gozi | 1ca6d557eb822bd4a7e5d066a2e0afa1c0a8b07190b1f30515045ae11fc700d7

General

Target

1de75b58ba6202247f8ecae6f0262fea_JaffaCakes118.exe
Size

908KB
MD5

1de75b58ba6202247f8ecae6f0262fea
SHA1

01c436b1d8000d1c0722e4730e4f3feffca82866
SHA256

1ca6d557eb822bd4a7e5d066a2e0afa1c0a8b07190b1f30515045ae11fc700d7
SHA512

fdc18c1ff5e965c69cdbd1c37ef0c304dcd9562ad7f1619476261d99f9eea6bc3654dbd94984d8019edb804f42abbdf5a9e5b584aafe08c8f8b365db618a97cd
SSDEEP

1536:tV7RSS9YSCSISCShSCSxAGzsCTXYtFBo45GQG770gSvc1RIVLmyLmRgRLuLkutb+:JuAGBTYzGHsNv6xgRK4VljQaeA

Score

10^/10

gozi 202004141 banker rm3 trojan

Malware Config

Extracted

Family

gozi

Attributes

build
300854

Extracted

Family

gozi

Botnet

202004141

C2

https://devicelease.xyz

Attributes

build
300854
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com
ru
org
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fe03b4cb10a344eb13f4ed23e329ce1000000000200000000001066000000010000200000001cc53277d8fdf2076ebd250ee594d53741a37c5d545699d97f8781b56389cd51000000000e8000000002000020000000bb02b047280f5582bd51f8012cfda0eb8693d01da30a38e2da666e97457466c0200000001b92eeb38330f52af0b19934a911b34d5efa73084346a35000ea0b8537fbe06540000000de07c7a978dcce50504556f25f523360e5f189edafb57f9d1283fb6262c2afcb62268481ba18f0fab39746beaf7a5e45bff399d37c4c59ac706858e9834c352a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d82f52e79fda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "884344248"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8F5962FD-0BDA-11EF-B37B-FEF8E0261D73} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31104999"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31104999"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fe03b4cb10a344eb13f4ed23e329ce10000000002000000000010660000000100002000000064287e018fb23d7de553d24237aeb76296d550a57248df6bde3e42d942e8e992000000000e80000000020000200000002a96796f7a66d03f55e7102588412369ad39a85a19ed9c30ffa0ca0d1245132e200000004396b56fa2278a3711251b394c587eba1714276089099a7a666842ca8db0985a40000000b86f30e55a144e9b5db28ac25fa01b300da71adcf50cfc416ea7555403943b77e00ad7d789b7f0f77fcca592e2314cd9b694266c25a56c0a5546b893f490ef85	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{605D2A7A-0BDA-11EF-B37B-FEF8E0261D73} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fe03b4cb10a344eb13f4ed23e329ce100000000020000000000106600000001000020000000eba9103ac7a45321f98536dbc8ccec06c581fe42fa0494ba83eabd854ab27bc6000000000e80000000020000200000007e2c7fc4519b9088c698c74355f80fc67e96ab0bc3977522f247f785761e8097200000000bcebe3cec889195bfc12bc056853776d6da07a53c3f04d8b41cf4d8f9d19a7640000000f1f7e334b6ce9328cb57e8fd31a3b209d463667650f7e664f33e40032199b190e8b1e16288059e8da1ad0d23ec3c01519e61f46c337043cec59ada7f087845f5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fe03b4cb10a344eb13f4ed23e329ce100000000020000000000106600000001000020000000f0e9658766d60ace25fe083b199874f7432d6ca70c324bd7c70f870ff7965530000000000e800000000200002000000085047e7f305193d850e4cf50252b48172c593cef19025be80f3bdd5c970070fa20000000880b41999af5da4e0cf0c463f5538dd4dc57ff9c1d5bb39c08650a80f339bf214000000060dfc0c14ea2530e57f1095ad6a8bb3f3eccd6fb768b97ebd445c8465d5860b07599e158b5846451a83c3f47696de68a3b602a42956e6e481deb1de584c3ca58	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{758144D6-0BDA-11EF-B37B-FEF8E0261D73} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f55e38e79fda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007fe03b4cb10a344eb13f4ed23e329ce100000000020000000000106600000001000020000000bcdfaff676d5837493379526f5a890b4740ff9a33dc2b0aa27edb853d02f8849000000000e8000000002000020000000ff2e8c0675900ec65e082ba238a8559b59b66d8d728f8bd09401862f1020c57920000000222c2666e62c59a13ce94750322d4a93f55b232ca5ce6ce5f48454da7910a30e400000001dff7fee9cd2a9eeee5aaf1c106d0df20e1080a356e9002359fbca69b5b368944b7f7d520478a3391c89175b42832189de9ac82f177a922ab005453e89012f4d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 004b7225e79fda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "884344248"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0166445e79fda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

4852 iexplore.exe
4852 iexplore.exe
4112 iexplore.exe
3412 iexplore.exe
3232 iexplore.exe
3788 iexplore.exe
3840 iexplore.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
4852	iexplore.exe
4852	iexplore.exe
2292	IEXPLORE.EXE
2292	IEXPLORE.EXE
4852	iexplore.exe
4852	iexplore.exe
4192	IEXPLORE.EXE
4192	IEXPLORE.EXE
4112	iexplore.exe
4112	iexplore.exe
3400	IEXPLORE.EXE
3400	IEXPLORE.EXE
3412	iexplore.exe
3412	iexplore.exe
4608	IEXPLORE.EXE
4608	IEXPLORE.EXE
3232	iexplore.exe
3232	iexplore.exe
3672	IEXPLORE.EXE
3672	IEXPLORE.EXE
3788	iexplore.exe
3788	iexplore.exe
4168	IEXPLORE.EXE
4168	IEXPLORE.EXE
3840	iexplore.exe
3840	iexplore.exe
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4852 wrote to memory of 2292	4852	iexplore.exe	IEXPLORE.EXE
PID 4852 wrote to memory of 2292	4852	iexplore.exe	IEXPLORE.EXE
PID 4852 wrote to memory of 2292	4852	iexplore.exe	IEXPLORE.EXE
PID 4852 wrote to memory of 4192	4852	iexplore.exe	IEXPLORE.EXE
PID 4852 wrote to memory of 4192	4852	iexplore.exe	IEXPLORE.EXE
PID 4852 wrote to memory of 4192	4852	iexplore.exe	IEXPLORE.EXE
PID 4112 wrote to memory of 3400	4112	iexplore.exe	IEXPLORE.EXE
PID 4112 wrote to memory of 3400	4112	iexplore.exe	IEXPLORE.EXE
PID 4112 wrote to memory of 3400	4112	iexplore.exe	IEXPLORE.EXE
PID 3412 wrote to memory of 4608	3412	iexplore.exe	IEXPLORE.EXE
PID 3412 wrote to memory of 4608	3412	iexplore.exe	IEXPLORE.EXE
PID 3412 wrote to memory of 4608	3412	iexplore.exe	IEXPLORE.EXE
PID 3232 wrote to memory of 3672	3232	iexplore.exe	IEXPLORE.EXE
PID 3232 wrote to memory of 3672	3232	iexplore.exe	IEXPLORE.EXE
PID 3232 wrote to memory of 3672	3232	iexplore.exe	IEXPLORE.EXE
PID 3788 wrote to memory of 4168	3788	iexplore.exe	IEXPLORE.EXE
PID 3788 wrote to memory of 4168	3788	iexplore.exe	IEXPLORE.EXE
PID 3788 wrote to memory of 4168	3788	iexplore.exe	IEXPLORE.EXE
PID 3840 wrote to memory of 1672	3840	iexplore.exe	IEXPLORE.EXE
PID 3840 wrote to memory of 1672	3840	iexplore.exe	IEXPLORE.EXE
PID 3840 wrote to memory of 1672	3840	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\1de75b58ba6202247f8ecae6f0262fea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1de75b58ba6202247f8ecae6f0262fea_JaffaCakes118.exe"
1⤵
PID:4356

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4852

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4852 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4852 CREDAT:17418 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4112 CREDAT:17410 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:3400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3412

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3412 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3232

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3232 CREDAT:17410 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3788

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3788 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3840 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOM5RXN2\httpErrorPagesScripts[1]
Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\NewErrorPageTemplate[1]
Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\down[1]
Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WEG78UAE\dnserror[1]
Filesize
2KB

MD5
2dc61eb461da1436f5d22bce51425660

SHA1
e1b79bcab0f073868079d807faec669596dc46c1

SHA256
acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

SHA512
a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WEG78UAE\errorPageStrings[1]
Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFBDC1B873D83CAF01.TMP
Filesize
16KB

MD5
7786c6451bf955ace3a742415b2bffe8

SHA1
a2db5e3be880dfd49567e74f1b3ed1178974ce15

SHA256
6aa60730644d756623c4137e51cc82714ee68b594f5f1a1ec1f72c1919447f5b

SHA512
a8634cee8caaf62676f566acac6056a30de6736169e7d0fab01772d686637125ab906be531e20c29f25c416fb774b81fd43618df926a60aa3aa33d11dd6bbd5d

Download Submit
memory/4356-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4356-0-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/4356-2-0x0000000000670000-0x0000000000681000-memory.dmp

Filesize
68KB

Download
memory/4356-8-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4356-24-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads