gozi_rm3 | 05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29

Analysis

max time kernel
152s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
Size

890KB
MD5

6c8cb4b72384977bad413dee3bc30d66
SHA1

83d0110ea6ee7ef084930cd09651d2ac6cdf0cf8
SHA256

05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29
SHA512

eb8ef5638f0d35130a801bf46f45d38bfbb339c86e64b45dfa767b210744e3b78f6c819f489ee711baff20147fb48a4ba227b86e8dbcb0d4d50832baab4be7ef
SSDEEP

24576:Ria6ZRQk/vMSfj36oi7pMyb5/JeWsxF3B840Ef:RGI7pM458DFp0

Score

10^/10

gozi_rm3 banker evasion persistence trojan

Malware Config

Signatures

Gozi RM3
A heavily modified version of Gozi using RM3 loader.
banker trojan gozi_rm3

Executes dropped EXE 3 IoCs

pid	Process
276	mscorsvw.exe
1988	mscorsvw.exe
596	OSE.EXE

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3845472200-3839195424-595303356-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3845472200-3839195424-595303356-1000\EnableNotifications = "0"	OSE.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Clownfish	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File created	\??\c:\windows\SysWOW64\svchost.vir	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	OSE.EXE

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "55"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "171"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "171"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "139"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "171"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\doubleclick.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000a88b4b9af68c7c9cf03c346a13c67c13e07455ebc702954e6b3f840bc264478f000000000e8000000002000020000000b30ba09a8ce7b184b54a8d0bcec5a47f2e7e78624102dcc589823221e7f551b320000000368cbdbe72980a72e4240f4cf784b20d955995450d836b0519b2958f5af766ce400000009e8dc569d28fe4af21fc6649237d5646490b8660c05f44dbef156e7a3b13b7390ecc4d9e83157eee28bd2f30936fdbc5d1bc579c5152030f38e80e1eb3ce7406	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C2752F01-422B-11ED-A50E-C6457FCBF3CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "55"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "29"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\doubleclick.net	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\Total = "55"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com\ = "139"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000f9510a1e9e55844275ab890c5d66666b88a5047da0f715718af4224c85175aa1000000000e80000000020000200000005f995c949e23d1603b2eafc618f2ed1ccd9530a43c799f168e69bb436e1df0509000000026fc54a68609b8d9477b5e2fef74a8c0bb15b8b73d910e7fec0ca4b431140ac94b1a5bf520fdbce9a4089482f3aa390bc9aa90e6d631ed011a47e779eace5f388bd03ae4b15025dc8218464749a0581423116a99671745d3921b38c75a0b8419d66631980e791b56f371242349e919e6d972234c6be0490c781f7930e20fc2beb290e6c00bbf92537cf8b7f149d08b7d400000002523e56ace5e116941d3880cfb3c1c03571fbd802e19f3234cda745f859c9059c4054202f609ebf5b3d1fd692844a10c876a6b1359e2bef629af47c6d20f1964	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371464098"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\clownfish-translator.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "139"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d758c038d6d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: 33	1520	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1520	AUDIODG.EXE
Token: 33	1520	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1520	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	908	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
Token: SeRestorePrivilege	1144	msiexec.exe
Token: SeTakeOwnershipPrivilege	1144	msiexec.exe
Token: SeSecurityPrivilege	1144	msiexec.exe
Token: SeTakeOwnershipPrivilege	596	OSE.EXE
Token: SeManageVolumePrivilege	676	SearchIndexer.exe
Token: 33	676	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	676	SearchIndexer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
908	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
1828	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
908	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1828	iexplore.exe
1828	iexplore.exe
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1704	SearchProtocolHost.exe
1704	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1828	908	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe	29
PID 908 wrote to memory of 1828	908	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe	29
PID 908 wrote to memory of 1828	908	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe	29
PID 908 wrote to memory of 1828	908	05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe	29
PID 1828 wrote to memory of 1760	1828	iexplore.exe	31
PID 1828 wrote to memory of 1760	1828	iexplore.exe	31
PID 1828 wrote to memory of 1760	1828	iexplore.exe	31
PID 1828 wrote to memory of 1760	1828	iexplore.exe	31
PID 676 wrote to memory of 1704	676	SearchIndexer.exe	38
PID 676 wrote to memory of 1704	676	SearchIndexer.exe	38
PID 676 wrote to memory of 1704	676	SearchIndexer.exe	38
PID 676 wrote to memory of 1544	676	SearchIndexer.exe	39
PID 676 wrote to memory of 1544	676	SearchIndexer.exe	39
PID 676 wrote to memory of 1544	676	SearchIndexer.exe	39

C:\Users\Admin\AppData\Local\Temp\05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
"C:\Users\Admin\AppData\Local\Temp\05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:908
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://clownfish-translator.com/download.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1828 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1704
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
284KB

MD5
e38da67101f6875d1e6ea71b2f703b69

SHA1
f66f9b87805cbda4e59b3cb6df841e3f981c47c4

SHA256
f3e394216f6b282ca30ee018ec31af065755a8505f75411d371e138cd0b08fe1

SHA512
bf2e346f543868bb2286a5b4bd31452c9df159a74cae196f721aef6662640f60a8dedb096376f971a38cd14a5c3e99d07a0d9d3de1d54c32e5dbbb6392eeae63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ce796fcb1c3fc255f29999d077cc31a

SHA1
138388b9cc1366353b74ec80001e314d1cfd3430

SHA256
f2981a4abfdfaba96b169437d0f11e35a0c50de5c7ffbd3a3df50aa77d9978ea

SHA512
f3aaf56b6bfb3e1e3f1b960a58bba02d7861c8a562a9d559e4d8d13a35c412a8958608de63f054903531b5a08964fb933b8a0d41f56595e7c9ed1864d48ae9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
5KB

MD5
bb205d9296733c021dcdc248496eb47f

SHA1
f6200c094eefd46be43a63cb311548311ee8bdf4

SHA256
a1cb89abb382979b9605a9320fe9f5c5ed88560f829082d6b95c131396d9cd05

SHA512
eb72ab98b7fcac29b0ae92a890ec29ab33bd6943c28ab6f4b173fbf94a965e1cfc8245979d62d4c29445a380c3fb1f6f54c7fd106bfd3f0951011377109a20e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V8O92W9P.txt

Filesize
608B

MD5
da2c03ed0ae24f6da9a3d13c219899db

SHA1
095ac3d0c8a1d5d21c2d68a47fdf40666a1b35f5

SHA256
038fd51655ceef993ab89b47c8ab71032420f8fcdefcf8b1278a25019c55ac1c

SHA512
2e786caf85cba8aa47d9932af738a7658c904ff1b18851198c4bfac89caa909772b25aee0a844293997842ce6f8fbee3f4c887e32fc3593e7a9ae5437c5fc3c5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
74a779f491d3e638e34649217f233651

SHA1
3e2ef3107a57d9aea7be2b1e4a7dabfad503230b

SHA256
90dd6fad0b6a87c5c55e3d57d78f409f55643d783445030bad81422ca922f775

SHA512
47118a2f6ffaf40f0189f1f735bf70cb696976944e249cb8694b744a96bf8961a940558fac41f0bb3e8819bc4b55e8c72c6c912d67beb0913581deee66a28dad

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
74a779f491d3e638e34649217f233651

SHA1
3e2ef3107a57d9aea7be2b1e4a7dabfad503230b

SHA256
90dd6fad0b6a87c5c55e3d57d78f409f55643d783445030bad81422ca922f775

SHA512
47118a2f6ffaf40f0189f1f735bf70cb696976944e249cb8694b744a96bf8961a940558fac41f0bb3e8819bc4b55e8c72c6c912d67beb0913581deee66a28dad

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
ef5fa52e9f2e54874583f203ee0e7acf

SHA1
723cacc0884dac0a010af0659276e3c7eaf85dfe

SHA256
f6b5af2c1ea3ae9ecfad97f3f7ed063ee89c3cd99e2cf5c1b0d97f7eb20f4960

SHA512
4eb92672d3051d733a4b2b7fc834985cad49184012efee6d04cdcdaa9639e9aedb956494d25b1b783e75d9c5ada13403fab6f3f8bef803f36bc1358753a67052

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
164KB

MD5
9fe284bcb59b51b5e43c4540e275ecf1

SHA1
a6a2421d6935c0984873e0488edf4673f19a29c0

SHA256
91d23c21af253fa3bb1d5e1d5594163ef57dbf176307921177326389a82d7443

SHA512
04a1b6de2aed3f720e2842211e719ca2d11d8db6059855da1683defac822a76fa2011196c7ae5d9f675d093d8a923e703e8c921c52a4323671fd312de5c864ba

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
ef5fa52e9f2e54874583f203ee0e7acf

SHA1
723cacc0884dac0a010af0659276e3c7eaf85dfe

SHA256
f6b5af2c1ea3ae9ecfad97f3f7ed063ee89c3cd99e2cf5c1b0d97f7eb20f4960

SHA512
4eb92672d3051d733a4b2b7fc834985cad49184012efee6d04cdcdaa9639e9aedb956494d25b1b783e75d9c5ada13403fab6f3f8bef803f36bc1358753a67052

Download Submit
memory/276-60-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/276-58-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/596-66-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/596-72-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/676-90-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/676-74-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/676-106-0x0000000003E70000-0x0000000003E78000-memory.dmp

Filesize
32KB

Download
memory/676-109-0x0000000003E70000-0x0000000003E78000-memory.dmp

Filesize
32KB

Download
memory/676-110-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

Filesize
32KB

Download
memory/908-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/908-56-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/908-55-0x0000000000400000-0x0000000000607000-memory.dmp

Filesize
2.0MB

Download
memory/1144-64-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1988-62-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads