gozi | 0fdbe7bcafa2968e63429361502bd3a78fb4efe8d7e40421990b025aadd42f3a

General

Target

01b47c599033cc101df4762ea2c092f1_JaffaCakes118.exe
Size

203KB
MD5

01b47c599033cc101df4762ea2c092f1
SHA1

e488b358fa2137ef6acfe7676bca9ac292eefd3d
SHA256

0fdbe7bcafa2968e63429361502bd3a78fb4efe8d7e40421990b025aadd42f3a
SHA512

f5bccc2fd4b61b13dfc06803ebd8ddbee9e9359e99fccce9cb44b4774851f65127d9717180ac9d7fe366d635f82c39eaf447579150dec740d7991610591befbf
SSDEEP

3072:9gji2dQ6v4uPXDNUj4jKBonzmLXlYVRLh0epEEZqkFBc4+uTqN76o:96dp4uPZzGonqXGXh0bluBc4GZ5

Score

10^/10

gozi 3162 banker isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215165

Extracted

Family

gozi

Botnet

3162

C2

menehleibe.com

liemuteste.com

thulligend.com

Attributes

build
215165
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc47000000000200000000001066000000010000200000002637655ffc1e9cab76e02c5b00ec772d0bbb8474279b02cb091583fbaac4c10d000000000e8000000002000020000000f6763fb3b4bd51af4e1a9280e0ca021b79ae4b3b28590b4c10df935e3dc6fce920000000715b380240b9e860d74503c58b86c501380a1ddae3a8f44c7f249ce8e422c9d440000000c78df55ed260bd59eaae71d91bbe3bcd36693815f3b15da1d8f843a39da2d4821a04d2ba35bc59ad261f20530fc727d2b46e5c63eb90c93e5cf984e52ee0912b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc47000000000200000000001066000000010000200000004b94e393b365d2fa01bd8656ad6833d3b003f7d956b5414e4bbcff6d52132132000000000e8000000002000020000000d537c204585a2e05b000070589cfae77a476c148ded08917bc4267d710a27ca92000000066e54c7159b17088a33e648e3b0fbeee46e56980fcacd691b1f2880fb124e7c14000000011518f016f9e9c45e60f03167eac377f51393fef36f32bb5a809190385c6dc37d48702bc56e749afc5af61ecb24b60dedd6726b49e2a2459f1f5d2b3655b2b1a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc4700000000020000000000106600000001000020000000965ddcc87a13a0f73e840716f995357bc6c6430a798d87e727572e7650931de0000000000e800000000200002000000081813370a61b0d373d0e76834cae2f98e6198c3ca712be6e6d5e23876a50ea9d20000000c7ed69346b802740a0862cbd75019211b36de21fe7fa0e19621b2b5886d0ce5f40000000d886ace26056d3abd580ff9433daa6adb564722d643ff0469a508e3d803b4f4bdc18836dc3ada9d9101c14a16e551adedab90f7900db2de150a39392b2bc21bd	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0faaa0e2198da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{58BF5A85-0414-11EF-921E-CA40C9C0A512} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4BE065DB-0414-11EF-921E-CA40C9C0A512} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6CD145D0-0414-11EF-921E-CA40C9C0A512} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{32FB7976-0414-11EF-921E-CA40C9C0A512} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04ae3072198da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc470000000002000000000010660000000100002000000001c134641beaa189870406037f03f2a16cb9b63c8c20459c0409369e6cab9080000000000e8000000002000020000000eab3a2aa923c845912e65a205fbb19f689b80f8ad104292e67d4a8201cf6e89d20000000e48b338e3af4146aa39dee94e1a9f1232fcad471df4f58cf1b5db307cd4429d440000000eb40571a09a343fe39505380cdd7efdf0d6b531329ef71f798a03e431cf4ab4ebfc2b216200e67997a75043e3ab8b1a3dc056957c82196dae042583fe61a3c5b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e4db222198da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc4700000000020000000000106600000001000020000000ce29a9ae3f6dd73f2b04488978ab10cfd44f2d7bda6cc26777f5cc573d21b657000000000e8000000002000020000000f8748775582515f4f10e966d6b5cae14a3cc6857fe1156489bb469b73d65cb4020000000f3f1dac99fbc836ff8224a39d2c9584c98a2797604a8f1e5d8e8a1ce9dd38b70400000004c9b00a1f6c307154a64fb21a8da58c09a3d304fb1afe15fbabee84462144c75777c462054bbd78c71d540039245774580d4919e50d58da1092e3df0c1689aab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c076ea072198da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b007d6362198da01	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2124 iexplore.exe
1552 iexplore.exe
3056 iexplore.exe
2004 iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
2124	iexplore.exe
2124	iexplore.exe
1240	IEXPLORE.EXE
1240	IEXPLORE.EXE
1552	iexplore.exe
1552	iexplore.exe
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
3056	iexplore.exe
3056	iexplore.exe
460	IEXPLORE.EXE
460	IEXPLORE.EXE
2004	iexplore.exe
2004	iexplore.exe
4788	IEXPLORE.EXE
4788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2124 wrote to memory of 1240	2124	iexplore.exe	IEXPLORE.EXE
PID 2124 wrote to memory of 1240	2124	iexplore.exe	IEXPLORE.EXE
PID 2124 wrote to memory of 1240	2124	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 2800	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 2800	1552	iexplore.exe	IEXPLORE.EXE
PID 1552 wrote to memory of 2800	1552	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 460	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 460	3056	iexplore.exe	IEXPLORE.EXE
PID 3056 wrote to memory of 460	3056	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 4788	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 4788	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 4788	2004	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\01b47c599033cc101df4762ea2c092f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01b47c599033cc101df4762ea2c092f1_JaffaCakes118.exe"
1⤵
PID:4608

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DF5DE96CB7B61843E5.TMP
Filesize
16KB

MD5
0222c98a1823ac5ec0f97f161f5b587f

SHA1
5e16bcf80ed4f29b3982d12f440cbad21c35c112

SHA256
f2b47e0a3eca427648c98574c85304b1edcb399ff624fb40bcaac7c022ec654d

SHA512
0fccde80eadab9bce2155fdf2d5cfac23bd65dca69ab87fe7450a2d6e4293baaaedac0946df9b4a3aa4396c6cf3e5efe4a29f475c0b7fef7149430804cebbc5b

Download Submit
memory/4608-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4608-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4608-4-0x0000000000700000-0x000000000071B000-memory.dmp

Filesize
108KB

Download
memory/4608-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads