gozi_rm3 | 6a83cc4b98bb4b1f938c1decb6ce8c38b398bb22d48e70068daa58697fc9a7c7

Analysis

max time kernel
147s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a83cc4b98bb4b1f938c1decb6ce8c38b398bb22d48e70068daa58697fc9a7c7.exe
Size

880KB
MD5

4f4aaa9d44ae7e1791b4fbb60572e4a1
SHA1

59b5447b5d9b75500c37f964fe1a53c868c558ea
SHA256

6a83cc4b98bb4b1f938c1decb6ce8c38b398bb22d48e70068daa58697fc9a7c7
SHA512

4e519825a92ce7c9d6cd7f3effd18e8830cb614afb653cd5cea722df6e9bcf9828672c82f0e6198125d63aabee2f078793086f078cd94f9e79359f637e31d8cf

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5074297e41a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9234B747-1234-11EC-B2DB-56DFFBC7AD00} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0eb278541a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a306c6a6c961d443822d9acb2cdad11d00000000020000000000106600000001000020000000a875630b98226474a4abbac3b2240963e53007bd0fe357a1d8f60e2045badc26000000000e80000000020000200000003114ece68a0604f4f833393ea3e1dbb310961d63c4c7b214922b886443cbefbc2000000099505f321f33b1f536d2d482616cf103f9e1890b24394c1a87331b6d162b45d0400000009f1dafd6e874e6be5a129aea6390bfd1e3419538d5e2e2aff13b696e4a20ad473d64c5b8268500ef7c7a7ea8b61cc1fd3f615ee645f4ff79e164f7677a2e741d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30da306341a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a306c6a6c961d443822d9acb2cdad11d0000000002000000000010660000000100002000000083461b21d1acef3255c22267dc0acde4a447ff5caaf33bbe476d85db04d7af17000000000e8000000002000020000000a3db2aa627c5d354edd81c9cc43497a20fcbd11453bc47845d50a96b49eeea8b200000001e5dbafd8de2e4966520e1221288e65539dc122be9108076f8827d22d2692fdd4000000066b5d29ab7961aa428f06bf3a4d3be4a554dbf02268bd21dcc6adb5034906a465e6ac895fe69231c921a6d93a7be65989093853a6d18e7e9cd15a3f9563fa206	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a306c6a6c961d443822d9acb2cdad11d00000000020000000000106600000001000020000000bd454a1cabe1bbe6ea2b9e69f5fd4e52f0006474c4dae8aa0780bf8062de82b7000000000e8000000002000020000000db28c38720d96cf13a3c5dae5db63946ec72a8f66d59e43eb275a1e033a18275200000002e855683670a6827adfb91dc9697fc6c9880be5f73b73adf21dd98f2b58bdb534000000007edfcf9cf08d15c609a9d7308ed36c15087e5acf02751813b3a3a10df547b9ad07db377a335a41506130b65013516134d9e1a50194b89f4c87656ca5e3a5688	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30910017"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a306c6a6c961d443822d9acb2cdad11d00000000020000000000106600000001000020000000972ccb0078b9a267a034ef097f856bc43a6d084ed49a8755a86e8a24efb6bd76000000000e80000000020000200000000969d70187b7b69926603ea8fe2b0bd5007408292434db1983eecb10a0d6d88c2000000057eeaeff79e248de125f6e438fdf27f1abcd9dd8bd7fd355bdc2b27689bf20f840000000cc19acd8cba2a3a100d46736bb6cb6eea257e99a07a6d359de3353cb45db9f1b6f9f2178d6fc8f720a4430a3f371f6aec1b6a4728bf6f92ec1dabb4bd5ad336d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A03DAE8F-1234-11EC-B2DB-56DFFBC7AD00} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B443B07E-1234-11EC-B2DB-56DFFBC7AD00} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a306c6a6c961d443822d9acb2cdad11d000000000200000000001066000000010000200000006d218cc89309e162579d51019661f010bbb89e81e53bcc755d7b0ef2696127eb000000000e80000000020000200000000b1ace4444edd8e4a4ec59e232e1a10faf79e21b495aa2e436e0f3600663094f20000000fc60de399491a2082b8451a73a983701234d697c72d348b23124f1bcd3d93a8b400000001a5959db19760e598318d4dd1e7bd4579e83f5ad24c948c5df57b064687d2ea00f1a9b71111e19386c1d43248f43e52c05e2d7c06f23de538fbb4c3368745d1d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{993F2988-1234-11EC-B2DB-56DFFBC7AD00} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a306c6a6c961d443822d9acb2cdad11d00000000020000000000106600000001000020000000a629708f477ab9ca3ab0c615dc891bdb245d6502af75457d20069b2598344c53000000000e80000000020000200000003d421e8f48b24c040eb7d7951dbae785f41afc8267e3b281c9fdcf1a94b6629820000000f6a38df9310b5a63c0d82ed9db99fea0a692bae923e03b298ce6eb0bb1b81dcd400000005a3ec346faddd5e5100c431f3952cc507feada9ca1d36736f3650aba673c3f50e5596d01fbaefbb70e9072fcfd41df7e0efaa30a3fa869684ab6f91345f7cdd1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C24CA669-1234-11EC-B2DB-56DFFBC7AD00} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0e24e5441a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD4528FF-1234-11EC-B2DB-56DFFBC7AD00} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a306c6a6c961d443822d9acb2cdad11d00000000020000000000106600000001000020000000670302a85ec98104458fc3501721482f1a5d0f9fc3a8fdfe2153884353869747000000000e80000000020000200000004ae2b9d34391c6bd3ae8395ef8f66bf571b632013b1fc4cb9e44f866eb7587b9200000007693958b472fc0a4bbb12406d9a51df5f8a8c565f7ac7d5c976c5eced3c2a342400000000251e31f8947cefc661dfd474426314d704543f2ae6f403764df5c526890b7c4405f48a42b14bc7b71e43c9d5fc06bd6435b879e1f1c414672d8baf3dc654335	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1366647641"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00bd285441a6d701	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2840	iexplore.exe
3772	iexplore.exe
1548	iexplore.exe
1196	iexplore.exe
3832	iexplore.exe
2804	iexplore.exe
1556	iexplore.exe
4084	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2840	iexplore.exe
2840	iexplore.exe
3640	IEXPLORE.EXE
3640	IEXPLORE.EXE
3772	iexplore.exe
3772	iexplore.exe
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
1548	iexplore.exe
1548	iexplore.exe
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
1196	iexplore.exe
1196	iexplore.exe
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
3832	iexplore.exe
3832	iexplore.exe
1288	IEXPLORE.EXE
1288	IEXPLORE.EXE
2804	iexplore.exe
2804	iexplore.exe
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE
1556	iexplore.exe
1556	iexplore.exe
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
4084	iexplore.exe
4084	iexplore.exe
3640	IEXPLORE.EXE
3640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3640	2840	iexplore.exe	71
PID 2840 wrote to memory of 3640	2840	iexplore.exe	71
PID 2840 wrote to memory of 3640	2840	iexplore.exe	71
PID 3772 wrote to memory of 3000	3772	iexplore.exe	80
PID 3772 wrote to memory of 3000	3772	iexplore.exe	80
PID 3772 wrote to memory of 3000	3772	iexplore.exe	80
PID 1548 wrote to memory of 2312	1548	iexplore.exe	82
PID 1548 wrote to memory of 2312	1548	iexplore.exe	82
PID 1548 wrote to memory of 2312	1548	iexplore.exe	82
PID 1196 wrote to memory of 1668	1196	iexplore.exe	84
PID 1196 wrote to memory of 1668	1196	iexplore.exe	84
PID 1196 wrote to memory of 1668	1196	iexplore.exe	84
PID 3832 wrote to memory of 1288	3832	iexplore.exe	86
PID 3832 wrote to memory of 1288	3832	iexplore.exe	86
PID 3832 wrote to memory of 1288	3832	iexplore.exe	86
PID 2804 wrote to memory of 1140	2804	iexplore.exe	88
PID 2804 wrote to memory of 1140	2804	iexplore.exe	88
PID 2804 wrote to memory of 1140	2804	iexplore.exe	88
PID 1556 wrote to memory of 2832	1556	iexplore.exe	90
PID 1556 wrote to memory of 2832	1556	iexplore.exe	90
PID 1556 wrote to memory of 2832	1556	iexplore.exe	90
PID 4084 wrote to memory of 3640	4084	iexplore.exe	92
PID 4084 wrote to memory of 3640	4084	iexplore.exe	92
PID 4084 wrote to memory of 3640	4084	iexplore.exe	92

C:\Users\Admin\AppData\Local\Temp\6a83cc4b98bb4b1f938c1decb6ce8c38b398bb22d48e70068daa58697fc9a7c7.exe
"C:\Users\Admin\AppData\Local\Temp\6a83cc4b98bb4b1f938c1decb6ce8c38b398bb22d48e70068daa58697fc9a7c7.exe"
1⤵
PID:904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3772 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1196 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3832 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1556 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4084 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-114-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/904-115-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/904-117-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/904-119-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/1196-126-0x00007FFAEEB30000-0x00007FFAEEB9B000-memory.dmp

Filesize
428KB

Download
memory/1548-124-0x00007FFAEEB30000-0x00007FFAEEB9B000-memory.dmp

Filesize
428KB

Download
memory/1556-132-0x00007FFAEEB30000-0x00007FFAEEB9B000-memory.dmp

Filesize
428KB

Download
memory/2804-130-0x00007FFAEEB30000-0x00007FFAEEB9B000-memory.dmp

Filesize
428KB

Download
memory/2840-120-0x00007FFAEEB30000-0x00007FFAEEB9B000-memory.dmp

Filesize
428KB

Download
memory/3772-122-0x00007FFAEEB30000-0x00007FFAEEB9B000-memory.dmp

Filesize
428KB

Download
memory/3832-128-0x00007FFAEEB30000-0x00007FFAEEB9B000-memory.dmp

Filesize
428KB

Download
memory/4084-134-0x00007FFAEEB30000-0x00007FFAEEB9B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads