gozi_rm3 | 31941577d287f7445f2791c78da17ffcd54baee40acf61dc0ff27a3f1d5253e6

Analysis

max time kernel
148s
max time network
154s
platform
windows10_x64
resource
win10v20210408
submitted
10-09-2021 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c4e1328230fd65c2c8232e7b9f838ae.exe
Size

880KB
MD5

6c4e1328230fd65c2c8232e7b9f838ae
SHA1

9cfbf6477457d26555e37ad3717cccd3aadc7dbe
SHA256

31941577d287f7445f2791c78da17ffcd54baee40acf61dc0ff27a3f1d5253e6
SHA512

062c9fa2241227752ead4f15d05e3c3df8f685538765e527f4929ed3e94f3f37f89f60764b531a0c935e878b7710ea4174ae6f9b48e7c8aa8066176e57fdf733

Score

10^/10

gozi_rm3 202108021 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300981

Extracted

Family

gozi_rm3

Botnet

202108021

https://haverit.xyz

Attributes

build
300981
exe_type
loader
non_target_locale
RU
server_id
12
url_path
index.htm

rsa_pubkey.plain

aes.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600fc8d860a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3EB05276-1254-11EC-B2DB-E6C57AC66A15} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C9F1007-1254-11EC-B2DB-E6C57AC66A15} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ca3cd960a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a69bdf60a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099a40f215a1ac3458b107f2e261c357b00000000020000000000106600000001000020000000f706b51a7c3b09a339224e0382c1cf8b93580d32a89808472ba39b6962610fd1000000000e8000000002000020000000396dd919c97defad263ca2c56b6c65c00cda46c1f2fc5acc66449dd6508de3ac2000000016a5969edea6f9b35349c3e29f84c4fa749ce6688a5720044870fa551bf9939940000000d86d9482c04d17e5a79c481c1852c7ccc2fdd50ec9fa821017c2c1fde063638f4580c6a851011b85c81283ba6f17ff1a6855c0ad7c3077cd32bc8cb8f3df65af	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{23AE2E32-1254-11EC-B2DB-E6C57AC66A15} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099a40f215a1ac3458b107f2e261c357b000000000200000000001066000000010000200000008f55019129bab97b77c51544c38f65542428bd7a6d70907858e726397be97dfc000000000e800000000200002000000085b840220629e4ee8499fb1fbabbbc926c952200702077275edde68a5b2aa00620000000949af35a378924748ffeb6779ac36f7ac51ad267446ff834ebb0517587d46c2840000000e7607a7dd34c45765b0a37bb11230cb5d6eeaad27ee35d1fe18a735b90e3f84b8b7863ae277c42bed53ef0f94ebbb3920ab2cf2c83b84235c57585a2aaa07030	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c09fed60a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37B42EC4-1254-11EC-B2DB-E6C57AC66A15} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50437e0861a6d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c08e750f61a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099a40f215a1ac3458b107f2e261c357b00000000020000000000106600000001000020000000270befc4c2d867cad5140ceaf21583607831643947c8728bfa805b50646580f1000000000e8000000002000020000000e6d499cc97cbb6043aa39a618a511c090f5bed8210929231f6f8732cec79b8a7200000009f215b458b3f2590623701ea1626b24e3666f9a196728a8839852d77f87bf15f40000000bf692a7d375c3f5e1f57ef2109a578a02dcd20980895ec3c5f039207bd93541cb0077468791dda639adb4b9de516500c2228bfb5e8d783310bf6bf7c284aea23	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099a40f215a1ac3458b107f2e261c357b00000000020000000000106600000001000020000000b09a49eb4e84b81113bea6126b79a3538c143b1a2ded1e568e63f61a612e16e5000000000e80000000020000200000006bf81baf214b5037dbc422dffea04b991b4cfd9a53fbb48e1a4c0738343190bc200000009eae2a42a6397d92d4b8614a2c890df99b743b8f5a7f7db5a6e068dbdeb84630400000007f5c83b98fa8c0fe6c4c52d2d95d66174d2e2b9fdc990da771eb2790394e2b02e8318e84b7fa9eddd20ecae1c569677849d838c267679ad5691050ac06a1ffc0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099a40f215a1ac3458b107f2e261c357b000000000200000000001066000000010000200000001d5925363562cc89cf650dc8fc00e28c1b717090e35fb630d144ab1643ff241e000000000e8000000002000020000000220a3544ca5dd9edcf0869c1d524b4629fb14ceae595f567ef39271dfc9045e2200000001741ee2e2343a3eba4a0861fad201fff097160fb20269b2f9b0bfd0222e67c3d400000007d695fe23baa06ec4e26159dd769cac8fad1ec24da0a771cba12a697754273f5b8bffac084519fd74ea3752d53c81e62955c3b894d0bd3672d620fe564caf0a1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099a40f215a1ac3458b107f2e261c357b0000000002000000000010660000000100002000000030a341965ead7c28e5b277836e3f8397de67e9b96416b1e03d2162256418d18f000000000e8000000002000020000000eaad72e9fef3334347bf487d947a147498677badcdd1d0ded11a24ae804dd606200000006870fa4ec47f0ae21f8197f6e6486e10c0fa683cbc9d7eb145abc4dde0e284d0400000000d9ccca11236e9155343130e141a5692d517247c0d6a8bce8e4cc26ef1b570b32149386381dc0a4822b0f7fff9270e9d6116925bd0ad73e0940ff659fbbff1cd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45A7B3B8-1254-11EC-B2DB-E6C57AC66A15} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c00a87e660a6d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2AACB42A-1254-11EC-B2DB-E6C57AC66A15} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099a40f215a1ac3458b107f2e261c357b00000000020000000000106600000001000020000000468c1bd53e46dfe6eaa5a5dff8ff95cc06ef5766a4401f1c8ae22544224ac160000000000e8000000002000020000000558b86309ca835a92127f1acd34051a4abeae76a7ca983155e96e8e1390ba0a92000000036d275ae36aaa6855bcf29ad42acbed9b408fe6c93aaadab89c2d90d9e3223af400000009959d5333856dfabd7d1d79456db0e348ed301d4ae1d1bcb1470bb87fce85a5e8a3c680642b6f3de666f55d8eed77dcacd60d8f91ecc3cfd31aa8465bace2758	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30910048"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408a96fa60a6d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3180	iexplore.exe
3596	iexplore.exe
1880	iexplore.exe
1104	iexplore.exe
764	iexplore.exe
4080	iexplore.exe
2304	iexplore.exe
3280	iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
3180	iexplore.exe
3180	iexplore.exe
3692	IEXPLORE.EXE
3692	IEXPLORE.EXE
3596	iexplore.exe
3596	iexplore.exe
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
1880	iexplore.exe
1880	iexplore.exe
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
1104	iexplore.exe
1104	iexplore.exe
964	IEXPLORE.EXE
964	IEXPLORE.EXE
764	iexplore.exe
764	iexplore.exe
3688	IEXPLORE.EXE
3688	IEXPLORE.EXE
4080	iexplore.exe
4080	iexplore.exe
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE
2304	iexplore.exe
2304	iexplore.exe
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
3280	iexplore.exe
3280	iexplore.exe
3872	IEXPLORE.EXE
3872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 3692	3180	iexplore.exe	73
PID 3180 wrote to memory of 3692	3180	iexplore.exe	73
PID 3180 wrote to memory of 3692	3180	iexplore.exe	73
PID 3596 wrote to memory of 2012	3596	iexplore.exe	80
PID 3596 wrote to memory of 2012	3596	iexplore.exe	80
PID 3596 wrote to memory of 2012	3596	iexplore.exe	80
PID 1880 wrote to memory of 3736	1880	iexplore.exe	82
PID 1880 wrote to memory of 3736	1880	iexplore.exe	82
PID 1880 wrote to memory of 3736	1880	iexplore.exe	82
PID 1104 wrote to memory of 964	1104	iexplore.exe	84
PID 1104 wrote to memory of 964	1104	iexplore.exe	84
PID 1104 wrote to memory of 964	1104	iexplore.exe	84
PID 764 wrote to memory of 3688	764	iexplore.exe	86
PID 764 wrote to memory of 3688	764	iexplore.exe	86
PID 764 wrote to memory of 3688	764	iexplore.exe	86
PID 4080 wrote to memory of 3460	4080	iexplore.exe	88
PID 4080 wrote to memory of 3460	4080	iexplore.exe	88
PID 4080 wrote to memory of 3460	4080	iexplore.exe	88
PID 2304 wrote to memory of 3736	2304	iexplore.exe	90
PID 2304 wrote to memory of 3736	2304	iexplore.exe	90
PID 2304 wrote to memory of 3736	2304	iexplore.exe	90
PID 3280 wrote to memory of 3872	3280	iexplore.exe	92
PID 3280 wrote to memory of 3872	3280	iexplore.exe	92
PID 3280 wrote to memory of 3872	3280	iexplore.exe	92

C:\Users\Admin\AppData\Local\Temp\6c4e1328230fd65c2c8232e7b9f838ae.exe
"C:\Users\Admin\AppData\Local\Temp\6c4e1328230fd65c2c8232e7b9f838ae.exe"
1⤵
PID:664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3180 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3596 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2012

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1104 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4080 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2304 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3280 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/664-115-0x0000000001000000-0x00000000010F4000-memory.dmp

Filesize
976KB

Download
memory/664-116-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/664-119-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/664-114-0x0000000001000000-0x000000000100F000-memory.dmp

Filesize
60KB

Download
memory/764-128-0x00007FFAE00F0000-0x00007FFAE015B000-memory.dmp

Filesize
428KB

Download
memory/1104-126-0x00007FFAE00F0000-0x00007FFAE015B000-memory.dmp

Filesize
428KB

Download
memory/1880-124-0x00007FFAE00F0000-0x00007FFAE015B000-memory.dmp

Filesize
428KB

Download
memory/2304-132-0x00007FFAE00F0000-0x00007FFAE015B000-memory.dmp

Filesize
428KB

Download
memory/3180-120-0x00007FFAE00F0000-0x00007FFAE015B000-memory.dmp

Filesize
428KB

Download
memory/3280-134-0x00007FFAE00F0000-0x00007FFAE015B000-memory.dmp

Filesize
428KB

Download
memory/3596-122-0x00007FFAE00F0000-0x00007FFAE015B000-memory.dmp

Filesize
428KB

Download
memory/4080-130-0x00007FFAE00F0000-0x00007FFAE015B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads