Behavioral Report

max time kernel143s
max time network146s
platformwindows7_x64
resourcewin7-20220414-en
submitted21-05-2022 00:19

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

3ee9471ac58b08b6bf94434c852c9beb714fc9528671e9f0e844c51199a32384.exe

Filesize

908KB

Completed

21-05-2022 00:33

Task

behavioral1

Score

10^/10

MD5

c4afbd6e19c17dbbc1c73898c3595562

SHA1

2fcb0502909895b07017a03f50a57b6530e9a294

SHA256

3ee9471ac58b08b6bf94434c852c9beb714fc9528671e9f0e844c51199a32384

SHA512

30bab75ef8a03a41ec8f5820a54d14fef323fa0bf1a2368e08af8765826531cbe5fc7b8aee7063de930214e4157b483ae0ae0762565482481e24f75a572a695b

gozi_rm3 202004141 banker trojan

Extracted

Family	gozi_rm3
Attributes	build 300854

Extracted

Family	gozi_rm3
Botnet	202004141
C2	https://devicelease.xyz https://devicelease.xyz
Attributes	build 300854 dga_base_url constitution.org/usdeclar.txt dga_crc 0x4eb7d2ca dga_season 10 dga_tlds com ru org exe_type loader server_id 12 url_path index.htm
rsa_pubkey.plain
serpent.plain

Defense Evasion

Gozi RM3

Description

A heavily modified version of Gozi using RM3 loader.

Tags

banker trojan gozi_rm3

Modifies Internet Explorer settings

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

TTPs

Modify Registry

Reported IOCs

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b3df36aa6cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000ba6b94d7a3e1236085321e093380ff6debdbb8d115f702788259060f9e5625c5000000000e8000000002000020000000fa989cb49bb68b36c229f40843d491bd75bbd5a4de4417447a4ab7d99410af8f20000000aeaeb0b880fff0e48c6d7f44cc6608cbe3504b320d311ebceb084606c5be0aec400000001df441e0d4edd45e9e3b8a7be9942aef5439142ac898450e19d208132ea6cc39450738a4817c738040069fa5db32065369617d9efb1fa910a6af97c3c5f4bd4f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000fd3a46e1499b8ff43ccd3bfc5b6d8151fd3c2afeb3ae03906af35da4cecc5375000000000e8000000002000020000000acb1a71585f00147bec397f17e6fa1dcfecb71196533090a76073df9b82785ec900000009be17df548733f837da74fd8ec685fe6c65b7e584aed6b930e51b896dda81ca11b32ec5ad2a9e715aebbae3bd082785ec0f08e038041043bd0ca0c14413f90d52d37632e1157b7ef28ba86e5aa8204e870b9fd78a0ef929f748ae365027219dd11ddc49413382084146ebf9bc220a83ffece74c083d8fd99b5ce0c0fd5653f3a3d81e6a5d4500a199e9f6c35890b64814000000008caf16ca78ce356b9f750a0e597aa79e18bab561f995bb9ac6ca45110fac9b3dc3ed390090268a46277a4fba35bff3e31fff44b2fef7e909d94b855a66515ff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84D918C1-D89D-11EC-96D0-66E616BC8074} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow
iexplore.exeiexplore.exeiexplore.exe

Reported IOCs

pid process

1136 iexplore.exe
1136 iexplore.exe
1840 iexplore.exe
1536 iexplore.exe

Suspicious use of SetWindowsHookEx

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

Reported IOCs

pid	process
1136	iexplore.exe
1136	iexplore.exe
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
1136	iexplore.exe
1136	iexplore.exe
304	IEXPLORE.EXE
304	IEXPLORE.EXE
1840	iexplore.exe
1840	iexplore.exe
1824	IEXPLORE.EXE
1824	IEXPLORE.EXE
1536	iexplore.exe
1536	iexplore.exe
1448	IEXPLORE.EXE
1448	IEXPLORE.EXE

Suspicious use of WriteProcessMemory

iexplore.exeiexplore.exeiexplore.exe

Reported IOCs

description	pid	process	target process
PID 1136 wrote to memory of 1632	1136	iexplore.exe	IEXPLORE.EXE
PID 1136 wrote to memory of 1632	1136	iexplore.exe	IEXPLORE.EXE
PID 1136 wrote to memory of 1632	1136	iexplore.exe	IEXPLORE.EXE
PID 1136 wrote to memory of 1632	1136	iexplore.exe	IEXPLORE.EXE
PID 1136 wrote to memory of 304	1136	iexplore.exe	IEXPLORE.EXE
PID 1136 wrote to memory of 304	1136	iexplore.exe	IEXPLORE.EXE
PID 1136 wrote to memory of 304	1136	iexplore.exe	IEXPLORE.EXE
PID 1136 wrote to memory of 304	1136	iexplore.exe	IEXPLORE.EXE
PID 1840 wrote to memory of 1824	1840	iexplore.exe	IEXPLORE.EXE
PID 1840 wrote to memory of 1824	1840	iexplore.exe	IEXPLORE.EXE
PID 1840 wrote to memory of 1824	1840	iexplore.exe	IEXPLORE.EXE
PID 1840 wrote to memory of 1824	1840	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1448	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1448	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1448	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1448	1536	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3ee9471ac58b08b6bf94434c852c9beb714fc9528671e9f0e844c51199a32384.exe

"C:\Users\Admin\AppData\Local\Temp\3ee9471ac58b08b6bf94434c852c9beb714fc9528671e9f0e844c51199a32384.exe"

PID:1932

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1136

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1136 CREDAT:275457 /prefetch:2

Suspicious use of SetWindowsHookEx

PID:1632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1136 CREDAT:275468 /prefetch:2

Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx

PID:304

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:275457 /prefetch:2

Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx

PID:1824

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1536

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:2

Suspicious use of SetWindowsHookEx

PID:1448

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/1932-54-0x00000000762C1000-0x00000000762C3000-memory.dmp

Download
memory/1932-55-0x0000000000220000-0x000000000022C000-memory.dmp

Download
memory/1932-56-0x0000000000400000-0x00000000004E5000-memory.dmp

Download
memory/1932-57-0x0000000000240000-0x0000000000251000-memory.dmp

Download

Extracted

Extracted

Filter: none

Description

Tags

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title