gozi_rm3 | 59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
Size

2.9MB
MD5

2686a3ff73287ad1f874a0a4c2470af5
SHA1

73542f96a0cc31e4cf5c7ae94366587a572a2ac3
SHA256

59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4
SHA512

c69ec47c273724c78839a4ace51e1b0ab1ddfd40eefece23a684328cecc3b9467c6f84b1aee864c326622f8937c81f87e05aed3df113eb070b77e201d3ef93f3

Score

10^/10

gozi_rm3 banker trojan

Malware Config

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\dl.web.de\ = "972"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1952"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\dl.web.de\ = "1100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\dl.web.de\ = "1952"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\Total = "1952"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\Total = "2038"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f00000000020000000000106600000001000020000000e0f592167613b8f91bb408cf3182b48fc2acd8857e9b60106b53f938bc6c43d0000000000e800000000200002000000087fee2495552fa66f1ef43d654a13d93a065f6d4b2919c51ac73fa420ac1eca990000000c073501657e3a4f5cae7df9ea2052c84887c331e1a3c268f61a349c3f01bdc67fabc92425eba9a9f30d85dcde2d2c733ca55aff4dc87d259089721f4a7e6a7cf57ca7643a6ec50dd862b6d6ddb0922913f37de5c306198ff731f8c72e28ab6d43d2d66e0a2f6ccdacae805d494b70ab0d93fafe1c593f7ff60398201a0359ee0dfa03451c3540a0bd1f7ad072152fb7e4000000061629dc9cb99325d54234b424f958d533c251d3353d67e8c5f3750ff5f81c04e27bca2fab62b6182ffeef2136cd7e85e831fccaf6ddc629c53ac3fa483cd7f73	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\dl.web.de\ = "1874"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\Total = "2923"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2923"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1053"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\dl.web.de\ = "2923"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = b032defc17a0d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\Total = "1874"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "2038"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1222"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\Total = "1222"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "365512763"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "972"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f07af11018a0d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\dl.web.de	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\Total = "1792"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A115771-0C0B-11ED-A5C8-6670F74F06AE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1792"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1874"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e528c10875d4b347a30c038b2e32007f0000000002000000000010660000000100002000000064853969f069a7800ae334c2804716ee0753348271d6f4082c3ad9ac0a7b18e8000000000e8000000002000020000000f95fe837450070b7a638589f9dba4d8c37493fbb1a9f8d5ee077e70d3aa4621e2000000003e46cd6dff4f280e63d23c8627aa60f3b14719e916e435ab440532a9733493540000000eb38491b50d454e3210c483abb1bdae6c3866c749e895e3d96dacd368faac30545005d6e2a316edfa97540205eec7ee8d526835bbb39f05a4d8edf932510816c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\dl.web.de\ = "1053"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\Total = "1053"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\dl.web.de\ = "1222"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\Total = "1100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\DOMStorage\web.de\Total = "972"	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
612	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
612	iexplore.exe
612	iexplore.exe
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 612	944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe	31
PID 944 wrote to memory of 612	944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe	31
PID 944 wrote to memory of 612	944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe	31
PID 944 wrote to memory of 612	944	59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe	31
PID 612 wrote to memory of 1936	612	iexplore.exe	32
PID 612 wrote to memory of 1936	612	iexplore.exe	32
PID 612 wrote to memory of 1936	612	iexplore.exe	32
PID 612 wrote to memory of 1936	612	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
"C:\Users\Admin\AppData\Local\Temp\59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe"
1⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
"C:\Users\Admin\AppData\Local\Temp\59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe" /SU
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:944
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" "http://go.web.de/os/win/ie_runonce"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:612 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C

Filesize
471B

MD5
3c0a2f4386177e910df9a2f5d623907f

SHA1
3853a6e7f1395fe0fbf07d315fe0e10aeebb50ab

SHA256
35d18a1c90ebc578afd6db020fecfe219ea5004252d634c7673c6d6d5776d93a

SHA512
be8ffa2d541afd895d1c6b72609a972adc9e8ad83f85b6f7667e9457446b98ae67d9fd2d2c37cfb92b6296edd6aa0995451d41dd90b251d7facc34a4cb871af4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
4a3c3027aa08384062e54171a017ea2f

SHA1
60af63617d5859416fe0de707250fb9661a528f8

SHA256
09fdbc021964a094a502ef251fd47548f4282e337ef01d536790756808e47c31

SHA512
4cf2925c2d3344a6791b41fef7536d27fe469ccd2d2d383c767407cb3acb0b4656d6df57240e8c65e640fc3ff322f751f65f19a0d11f10dbd0db2c72a5e0beac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
2e83fda2ebabec3ee2c39eff0e889a64

SHA1
c696f6072aeeac8a6976666b219a95bdcc798b9b

SHA256
020d397e1d9d8652f43aadfd421c7e3a1e3c373ea80ea38bbbd939d5242b0b9b

SHA512
259e34e23805db34126427f837ded3d7ac593eba88ddca38a4988b9c4967b9ae3e51a07727d98f557ce983e40d58b2dd23386de320540e6dab1a8bf132d73713

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C

Filesize
408B

MD5
f84f58a51fdb2e9722ae80e4dd95e213

SHA1
99207845bb78cef934ab9db3a0f5a0d87c268258

SHA256
df7caffcfd51260565b58ca2410df0c3c7d7d8fed84917a1ff1e59956ac8d6c9

SHA512
01dc9ff172147121a7ec783e9c0fa42b60ff698eb6cd721e9bd5ea807d7efe1245c6203476e8abad0b35f7a5c40d9b81b501acc8541ccbcb7f2279d23936bbfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lvx0ibj\imagestore.dat

Filesize
22KB

MD5
bccd8a16cc0fc59da41d0eeaa63f332c

SHA1
168055875edcf7b2a3f6e339f4feb174d9d2231d

SHA256
cf6f19f29ee5afc76501b2229b393abd6b884c53d0602c51521c0bcda5a3d13d

SHA512
351b4d96e209cb5f81669ee98718bc6f8c203d4ab7773d226f5e00084c4b0e4fc37c8934f200bc47efa0c979ec978a6f87a4e4a0a11e8588a8c01abe9ebaad92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8IO140UC.txt

Filesize
601B

MD5
4bfb7720b82d35adc5e15770cad20286

SHA1
71bf62d199d4c35a7c83438011cc244c57164203

SHA256
db5e2cd14e206a084d34b9f6208a9012fd2678dfded4bafa8c4d3ff60c245c34

SHA512
2da3346375d211e2ef7b299ef3c61f21df64ee16d7780372b6c92dffa9d76884a5bda3fc9bc4c0d9117ac57bdd963d50d76c12b24c4fa0a3a9f47dfe44e0939b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L23LKMHA.txt

Filesize
113B

MD5
20ba8ca1782495bfc7f990d421ff30e0

SHA1
4462c26e55a1a274af239d2282ac7f7333bea57a

SHA256
625080cdb21d37db4ab2480c24f7dbf221ec0ac55d8f4c0d7480aa9ef5dccb4d

SHA512
75ac4c8c343cf9a1015fa5ae8b487ee38e45d09223f99a0ef0ec83572e87fd1ba1d49121fc473c27441a60f5983f88e4b9284d0a251890d3756b4818060822d9

Download Submit
memory/892-54-0x00000000754C1000-0x00000000754C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads