gozi | 67a78fbceb3ffbc36f3ac88c04f7a2c1cbaff236ae09a1dbbdbb547b54b5c8a5

General

Target

67a78fbceb3ffbc36f3ac88c04f7a2c1cbaff236ae09a1dbbdbb547b54b5c8a5.exe
Size

461KB
MD5

7a258790fc13ff0e818cacc79a24087a
SHA1

f389d76bd08ba87f77642f1c04ad089a860d64c0
SHA256

67a78fbceb3ffbc36f3ac88c04f7a2c1cbaff236ae09a1dbbdbb547b54b5c8a5
SHA512

3c49548dd44ccc1c0a79ce0e0d99de29039d299ed094d21840bcac574a1764ac6f69e4238ab2ed6f00049d41f80f3a3d34fcc16acc6508b3f8565fe1c59496e1
SSDEEP

6144:otEtEtEtEtEtEtEtEtEtEt9WO2gUXdCpnZavQqf:Ceeeeeeeeee9xwcaz

Score

10^/10

gozi 89820235 banker rm3 trojan

Malware Config

Extracted

Family

gozi

Attributes

build
300898
exe_type
loader

Extracted

Family

gozi

Botnet

89820235

C2

https://exeupay.xyz

Attributes

build
300898
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d3cf482e34d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6013ab212e34d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{85FBC28B-A021-11ED-89AC-CA2A13AD51D0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b6f55f8ac931f843aa48129363c91f6f00000000020000000000106600000001000020000000ad5c8d530852088ce04ed9c2b28925de9a3e1543788c2ef4eb242906501f2dd1000000000e8000000002000020000000aaf048e704c3b1c319c22d82cc268fb52cc1d3e1e74a8820b734875ca5587dde2000000067d0c3b133599e819a8513329729d3c6b1e53ddf4916bfa38759d959ccc40a8b400000003a57944e12b9c270d915c24410eb3c51cc3f78a033b538c6fe7ec84315aa704a2b9181f2523f1d47445732c745cfe8854e3aa9d8826dee90a30c2a195fb22247	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b6f55f8ac931f843aa48129363c91f6f000000000200000000001066000000010000200000005cd0c7c80de16a2cccb2f57d8dc90e4bea80196fe51e3de264b0f2412bc111b4000000000e8000000002000020000000ca9d659c09e2217f1c71e096cb9c2295628b11af63ab597955daac6ff0b618412000000069e857e5333fa020689ec428ba4684ccc59fb050a697a5f467d5d683ee281d9d4000000093503017f7dbd6b8ceb3b4cda5659acf26cd6d3f29ab1aab4af16987684016e57aad8c4bea31802b4ef2aa0c5131dd77ed92b2cc75a7fd9dd4049a60c67c7f54	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b6f55f8ac931f843aa48129363c91f6f000000000200000000001066000000010000200000009927e9487b3ebfd3a63c206f5b24329cc8ff1d0f9bbd4d53980c7729b23d4d80000000000e80000000020000200000009a16ae8be1e8e2631b9bb119b9fbc69dd9a040b2c75014ddaa4cd3114ce2a7cd2000000041d3883908ab0ef55bc571be5f4a35d5fa64563989fd2b0c44c589a4faba818540000000b76d3f7e80451001ad4dc5ccb51892949c2398b52a4b6996c96210e56a269c1e7999310d6a39dfd7dc70329ed4a2135ed9994307699b91a64a3657000c6248cf	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b6f55f8ac931f843aa48129363c91f6f00000000020000000000106600000001000020000000a6438a6939ddfc77e4eaaa0bdcc9b5e48230d92735dda5f026c0d7cba4356026000000000e800000000200002000000061d914665044b46162280ee5d6aaa20dcf06ea6af0a336ee53d9d1eaa921be6a20000000c978a2034a69d47efcf7e21428166271bad2538b9f5cab73aaac626ced86f876400000007caef0c3f20dcbaa2939ebbcc33c71653326fda181aa84d06d6bb89915be0c0cc5a5cdbd928a9a26cae714ac197bd1485003563508c1377199515e34a491b315	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6BC446B4-A021-11ED-89AC-CA2A13AD51D0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f5952e2e34d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4A33AB1D-A021-11ED-89AC-CA2A13AD51D0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30c7ad0e2e34d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{92E1DB37-A021-11ED-89AC-CA2A13AD51D0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a3a7552e34d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7915A89A-A021-11ED-89AC-CA2A13AD51D0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2264 iexplore.exe
2264 iexplore.exe
4676 iexplore.exe
3876 iexplore.exe
3976 iexplore.exe
996 iexplore.exe
1380 iexplore.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
2264	iexplore.exe
2264	iexplore.exe
5088	IEXPLORE.EXE
5088	IEXPLORE.EXE
2264	iexplore.exe
2264	iexplore.exe
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
4676	iexplore.exe
4676	iexplore.exe
4600	IEXPLORE.EXE
4600	IEXPLORE.EXE
3876	iexplore.exe
3876	iexplore.exe
3580	IEXPLORE.EXE
3580	IEXPLORE.EXE
3976	iexplore.exe
3976	iexplore.exe
3600	IEXPLORE.EXE
3600	IEXPLORE.EXE
996	iexplore.exe
996	iexplore.exe
4964	IEXPLORE.EXE
4964	IEXPLORE.EXE
1380	iexplore.exe
1380	iexplore.exe
4968	IEXPLORE.EXE
4968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2264 wrote to memory of 5088	2264	iexplore.exe	IEXPLORE.EXE
PID 2264 wrote to memory of 5088	2264	iexplore.exe	IEXPLORE.EXE
PID 2264 wrote to memory of 5088	2264	iexplore.exe	IEXPLORE.EXE
PID 2264 wrote to memory of 2116	2264	iexplore.exe	IEXPLORE.EXE
PID 2264 wrote to memory of 2116	2264	iexplore.exe	IEXPLORE.EXE
PID 2264 wrote to memory of 2116	2264	iexplore.exe	IEXPLORE.EXE
PID 4676 wrote to memory of 4600	4676	iexplore.exe	IEXPLORE.EXE
PID 4676 wrote to memory of 4600	4676	iexplore.exe	IEXPLORE.EXE
PID 4676 wrote to memory of 4600	4676	iexplore.exe	IEXPLORE.EXE
PID 3876 wrote to memory of 3580	3876	iexplore.exe	IEXPLORE.EXE
PID 3876 wrote to memory of 3580	3876	iexplore.exe	IEXPLORE.EXE
PID 3876 wrote to memory of 3580	3876	iexplore.exe	IEXPLORE.EXE
PID 3976 wrote to memory of 3600	3976	iexplore.exe	IEXPLORE.EXE
PID 3976 wrote to memory of 3600	3976	iexplore.exe	IEXPLORE.EXE
PID 3976 wrote to memory of 3600	3976	iexplore.exe	IEXPLORE.EXE
PID 996 wrote to memory of 4964	996	iexplore.exe	IEXPLORE.EXE
PID 996 wrote to memory of 4964	996	iexplore.exe	IEXPLORE.EXE
PID 996 wrote to memory of 4964	996	iexplore.exe	IEXPLORE.EXE
PID 1380 wrote to memory of 4968	1380	iexplore.exe	IEXPLORE.EXE
PID 1380 wrote to memory of 4968	1380	iexplore.exe	IEXPLORE.EXE
PID 1380 wrote to memory of 4968	1380	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\67a78fbceb3ffbc36f3ac88c04f7a2c1cbaff236ae09a1dbbdbb547b54b5c8a5.exe
"C:\Users\Admin\AppData\Local\Temp\67a78fbceb3ffbc36f3ac88c04f7a2c1cbaff236ae09a1dbbdbb547b54b5c8a5.exe"
1⤵
PID:3444

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:82950 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4676 CREDAT:17410 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3876 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3976

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3976 CREDAT:17410 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:3600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1380 CREDAT:17410 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3444-132-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/3444-138-0x0000000000540000-0x0000000000568000-memory.dmp

Filesize
160KB

Download
memory/3444-139-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads