gozi_rm3 | 67d0374ccba4a4a176332496433359a3ba3a80cd5879c346776e4afdeed68bbe

Analysis

max time kernel
173s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20/05/2022, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67d0374ccba4a4a176332496433359a3ba3a80cd5879c346776e4afdeed68bbe.exe
Size

618KB
MD5

156067704a567f44a3bdeac98db99e69
SHA1

2167556a853480a6cccdb066dba8c7f453ed2100
SHA256

67d0374ccba4a4a176332496433359a3ba3a80cd5879c346776e4afdeed68bbe
SHA512

495592630ae1adfc905e4ad00a67b7f11de1e2a13636239297aaceb83b859ea576b1fd32659cad781371906983b049760284f84fc4d94de736f0add7611f9df8

Score

10^/10

gozi_rm3 90020242 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300900

Extracted

Family

gozi_rm3

Botnet

90020242

https://vrhgroups.xyz

Attributes

build
300900
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff0000000000200000000001066000000010000200000002e2e8788087bbe0e8484fe60acca6be940b83a5af2cd0a71cab0f125b0971ba3000000000e8000000002000020000000e2697702fdf7063591c61d49adbd280433bce07248c1f3e2a40af2c3036b332e20000000b7856531e84c5a9020a4bac739fb081c11162ff4733d6c0ee2087f1f152315ea40000000def86bccc31205d22c5b992b48d3b1287878794a152df7fb09b070c99a07261a49040a006e1bf7c2dad5fd8181630d0e87ddfc087f7cbf7f3b5b9fc2d02b3618	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001e0f8eb76cd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000f823a2785d387838b1a2ddf1ae5eea478376c30bd2226726684760caf110d446000000000e8000000002000020000000dee986b3a99fee8d4e96f367e27c3ef741a3038e0a9cf633ac451acb395287c9200000003794bc1cc6cc328e248513c5ea18581e22182b4d61f8d05c04b21d8564d3693b400000009555f4ddd0710e3f221902219f67da6603fc4acc8ff7316bf481fd3a17f63d39c1859704272ffafce6c128eecc5cc208e0e3745f8a0896b0abfb0c051be5949a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AE6CC41D-D8AA-11EC-B274-FA63415F8E77} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000906f7d62d21f5ccf5d9e4ce7181bba8af9eeeccdc1c5206b91265f64601b3390000000000e8000000002000020000000659082a92cca841b0550017f3529634c59f5e31a177c179234cbac0b6114e2182000000001870ff0dde751ff7357d7fadb5525cf693e392e450747a5ea693285edf0044940000000c4dad2a2e1b40042bf06213c83876907e37200b8e8663639fe23c15ab70476c845dbc664ced7d07ea12b70e2e748203ad5c7036920ec5cca0429ed377761881c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000b0c38ea485c55004d4fcfdad9d03f3359b5fbee75e0152b30f23b663368263b3000000000e8000000002000020000000722f9acedb4f1e75c718a6cf2a8ad9650b6f7408b7fbd3650a393a4574d6ef0f20000000cedd5e9f13eb3bd1ba4d7a66c6e12afe7861cf2faf2a6d7950025111a513a661400000002e6e46d8c6eff7eb1a16b01b574e3879c3e2476a5f19c2683094bd374f2293ea864cebf83c79a9341018324797e7bec65fe0341f98b569a2012ec1dda5fd3d84	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D03B5ACD-D8AA-11EC-B274-FA63415F8E77} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DE17092E-D8AA-11EC-B274-FA63415F8E77} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000d9b1e1ef16021083b378006995441ebd2e1cc0795fdd544c06c7a6cd12cadc6b000000000e800000000200002000000041d0244176efd8e716ff9248d43089f0451321b09d2c44c72b3bad25f5671c8720000000a964ba54c1a2bff4d64ed79ff6fc772c75e87fd7a8f1bcebd796223279b1e9c140000000cb10baa71187df7062b59d25419bfa0dee58ec8f825b99217eb65510e5a34ec1b104e6c2f41af3143ca8874fb135c8003e168c5c3ddb0842c963f5174993e9cd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0051fd99b76cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20feb3bbb76cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EB04481B-D8AA-11EC-B274-FA63415F8E77} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0035ddadb76cd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F1FE08EC-D8AA-11EC-B274-FA63415F8E77} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F8F0A3BB-D8AA-11EC-B274-FA63415F8E77} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8036d2b4b76cd801	iexplore.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4996	iexplore.exe
344	iexplore.exe
2632	iexplore.exe
4992	iexplore.exe
4976	iexplore.exe
3892	iexplore.exe
1832	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
4996	iexplore.exe
4996	iexplore.exe
3848	IEXPLORE.EXE
3848	IEXPLORE.EXE
344	iexplore.exe
344	iexplore.exe
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
2632	iexplore.exe
2632	iexplore.exe
4908	IEXPLORE.EXE
4908	IEXPLORE.EXE
4992	iexplore.exe
4992	iexplore.exe
1240	IEXPLORE.EXE
1240	IEXPLORE.EXE
4976	iexplore.exe
4976	iexplore.exe
3568	IEXPLORE.EXE
3568	IEXPLORE.EXE
3892	iexplore.exe
3892	iexplore.exe
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1832	iexplore.exe
1832	iexplore.exe
4440	IEXPLORE.EXE
4440	IEXPLORE.EXE
1832	iexplore.exe
1832	iexplore.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3848	4996	iexplore.exe	81
PID 4996 wrote to memory of 3848	4996	iexplore.exe	81
PID 4996 wrote to memory of 3848	4996	iexplore.exe	81
PID 344 wrote to memory of 1880	344	iexplore.exe	85
PID 344 wrote to memory of 1880	344	iexplore.exe	85
PID 344 wrote to memory of 1880	344	iexplore.exe	85
PID 2632 wrote to memory of 4908	2632	iexplore.exe	90
PID 2632 wrote to memory of 4908	2632	iexplore.exe	90
PID 2632 wrote to memory of 4908	2632	iexplore.exe	90
PID 4992 wrote to memory of 1240	4992	iexplore.exe	92
PID 4992 wrote to memory of 1240	4992	iexplore.exe	92
PID 4992 wrote to memory of 1240	4992	iexplore.exe	92
PID 4976 wrote to memory of 3568	4976	iexplore.exe	97
PID 4976 wrote to memory of 3568	4976	iexplore.exe	97
PID 4976 wrote to memory of 3568	4976	iexplore.exe	97
PID 3892 wrote to memory of 1264	3892	iexplore.exe	99
PID 3892 wrote to memory of 1264	3892	iexplore.exe	99
PID 3892 wrote to memory of 1264	3892	iexplore.exe	99
PID 1832 wrote to memory of 4440	1832	iexplore.exe	101
PID 1832 wrote to memory of 4440	1832	iexplore.exe	101
PID 1832 wrote to memory of 4440	1832	iexplore.exe	101
PID 1832 wrote to memory of 3196	1832	iexplore.exe	102
PID 1832 wrote to memory of 3196	1832	iexplore.exe	102
PID 1832 wrote to memory of 3196	1832	iexplore.exe	102

C:\Users\Admin\AppData\Local\Temp\67d0374ccba4a4a176332496433359a3ba3a80cd5879c346776e4afdeed68bbe.exe
"C:\Users\Admin\AppData\Local\Temp\67d0374ccba4a4a176332496433359a3ba3a80cd5879c346776e4afdeed68bbe.exe"
1⤵
PID:2668

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4996 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:344
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:344 CREDAT:17410 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:17410 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4992 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4976 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3892 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1264

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:17410 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4440
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1832 CREDAT:17416 /prefetch:2
  2⤵
  PID:3196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-130-0x00000000021D0000-0x00000000021F8000-memory.dmp

Filesize
160KB

Download
memory/2668-131-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2668-132-0x0000000002230000-0x0000000002246000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads