Behavioral Report

max time kernel184s
max time network186s
platformwindows7_x64
resourcewin7-20220414-en
submitted20-05-2022 06:48

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

1dc5e8254eb6cc84c1d4a29a203394ca5a5f500f0de3a6145bfab6956f580f2b.exe

Filesize

908KB

Completed

20-05-2022 07:46

Task

behavioral1

Score

10^/10

MD5

96461a39c8fc2a60432164c0e9e666fa

SHA1

5f0bc7807d0dc35dc134d7a67213aafd45898e4f

SHA256

1dc5e8254eb6cc84c1d4a29a203394ca5a5f500f0de3a6145bfab6956f580f2b

SHA512

b322e7a4810e7be794b92305800a9a8b1ad834feaaffde931a674ab604c088285c1fe677c4f0ec97eae88e4447f2f2f56d178961b8b78145822f1f7276e231c7

gozi_rm3 202004141 banker trojan

Extracted

Family	gozi_rm3
Attributes	build 300854

Extracted

Family	gozi_rm3
Botnet	202004141
C2	https://devicelease.xyz https://devicelease.xyz
Attributes	build 300854 dga_base_url constitution.org/usdeclar.txt dga_crc 0x4eb7d2ca dga_season 10 dga_tlds com ru org exe_type loader server_id 12 url_path index.htm
rsa_pubkey.plain
serpent.plain

Defense Evasion

Gozi RM3

Description

A heavily modified version of Gozi using RM3 loader.

Tags

banker trojan gozi_rm3

Modifies Internet Explorer settings

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

TTPs

Modify Registry

Reported IOCs

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6CCA3BA1-D821-11EC-8873-66AE473A865F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd400000000020000000000106600000001000020000000e64bd8f4ff5b0868b0440166ec438dcd52e5c409124963540bbfbe5710bd8e79000000000e800000000200002000000061f33fc94a0a4e2612f6a62a44864796d76f10a1ee7a83e834ca7fc822b5a5019000000092824788eae9fa9548a34a027d42a94340657c01480aa8e90edc3a76752a504fb7c3830dcc086deaed453291882c8159c2897365a3ce947c8befb7a4500824dd9da21b14d869e586fd6a64f901aac72f41ebc2f56601d405f8e625f198ccadcbeda7eb599e33ae3818af62e24008da9628f87327df10b3f5ba2716749a9452747f8db37c4e0c1fb8b254560992960d1a40000000410d0741a625f0bfa315f614ceb4e857f442dc0146c093d6e2b4688feb4dbbb39f1a87fc641f01e6f0406e354f449426ba4dee3bd48f3148d7a3dc4067633a7a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f57f532e6cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE6D45C1-D821-11EC-8873-66AE473A865F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97BD2AC1-D821-11EC-8873-66AE473A865F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd4000000000200000000001066000000010000200000007409b067cc1882735282624b9d18f7d9b3afc71f6c7c18f5bb2b65857023d102000000000e800000000200002000000063fa2f5ff4534a9aa06ffbd074949755587434f5490279f28b68291b2a5c55ec20000000a3e011683c06d70ed0e48cf2a588a15e99458de4a2e75de2870d0370d5af2a3e400000000c73b7c19d3ca3499911cdba392f1befaf6716b6316bd9e204a084bf219294c99c05b814565aa267f005e85ff950044d2d8d34c3de0c24302c4c6df7289fe5ca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow
iexplore.exeiexplore.exeiexplore.exe

Reported IOCs

pid process

1008 iexplore.exe
1008 iexplore.exe
364 iexplore.exe
524 iexplore.exe

Suspicious use of SetWindowsHookEx

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

Reported IOCs

pid	process
1008	iexplore.exe
1008	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1008	iexplore.exe
1008	iexplore.exe
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
364	iexplore.exe
364	iexplore.exe
784	IEXPLORE.EXE
784	IEXPLORE.EXE
524	iexplore.exe
524	iexplore.exe
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory

iexplore.exeiexplore.exeiexplore.exe

Reported IOCs

description	pid	process	target process
PID 1008 wrote to memory of 1808	1008	iexplore.exe	IEXPLORE.EXE
PID 1008 wrote to memory of 1808	1008	iexplore.exe	IEXPLORE.EXE
PID 1008 wrote to memory of 1808	1008	iexplore.exe	IEXPLORE.EXE
PID 1008 wrote to memory of 1808	1008	iexplore.exe	IEXPLORE.EXE
PID 1008 wrote to memory of 1332	1008	iexplore.exe	IEXPLORE.EXE
PID 1008 wrote to memory of 1332	1008	iexplore.exe	IEXPLORE.EXE
PID 1008 wrote to memory of 1332	1008	iexplore.exe	IEXPLORE.EXE
PID 1008 wrote to memory of 1332	1008	iexplore.exe	IEXPLORE.EXE
PID 364 wrote to memory of 784	364	iexplore.exe	IEXPLORE.EXE
PID 364 wrote to memory of 784	364	iexplore.exe	IEXPLORE.EXE
PID 364 wrote to memory of 784	364	iexplore.exe	IEXPLORE.EXE
PID 364 wrote to memory of 784	364	iexplore.exe	IEXPLORE.EXE
PID 524 wrote to memory of 1588	524	iexplore.exe	IEXPLORE.EXE
PID 524 wrote to memory of 1588	524	iexplore.exe	IEXPLORE.EXE
PID 524 wrote to memory of 1588	524	iexplore.exe	IEXPLORE.EXE
PID 524 wrote to memory of 1588	524	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\1dc5e8254eb6cc84c1d4a29a203394ca5a5f500f0de3a6145bfab6956f580f2b.exe

"C:\Users\Admin\AppData\Local\Temp\1dc5e8254eb6cc84c1d4a29a203394ca5a5f500f0de3a6145bfab6956f580f2b.exe"

PID:912

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1008

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:275457 /prefetch:2

Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx

PID:1808

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:603141 /prefetch:2

Suspicious use of SetWindowsHookEx

PID:1332

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:364

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:364 CREDAT:275457 /prefetch:2

Suspicious use of SetWindowsHookEx

PID:784

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:524

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:524 CREDAT:275457 /prefetch:2

Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx

PID:1588

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/912-54-0x0000000075711000-0x0000000075713000-memory.dmp

Download
memory/912-55-0x0000000000230000-0x000000000023C000-memory.dmp

Download
memory/912-56-0x0000000000400000-0x00000000004E5000-memory.dmp

Download
memory/912-57-0x0000000000250000-0x0000000000261000-memory.dmp

Download

Extracted

Extracted

Filter: none

Description

Tags

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title