gozi_rm3 | 2b4a1e90e4b691cd320e26cbf167c987a72dd8df3fc4260873c92b0f3ffb2d43

Analysis

max time kernel
145s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
02-05-2022 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b4a1e90e4b691cd320e26cbf167c987a72dd8df3fc4260873c92b0f3ffb2d43.exe
Size

462KB
MD5

b211ecffe6b2c724df0318a1c95672c6
SHA1

d2b87d0586de7dabe031d2f16e69a0855fdf07c4
SHA256

2b4a1e90e4b691cd320e26cbf167c987a72dd8df3fc4260873c92b0f3ffb2d43
SHA512

64fa3c56f23fb38887973fae3b2040df1c389789f2acb23235aa196f0186c88c1cf3cc1ddc55926e0e101865aee93068a969b24fbd3d8b9989b9c9763af7cd0f

Score

10^/10

gozi_rm3 89820235 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300898

Extracted

Family

gozi_rm3

Botnet

89820235

https://exeupay.xyz

Attributes

build
300898
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4000241236"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4000241236"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30957137"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000c33b5d0c937345208c3ade3cc664259392c10c5506eb88788c38a5077682e790000000000e80000000020000200000000eb3a1f96307dea8fea4c0ca581e01cc9380c4f606969346596fa61f5aff4549200000004ca8e2d705746404d5abc404443a43ab358d6a961cdceff58b439a0be1daebdf40000000b4e1910a7d812b318d16fe102a33a332cc77a7ada1361bca8bdf0de10267e42601b3325e0a2ad78d309d658ba495f8224a8e93ff8728dad18225542eb7603533	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70cb6eee515ed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b09150000000002000000000010660000000100002000000092e9c6a7d8eefb2c446d529963da8aa3c8a9fe18247c0a447ac9ef1e2b08f072000000000e80000000020000200000003e740e59a5de6a53ca9e70ed86bd4384854cd08b6c0fbfd4256e5916dceeba3e200000001f97923805b55a63e76f1c8f17937c5761cd9898de84e5a3b77e6d37788ed3cc40000000d2af680f146607ce0f1bee56bb5be6a21670d8cc0bb6923cf19fc10911503952e629e438121e9712c2dcb444a70c7638db1d53120a190ae4bd797f1840202487	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30957137"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b09150000000002000000000010660000000100002000000065872e2b65d0fd0194e3a1533c1016ac8863a7ff222e8419a186fcc7fe10ce31000000000e8000000002000020000000655f4cf18daf2276f89ea2c0c8039f74684490e60a456c93c4c839501a9c32a550000000983e4ca97db17d7580c5fe2f04b8aada679e5b4aff9199d9c02bebf3ea413ba96f81353b8ed5265ea7e143682b5069ee4017e9b1e5c39d84f601098854e3c1920c31ec023bcb945c9615e0f14080cb3540000000b09d07e0b6ef9cee8c5425d4fe44ed720393bb1f5f4263186d1cff81e71a2a5fa538afc0f4dd6db79f6e1fd165e97f32b77753b713ed769a7062a705d8d01dce	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b09150000000002000000000010660000000100002000000023a3d04293ae602b6ef5a5a8fbd2d5d7c399846a7b49b9630053dbf5a15a9bbb000000000e800000000200002000000083729326990f96233312e374da90ef2c0985704241ec5121676bfdc19fa3a4cd10000000115707c2eb3c5bd6ce4eb61a6c4ed7ce400000001ac1eb11d036c82683054013b77ae841b5d32666dcbe8899092813a2a3a7a4b505e87ea09137c213fae883197bb94cc5b297053f73cf4b8be8f712beaaf831fc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4245BD2E-CA45-11EC-AC67-5ABF78284711} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 202d17f8515ed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{19658A82-CA45-11EC-AC67-5ABF78284711} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = f982cdb29d50d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e4c50a525ed801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b0915000000000200000000001066000000010000200000008357b13b388d23698c8a6a6dc7ebe21dc98b7fe53046c359d9fea3fa0d3c2fc1000000000e80000000020000200000009b074d799497d38b304cdcef498cd922ffbded63e67a7bf98b9f6d9116529aff2000000055b52e85b16dfaef9f85d182394b0d5029ddf562be1eec8a58442bb649e713e3400000003bc2c9a90ebdc366fb766c347f0786cbeea92c8dd325090076690e3583f4b6a30bb66246fceed86c6528d87df8326e6d1e38aa940683957dca5d2f742aa3a2bf	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4528	iexplore.exe
4528	iexplore.exe
4528	iexplore.exe
3452	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4528	iexplore.exe
4528	iexplore.exe
4520	IEXPLORE.EXE
4520	IEXPLORE.EXE
4528	iexplore.exe
4528	iexplore.exe
212	IEXPLORE.EXE
212	IEXPLORE.EXE
4528	iexplore.exe
4528	iexplore.exe
4236	IEXPLORE.EXE
4236	IEXPLORE.EXE
3452	iexplore.exe
3452	iexplore.exe
4816	IEXPLORE.EXE
4816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4520	4528	iexplore.exe	87
PID 4528 wrote to memory of 4520	4528	iexplore.exe	87
PID 4528 wrote to memory of 4520	4528	iexplore.exe	87
PID 4528 wrote to memory of 212	4528	iexplore.exe	90
PID 4528 wrote to memory of 212	4528	iexplore.exe	90
PID 4528 wrote to memory of 212	4528	iexplore.exe	90
PID 4528 wrote to memory of 4236	4528	iexplore.exe	91
PID 4528 wrote to memory of 4236	4528	iexplore.exe	91
PID 4528 wrote to memory of 4236	4528	iexplore.exe	91
PID 3452 wrote to memory of 4816	3452	iexplore.exe	99
PID 3452 wrote to memory of 4816	3452	iexplore.exe	99
PID 3452 wrote to memory of 4816	3452	iexplore.exe	99

C:\Users\Admin\AppData\Local\Temp\2b4a1e90e4b691cd320e26cbf167c987a72dd8df3fc4260873c92b0f3ffb2d43.exe
"C:\Users\Admin\AppData\Local\Temp\2b4a1e90e4b691cd320e26cbf167c987a72dd8df3fc4260873c92b0f3ffb2d43.exe"
1⤵
PID:2532

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4456

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4528 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4520
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4528 CREDAT:82950 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:212
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4528 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3452 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0c86bf02fe6962a29a4874c45505cfc1

SHA1
3f4a2d3c0d936af0c3b4b19f3ff7327d8b011a41

SHA256
ed234e2f9d2e12aedc0930860a169129ee0256f5710be997efbf11bce7409626

SHA512
caff37c0d8fd2f841a108a37cd752ae426f1c9e7958b901a7ab67b70be4c327f38b288156e52493688c7e67432d0b98bf95b1a0be39e0abd79d3fe8e74487561

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
799c8d2de1ad351166318c0912176c4a

SHA1
800729bb215e4b818fbf77f6e7d6e2e1e07488bb

SHA256
1a52b687ffa5d4e90a0b78eaf8bf9040070d40dc15fe0bb11c7fe083a9690271

SHA512
44a1cce3902081f71af974f4a6dd0b4f9f778df31421990d798c95ba7c33b58690ca4241a2781c22ceaef574a80bdf90b9cea98d11b2f2633fb6797de8a69e49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
1c8c8c72a5a8eedfded147080d0a3e84

SHA1
c4e7ac8481f35bb88f28752e413a97ddc09d7e87

SHA256
bae90514bda73e38dd4fe963670d7a5a0e7e18231e275770e5f70de80b0327a3

SHA512
ec1114b9cea1ab5486cef0be119de86123096ff2bf20f4e311a3feb24ee1be954ea2ff4a5ddfcade7679d04a7e7179381016125eb4e6a67f1bff973f28203e93

Download Submit
memory/2532-130-0x00000000021C0000-0x00000000021E8000-memory.dmp

Filesize
160KB

Download
memory/2532-131-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2532-132-0x0000000002220000-0x0000000002236000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads