ba306fee6000000000e8000000002000020000000012b8ab22b8eb97059565968995d506367be555dd68cbf12156d2cf9e7d04a6f200000009c3bff4e0b68cea78ea25aa646a41fba9021f484f3575d8f5fbfaad6a24c376a4000000079c46766f4f2039026746bd2e149f17d1f567c5b31a80a6c711b4e037275206424dd5d1fe4e1d91066859ae9b98fd09617631aa69cd48366c1edb7d684410d18	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C233D16D-1231-11EC-B2DB-FE8EF4155406} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008bde08182e1b5249b9080d7be250a2a50000000002000000000010660000000100002000000021412958c47c84494ab6d383d57b66dbae266539e980ef1bb2fe1a1da7e4d297000000000e80000000020000200000000551f9e725dfe3b2bca7c5b0dbda68cde46a35c53a59483affed12fb4980df1c200000000afbe6ae1848dfb4e6686bc0bbd081372e01e05f58b5a3ff07e15f180f24f48c40000000181a76cdd0a2ac62326f85a80feadb8209bcb1eeebb65323d2c0fa3302f3091241d9f7d55b6f6b9b5357d7f94eb45b76298f78163dcfe72d31a66bf4ee3583a1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d03f16853ea6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008bde08182e1b5249b9080d7be250a2a5000000000200000000001066000000010000200000004265436683d8c7d6f9af51a227c855e97b7c3a74723d290c443f45b5e4265fdc000000000e80000000020000200000009193b3f4951b5bced38afe5bc6c802c8b61989479d9176ac8382bb47aa38fea120000000c210fba3e6213a792c24bd315e162cbfc5327dac16c1df33d1d5aacd8abccfcc40000000de1ddec4f045e8ab1a14777c5857d46a3cf28ec0ad223fdfb00571fab426969daf9684d52141e85eb8bf32c3d4b90d1a85d6df44fe795355d24400d026efa129	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5ED6E79-1231-11EC-B2DB-FE8EF4155406} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30910014"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008bde08182e1b5249b9080d7be250a2a5000000000200000000001066000000010000200000000940cb09313a2900136ee95ac72cadf7823687e72168eae93d6acbe2c2048004000000000e800000000200002000000048a9507eb383b2a63bb758fa5d7a884e813e00fcfd940b302ab1990ccc90598b2000000091228e174cbfe0681228e55ae489859f2922887dbcb8811845720226f4728b5240000000eee07e5402fdfa77b3b6a22e9c31fc73827fcc7ec51f17d637dbaf99c4be196a35fc93e2dee73be02aa54c528c13c1b0e17d60383df6b76ac54a3eeaba9c158f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008bde08182e1b5249b9080d7be250a2a5000000000200000000001066000000010000200000005b9bd8036d33cfec0b58c3508fbbb9664a401f0f8161684f76ff8addedb5458b000000000e8000000002000020000000aa9ea59767aab1193b941d9bb71c4c12d5900a088eb2ccb93169d922cb122010200000008098a1027b5eae3005bc38ae113b1625bf54b3ddb03d3ddbb308807c215d65b540000000d57904262a44fb67b3e414b17607649b96d9b1d9eb349089733135603dda9aa7361e3a3913dc8abbdc9eab949c81315920b74a822a87f3e0f6504a9b5e4076cf	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4068	iexplore.exe
2716	iexplore.exe
2808	iexplore.exe
1600	iexplore.exe
3812	iexplore.exe
1336	iexplore.exe
1968	iexplore.exe
3940	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
4068	iexplore.exe
4068	iexplore.exe
3980	IEXPLORE.EXE
3980	IEXPLORE.EXE
2716	iexplore.exe
2716	iexplore.exe
1384	IEXPLORE.EXE
1384	IEXPLORE.EXE
2808	iexplore.exe
2808	iexplore.exe
3868	IEXPLORE.EXE
3868	IEXPLORE.EXE
1600	iexplore.exe
1600	iexplore.exe
196	IEXPLORE.EXE
196	IEXPLORE.EXE
3812	iexplore.exe
3812	iexplore.exe
3720	IEXPLORE.EXE
3720	IEXPLORE.EXE
1336	iexplore.exe
1336	iexplore.exe
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE
1968	iexplore.exe
1968	iexplore.exe
3168	IEXPLORE.EXE
3168	IEXPLORE.EXE
3940	iexplore.exe
3940	iexplore.exe
3664	IEXPLORE.EXE
3664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 3980	4068	iexplore.exe	72
PID 4068 wrote to memory of 3980	4068	iexplore.exe	72
PID 4068 wrote to memory of 3980	4068	iexplore.exe	72
PID 2716 wrote to memory of 1384	2716	iexplore.exe	81
PID 2716 wrote to memory of 1384	2716	iexplore.exe	81
PID 2716 wrote to memory of 1384	2716	iexplore.exe	81
PID 2808 wrote to memory of 3868	2808	iexplore.exe	83
PID 2808 wrote to memory of 3868	2808	iexplore.exe	83
PID 2808 wrote to memory of 3868	2808	iexplore.exe	83
PID 1600 wrote to memory of 196	1600	iexplore.exe	85
PID 1600 wrote to memory of 196	1600	iexplore.exe	85
PID 1600 wrote to memory of 196	1600	iexplore.exe	85
PID 3812 wrote to memory of 3720	3812	iexplore.exe	87
PID 3812 wrote to memory of 3720	3812	iexplore.exe	87
PID 3812 wrote to memory of 3720	3812	iexplore.exe	87
PID 1336 wrote to memory of 1068	1336	iexplore.exe	89
PID 1336 wrote to memory of 1068	1336	iexplore.exe	89
PID 1336 wrote to memory of 1068	1336	iexplore.exe	89
PID 1968 wrote to memory of 3168	1968	iexplore.exe	91
PID 1968 wrote to memory of 3168	1968	iexplore.exe	91
PID 1968 wrote to memory of 3168	1968	iexplore.exe	91
PID 3940 wrote to memory of 3664	3940	iexplore.exe	93
PID 3940 wrote to memory of 3664	3940	iexplore.exe	93
PID 3940 wrote to memory of 3664	3940	iexplore.exe	93

C:\Users\Admin\AppData\Local\Temp\115f3246c6d99478234c30c8e6cc91d8a43389fd7b486c6baaaef414b471dca2.exe
"C:\Users\Admin\AppData\Local\Temp\115f3246c6d99478234c30c8e6cc91d8a43389fd7b486c6baaaef414b471dca2.exe"
1⤵
PID:1400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4068 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3980

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1384

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2808 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:196

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3812 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3940 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-130-0x00007FF8B96F0000-0x00007FF8B975B000-memory.dmp

Filesize
428KB

Download
memory/1400-115-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/1400-114-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/1400-116-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/1400-119-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1600-126-0x00007FF8B9510000-0x00007FF8B957B000-memory.dmp

Filesize
428KB

Download
memory/1968-132-0x00007FF8B96F0000-0x00007FF8B975B000-memory.dmp

Filesize
428KB

Download
memory/2716-122-0x00007FF8B9510000-0x00007FF8B957B000-memory.dmp

Filesize
428KB

Download
memory/2808-124-0x00007FF8B9510000-0x00007FF8B957B000-memory.dmp

Filesize
428KB

Download
memory/3812-128-0x00007FF8B96F0000-0x00007FF8B975B000-memory.dmp

Filesize
428KB

Download
memory/3940-134-0x00007FF8B96F0000-0x00007FF8B975B000-memory.dmp

Filesize
428KB

Download
memory/4068-120-0x00007FF8B9510000-0x00007FF8B957B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads