Analysis Overview
SHA256
8190320d71768d12e4c58c7e69c4cd06c088d982fd8e16cfb0fd76377a8e77e0
Threat Level: Known bad
The file 8190320d71768d12e4c58c7e69c4cd06c088d982fd8e16cfb0fd76377a8e77e0 was found to be: Known bad.
Malicious Activity Summary
Gozi RM3
CryptOne packer
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-24 08:02
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-24 08:02
Reported
2022-03-24 08:46
Platform
win10v2004-20220310-en
Max time kernel
163s
Max time network
177s
Command Line
Signatures
Gozi RM3
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30949220" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2186F174-AB57-11EC-B9E2-EE12E79BD9A2} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30949219" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4039460302" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4039303713" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30949219" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "64180467" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2896 wrote to memory of 3436 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2896 wrote to memory of 3436 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2896 wrote to memory of 3436 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\8190320d71768d12e4c58c7e69c4cd06c088d982fd8e16cfb0fd76377a8e77e0.exe
"C:\Users\Admin\AppData\Local\Temp\8190320d71768d12e4c58c7e69c4cd06c088d982fd8e16cfb0fd76377a8e77e0.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 20.42.73.24:443 | tcp | |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exeupay.xyz | udp |
| US | 8.8.8.8:53 | exeupay.xyz | udp |
| US | 8.8.8.8:53 | exeupay.xyz | udp |
Files
memory/4516-134-0x00000000005B0000-0x00000000005D8000-memory.dmp
memory/4516-135-0x0000000000400000-0x0000000000474000-memory.dmp
memory/4516-136-0x0000000002210000-0x0000000002226000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-24 08:02
Reported
2022-03-24 08:45
Platform
win7-20220310-en
Max time kernel
4294214s
Max time network
162s
Command Line
Signatures
Gozi RM3
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000f89921d2d308eb337e7bbc6302d25b5c3d550c70752fc1c57c339359aed49659000000000e8000000002000020000000954f2dbac130cee5af6180bb5b6982ad25f678aa2af0883bce14cd40db1ce43690000000a3128b9ae2ccd387dab9932783c8f4dc7e2d147e68dd93538769ed82c9fe0fcef4c7e667e420695d2a2f6978a0caac297bf4b2f2438c2e3bb0c058bb1f68d5bec1d519a05e62e1aeae217fe3cf72c7cc6b389f8710ef2b8221b705c4386059360d0b0bb3c4a95603fc0ce6df2fb487395df63ab0c1d42dbfb52addcc774f4e5a3cf18aa901404ee3278dcc5762dfb2fa40000000e5f9198801aa1d4e170ace9e70d3dc048adee9384171974639ba3987bd987c3fbaa8b61f4cf677fb8c9b183fcbbd2dbc3f5659fba274f6201eba475407071a00 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904c59d9633fd801 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E88F3800-AB56-11EC-8933-42DD4F163D23} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000184107cd0f7ca421c8d90dfc1f013d5ca425570b1f00b632ee15368e6d54035f000000000e80000000020000200000002f5c5604a0f6e2963069e617eb3322a9b1e9f66540a84b108e6e13ae4e86e6e120000000673ea3c2f747ed8c586a1a38761d7d9cf8328579f6e4cc0d40a213ca9c7bd277400000002a739f8b46525144d3a6d0872bc481dcbfd21f08537e00cd1b22df5a3a2321a65412f7ff1abbd31ef885d8c9a767e1912f329634004f165d803c130319cb1f33 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8190320d71768d12e4c58c7e69c4cd06c088d982fd8e16cfb0fd76377a8e77e0.exe
"C:\Users\Admin\AppData\Local\Temp\8190320d71768d12e4c58c7e69c4cd06c088d982fd8e16cfb0fd76377a8e77e0.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1428 CREDAT:537611 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | exeupay.xyz | udp |
Files
memory/1992-54-0x00000000765D1000-0x00000000765D3000-memory.dmp
memory/1992-55-0x0000000000220000-0x0000000000248000-memory.dmp
memory/1992-56-0x0000000000400000-0x0000000000474000-memory.dmp
memory/1992-57-0x0000000000280000-0x0000000000296000-memory.dmp
memory/1992-63-0x0000000000390000-0x0000000000392000-memory.dmp