gozi_rm3 | 623ddfe785d084b34e5a6ba94baa36fb52c3b8912d33ee6a773d466b1ea45f7c

General

Target

623ddfe785d084b34e5a6ba94baa36fb52c3b8912d33ee6a773d466b1ea45f7c.exe
Size

908KB
MD5

7c02a762c6be14557723c0c74877b5e0
SHA1

f809fae86857f4fc4a2cc0ed5da6f62bf57a2fb7
SHA256

623ddfe785d084b34e5a6ba94baa36fb52c3b8912d33ee6a773d466b1ea45f7c
SHA512

a2811d049c46f6401b5b43d6ef98defff51382be9d6d8d60ad3401df26e1fb9102e87da30218c290a830f9613b8ef91ec8c2783bee1196cd99a3b8b812548a5e

Score

10^/10

gozi_rm3 202004141 banker trojan

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "487536628"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30961625"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{46E0AE5F-DBCC-11EC-B274-F2EB97E7861D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff00000000002000000000010660000000100002000000073203a7b23a6569e0a0d7eb42d5c95e498e4db432b8a1793eb3158e230527b5d000000000e8000000002000020000000e8076026734414c2225a5df77c1e749a00bfca17778b116ce5e87c15869b0bd9200000001086abf7d622ce6be0a242aecc16e3eae340de8ea4b1aca16dd349f6d7e0342a4000000040943f0b938e694fcef9a341aeadfee23da0a7bc7fa816aee98717ba6609090f4db2c4bd3688453d344f274cd53a4967e55d16d23b91561360058cf9ebe1b2b2	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000f85ec38ec886f9d9f214a0b028566ce629853d1fce8a49aca40a26f3a50d3aed000000000e80000000020000200000000c5ddd329b4749bb3302b7c38ca5a070398d83f8fc72d6e904f0cd70a531241320000000d169223b598bef87f81ddce400f4ffbb0bcc8e35acdffd0b46043f35d09b00174000000082c55e5eaee2996fc1290f459e2d43d050160d627e73fd9bdb773ba270de19646dbb5e73ecd4a26d31259573f256c2fdae90e59767d653775fc71fff3cd7d4b0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30961625"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a086471ed96fd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "487536628"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{795D5AA2-DBCC-11EC-B274-F2EB97E7861D} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000480b697cf2ff2a63dd1b4cab43eb64c9b9605961c9cd19d0c22cb3082e9e8744000000000e8000000002000020000000ff663ff78713654020bd71cbbf801ea7a38853917ab00df15bb66a9f6e82e524200000007ce19000e373523c43f953c8d007b833d631cac75c0e4c1dd31f125049364fb6400000005c052e530e3cac5c0bdad76c7bc7abc8af8ecd6b65bb598a408c0d4640db9f17b97b7ee3e7894faad12b96b142f0df9926bb41077fc2cf8b651cfeedb87ea7af	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{86306047-DBCC-11EC-B274-F2EB97E7861D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ee6e4ad96fd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e047442fd96fd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a009103cd96fd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de0a1e983134cf4e883f258c38579ff000000000020000000000106600000001000020000000e00fb993ee6b697ada757413c8d193f6a4d5504194f4e7d779007d6e86ccb66a000000000e8000000002000020000000ef8e7c09560ed0d1867ace3202a21a0d2fd41a7899a7cd53a1d85210588e797b200000004c2c9793e475314b876e2b19eb31ed47e8f9417e8d2985b8443d4c536ca6b4f240000000aee32bb7992076c9cb8fff4f8330546dc77f4b7dd2f3aede80ca80e273cd450603c30b1d8d9fcf814d468d1c40d9ed024a8f99906ab33cf635b35af185ff9b4b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

4516 iexplore.exe
4516 iexplore.exe
1604 iexplore.exe
2156 iexplore.exe
5080 iexplore.exe
2220 iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
4516	iexplore.exe
4516	iexplore.exe
4720	IEXPLORE.EXE
4720	IEXPLORE.EXE
4516	iexplore.exe
4516	iexplore.exe
3668	IEXPLORE.EXE
3668	IEXPLORE.EXE
1604	iexplore.exe
1604	iexplore.exe
1324	IEXPLORE.EXE
1324	IEXPLORE.EXE
2156	iexplore.exe
2156	iexplore.exe
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
5080	iexplore.exe
5080	iexplore.exe
904	IEXPLORE.EXE
904	IEXPLORE.EXE
2220	iexplore.exe
2220	iexplore.exe
2548	IEXPLORE.EXE
2548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4516 wrote to memory of 4720	4516	iexplore.exe	IEXPLORE.EXE
PID 4516 wrote to memory of 4720	4516	iexplore.exe	IEXPLORE.EXE
PID 4516 wrote to memory of 4720	4516	iexplore.exe	IEXPLORE.EXE
PID 4516 wrote to memory of 3668	4516	iexplore.exe	IEXPLORE.EXE
PID 4516 wrote to memory of 3668	4516	iexplore.exe	IEXPLORE.EXE
PID 4516 wrote to memory of 3668	4516	iexplore.exe	IEXPLORE.EXE
PID 1604 wrote to memory of 1324	1604	iexplore.exe	IEXPLORE.EXE
PID 1604 wrote to memory of 1324	1604	iexplore.exe	IEXPLORE.EXE
PID 1604 wrote to memory of 1324	1604	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 2820	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 2820	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 2820	2156	iexplore.exe	IEXPLORE.EXE
PID 5080 wrote to memory of 904	5080	iexplore.exe	IEXPLORE.EXE
PID 5080 wrote to memory of 904	5080	iexplore.exe	IEXPLORE.EXE
PID 5080 wrote to memory of 904	5080	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 2548	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 2548	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 2548	2220	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\623ddfe785d084b34e5a6ba94baa36fb52c3b8912d33ee6a773d466b1ea45f7c.exe
"C:\Users\Admin\AppData\Local\Temp\623ddfe785d084b34e5a6ba94baa36fb52c3b8912d33ee6a773d466b1ea45f7c.exe"
1⤵
PID:4416

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4516

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4516 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4516 CREDAT:82952 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:3668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1604 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:17410 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5080

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5080 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4416-130-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/4416-131-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4416-132-0x00000000007A0000-0x00000000007B1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads