gozi_rm3 | 3afcb6faa5ab3e7786759aca218aa64eb3500a4788d71b73b1fab1d29286d602

Analysis

max time kernel
143s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
10/09/2021, 10:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3afcb6faa5ab3e7786759aca218aa64eb3500a4788d71b73b1fab1d29286d602.exe
Size

880KB
MD5

259f09c88e054ce2ba81e395f256dcbc
SHA1

cd47565c17fc1c06048fdd5f8b0d61bb5ac1675d
SHA256

3afcb6faa5ab3e7786759aca218aa64eb3500a4788d71b73b1fab1d29286d602
SHA512

6b0dc7712e68bffcad093853de958c285e8bd836d7cac7df2f996e53789479147a682fae70345cdedb26863a537943a80d35a976f61bfcfda6f7f0da8519d8cd

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30910017"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe31b9da51ea1f4fa60a3246aafee6a300000000020000000000106600000001000020000000be279478b27de71b7d1873037d551ce9f199734800bbac9f981c4f5d9de7f3b7000000000e800000000200002000000063245a0d6ede3a7e2200546274f8e68c1615f745179a1c6144c8ab30ddbe5958200000006a258a6d04c92af3876ec518fa3ae30248942f3f0447e001b7601ab0c32d75e640000000d0088bf81d0886940f2ecd6d86af3d713f364a866884feceb8091a4ea59ca9f1e7f1cc45b93cf4aed0fa6d61169ed6a7043afe1ced5b9caf449423a911afd26d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe31b9da51ea1f4fa60a3246aafee6a3000000000200000000001066000000010000200000004a304c2c563c15cac288114b148ab6b4372cfe2310fbc83b9de307fda2dbc832000000000e8000000002000020000000ba5bd1e0f189f3d82eef860ade3b2d4e1a802867fae3ec4f940d24054be587ee20000000068d669de66e23c86c9f05500f77146778e4c05e29f50fd5772e888172019bcd40000000350b5678c35a845d50091f6ca23f9f90bd84ca2e688fb92f58ead45af16815173d39ca87abe3ce18c61aa1d4489a5bfa2434bc2a87dd4d222ebd2ead5064271c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7041718041a6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d065945641a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81781459-1234-11EC-B2DB-EE0CAE80DA12} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9496CD60-1234-11EC-B2DB-EE0CAE80DA12} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe31b9da51ea1f4fa60a3246aafee6a30000000002000000000010660000000100002000000074402b3086e54c5d272759dac4a3fa4751f009fed3e34921a6b9d574e5a05ea5000000000e80000000020000200000002573859d43cefbe9365a2858c39869efe369a44b1f2cf3b38d259a9caf4ffcdd20000000891b7a40b36e073938396c42df3c03ea1e71813fcb97396cfaeaed3965a601f5400000003cee481aa9dbb69bbb5173efaa9117474f26d529536783d2e703713bef415a1c89525df43dc3a8501366a43ba3ba6654f57f618e5084c8f803cd9db43a3a2987	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C48D5DEA-1234-11EC-B2DB-EE0CAE80DA12} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe31b9da51ea1f4fa60a3246aafee6a300000000020000000000106600000001000020000000148ec09ec72bfa0feb8800167e433b7c8bf2926aa861ba6022910489c136968c000000000e8000000002000020000000f263a4fc42c023e78c8fd6b13ec23fafec1c4d7aac59c8f55f80d95b180732eb2000000052f37a1a4a1c314243b3aea4c5aef9d822d7cfda2985361d440d481acde23eb84000000041a76569e1206bd5c992c1b32c7e2688ab90ccd4f84d6c6d5f13e3962d568cf5b7645f09b0f942d1a46abb8d4a445faf9e804e25e7d3156dc4ddaef73fb0b2ec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30910017"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b8965e41a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD939AB6-1234-11EC-B2DB-EE0CAE80DA12} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2676	iexplore.exe
4088	iexplore.exe
1596	iexplore.exe
3176	iexplore.exe
672	iexplore.exe
2340	iexplore.exe
184	iexplore.exe
1356	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2676	iexplore.exe
2676	iexplore.exe
3836	IEXPLORE.EXE
3836	IEXPLORE.EXE
4088	iexplore.exe
4088	iexplore.exe
4004	IEXPLORE.EXE
4004	IEXPLORE.EXE
1596	iexplore.exe
1596	iexplore.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
3176	iexplore.exe
3176	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
672	iexplore.exe
672	iexplore.exe
4040	IEXPLORE.EXE
4040	IEXPLORE.EXE
2340	iexplore.exe
2340	iexplore.exe
1064	IEXPLORE.EXE
1064	IEXPLORE.EXE
184	iexplore.exe
184	iexplore.exe
3536	IEXPLORE.EXE
3536	IEXPLORE.EXE
1356	iexplore.exe
1356	iexplore.exe
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3836	2676	iexplore.exe	71
PID 2676 wrote to memory of 3836	2676	iexplore.exe	71
PID 2676 wrote to memory of 3836	2676	iexplore.exe	71
PID 4088 wrote to memory of 4004	4088	iexplore.exe	79
PID 4088 wrote to memory of 4004	4088	iexplore.exe	79
PID 4088 wrote to memory of 4004	4088	iexplore.exe	79
PID 1596 wrote to memory of 2532	1596	iexplore.exe	82
PID 1596 wrote to memory of 2532	1596	iexplore.exe	82
PID 1596 wrote to memory of 2532	1596	iexplore.exe	82
PID 3176 wrote to memory of 2740	3176	iexplore.exe	84
PID 3176 wrote to memory of 2740	3176	iexplore.exe	84
PID 3176 wrote to memory of 2740	3176	iexplore.exe	84
PID 672 wrote to memory of 4040	672	iexplore.exe	86
PID 672 wrote to memory of 4040	672	iexplore.exe	86
PID 672 wrote to memory of 4040	672	iexplore.exe	86
PID 2340 wrote to memory of 1064	2340	iexplore.exe	88
PID 2340 wrote to memory of 1064	2340	iexplore.exe	88
PID 2340 wrote to memory of 1064	2340	iexplore.exe	88
PID 184 wrote to memory of 3536	184	iexplore.exe	90
PID 184 wrote to memory of 3536	184	iexplore.exe	90
PID 184 wrote to memory of 3536	184	iexplore.exe	90
PID 1356 wrote to memory of 2676	1356	iexplore.exe	92
PID 1356 wrote to memory of 2676	1356	iexplore.exe	92
PID 1356 wrote to memory of 2676	1356	iexplore.exe	92

C:\Users\Admin\AppData\Local\Temp\3afcb6faa5ab3e7786759aca218aa64eb3500a4788d71b73b1fab1d29286d602.exe
"C:\Users\Admin\AppData\Local\Temp\3afcb6faa5ab3e7786759aca218aa64eb3500a4788d71b73b1fab1d29286d602.exe"
1⤵
PID:604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4088 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3176 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2740

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:184
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/184-132-0x00007FF842F40000-0x00007FF842FAB000-memory.dmp

Filesize
428KB

Download
memory/604-114-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/604-116-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/604-117-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/604-115-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/672-128-0x00007FF842F40000-0x00007FF842FAB000-memory.dmp

Filesize
428KB

Download
memory/1356-134-0x00007FF842F40000-0x00007FF842FAB000-memory.dmp

Filesize
428KB

Download
memory/1596-124-0x00007FF842F40000-0x00007FF842FAB000-memory.dmp

Filesize
428KB

Download
memory/2340-130-0x00007FF842F40000-0x00007FF842FAB000-memory.dmp

Filesize
428KB

Download
memory/2676-120-0x00007FF842F40000-0x00007FF842FAB000-memory.dmp

Filesize
428KB

Download
memory/3176-126-0x00007FF842F40000-0x00007FF842FAB000-memory.dmp

Filesize
428KB

Download
memory/4088-122-0x00007FF842F40000-0x00007FF842FAB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads