gozi | 67746a3ca8df100d17ac32dd508cc0cbc18b8e869d979bee1368fc6de435cc4b

General

Target

2622f509766fc8dca049981ebc90d703_JaffaCakes118.exe
Size

149KB
MD5

2622f509766fc8dca049981ebc90d703
SHA1

49e92c635b9718da15e1a422fcc52a2885445f3b
SHA256

67746a3ca8df100d17ac32dd508cc0cbc18b8e869d979bee1368fc6de435cc4b
SHA512

bac388ebaac0a68ad30b9653642cd727f75245b09c3f6a7fb380c39accdf2b3d6b1d3f6b98f16a39cb95f6245849a32a039611be23e4fe389cef4e7b409ff265
SSDEEP

3072:tzaE7ZKrQMh/x8orIrUCic0PglqlsvARnj1N2el55D8ejI1AbWxS/Cau2lPX3LMB:ZaE4rQqlrIQL8Eh2eloesObWxS/TzMB

Score

10^/10

gozi 3475 banker isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
214085

Extracted

Family

gozi

Botnet

3475

C2

google.com

gmail.com

q982yeq23.xyz

t7763jykqeiy.com

hjruu.com

Attributes

build
214085
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{87658E18-0D68-11EF-9519-6E6D447F5FDC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000313e4b5393417b5b41fa88602712462211d7d66907846628544af938f6ef9314000000000e8000000002000020000000a6c7748d9be0298e49d6fd93fd2cd7258375d37630962ce96b56b048e5ff23232000000093cc7dee841d652653836cc053cb0377c185dabfba6b20a8af93d184e0c5c1c4400000001d46f8560b045d7ebe6a6dd30a01cf9e26e3eeea7d140adbf3fbc2fd9b1e8a2cb0ca79a2b363668899876b398836935b67311d98091585173cc864b49aa8ff68	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b8968a75a1da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{ADA0A3FF-0D68-11EF-9519-6E6D447F5FDC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000002262045271658d1d96de367b9dc6e5acec79740b4a5e50c27b4aea75cdd6ee5a000000000e80000000020000200000001ede9cb396402d664055406c085e3105bdb53095c71ff910bb14e92dfc44065520000000a519558e96516aa23fbc7890bfa83b8d209fd28a45a2a780c02e79ed339311334000000044a636e5ad0851fb8bd295b5f0e8742cfc2ba54f71807cf55dd1d45ce341d58c6e734eaf8d73b5b61b03ffc66fe400bca224f6dd6834b92de62c699e1b07fcd1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef86260000000002000000000010660000000100002000000005e22406b13a7436d8143c9409d0f1ed1d48b1ea02d46d8d7ae766539ba27ed7000000000e80000000020000200000009a2a037dfe9d3b936bafd4e8611a96b50aea858b6f984ab5c5a2e1337d02ab0a2000000078a8869f15143828595f41a1da6d7dea3ab48fe66eb90a05816aefa1992091ca40000000eef20535ce725dd1330a49452c0a10591da6087006a21beda10540966a67c02c84f43db0fa58dadc0fc5c9a2331a280974a41d1727a92744d4de1cdec4ae5c2d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef86260000000002000000000010660000000100002000000041fff138699ec629254ec8ca6bdf8eadf0e2836430c9d18d9e598f0568dc2a1a000000000e8000000002000020000000c6ccda020efe9c0fc977339aad117ff7e9d987e502599a15c5624fae0445809a20000000f78bc8a56e47fe7536ae5abe2095b130ca9a5aa9e33ce654e7df28a628880e1640000000bf5b4b343cdde0cabdb93fc81a904e67eda800f68b86a2400981ab8fa2eb1cd43b7ff6b00ce7a0de18238a5c8e775dd53f8b9b4fd53b048dce015be9ad8ef0a5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000009c70a980a08c5f3292b0ce28c5d0dfde2ed8beb11715cd7271c802db8763015c000000000e8000000002000020000000c249071da0aead97c38820e8105e680b4f02b0553726e4172484443bc10013aa20000000d51f741ff856d5cdff7bc3d23ff623076a8bd10c6693147f816eb72415e4844040000000e7d130d555b6f91b3bd08451d65b9a105c74463e03f4b8620cc8dd69f2d1b341a7789dd538d84e06190c4ac817f971c37507ed9bec7efa6528d99f4b50fbd546	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0ff9c6375a1da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 409d8c7075a1da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BA950AA2-0D68-11EF-9519-6E6D447F5FDC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0ac7a5c75a1da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef86260000000002000000000010660000000100002000000039f8e76061761b1434fb46b20036c6b093452b1ca5b9d2191964d769e196ab14000000000e8000000002000020000000bbbd63592b3e01cad4953518b6fd768a06ea5ddda577fb5a05ef1ead4a6e5b2f20000000a7d9f5ce7b581de9fa088c2dabc4404b038b5e90d9461d0c5de5cd7b4b09330840000000ada45829878bddc356bcb774ca48f56a7ec63bfe28fc584dd1551f5d9774b0ca0cf0e161f2301555e72689b8645766ac97f447d588da721bff3425453e0083c4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d8815c75a1da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60a59d7d75a1da01	iexplore.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2172 iexplore.exe
2184 iexplore.exe
3668 iexplore.exe
3836 iexplore.exe
2004 iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
2172	iexplore.exe
2172	iexplore.exe
3116	IEXPLORE.EXE
3116	IEXPLORE.EXE
2184	iexplore.exe
2184	iexplore.exe
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
3668	iexplore.exe
3668	iexplore.exe
1860	IEXPLORE.EXE
1860	IEXPLORE.EXE
3836	iexplore.exe
3836	iexplore.exe
1396	IEXPLORE.EXE
1396	IEXPLORE.EXE
2004	iexplore.exe
2004	iexplore.exe
404	IEXPLORE.EXE
404	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2172 wrote to memory of 3116	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 3116	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 3116	2172	iexplore.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 2708	2184	iexplore.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 2708	2184	iexplore.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 2708	2184	iexplore.exe	IEXPLORE.EXE
PID 3668 wrote to memory of 1860	3668	iexplore.exe	IEXPLORE.EXE
PID 3668 wrote to memory of 1860	3668	iexplore.exe	IEXPLORE.EXE
PID 3668 wrote to memory of 1860	3668	iexplore.exe	IEXPLORE.EXE
PID 3836 wrote to memory of 1396	3836	iexplore.exe	IEXPLORE.EXE
PID 3836 wrote to memory of 1396	3836	iexplore.exe	IEXPLORE.EXE
PID 3836 wrote to memory of 1396	3836	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 404	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 404	2004	iexplore.exe	IEXPLORE.EXE
PID 2004 wrote to memory of 404	2004	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2622f509766fc8dca049981ebc90d703_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2622f509766fc8dca049981ebc90d703_JaffaCakes118.exe"
1⤵
PID:2896

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3116

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3668 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3836 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2IX84YPE\robot[1].png

Filesize
6KB

MD5
4c9acf280b47cef7def3fc91a34c7ffe

SHA1
c32bb847daf52117ab93b723d7c57d8b1e75d36b

SHA256
5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

SHA512
369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\googlelogo_color_150x54dp[1].png

Filesize
3KB

MD5
9d73b3aa30bce9d8f166de5178ae4338

SHA1
d0cbc46850d8ed54625a3b2b01a2c31f37977e75

SHA256
dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

SHA512
8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF3BF1013D1E27C71D.TMP

Filesize
16KB

MD5
a66be07c30e5e4ff93406c40865ba6de

SHA1
f26a0cf12c57b41849a4b3e7f851ed61971168fb

SHA256
f3f0fbcbfe26af608bb91956b704560fec04fff6af2516ce1a70184975cbc756

SHA512
9d11a4b91e820c1337f91490d920c35cce8b9cfcf078ab17176c224cbdec2f2b880b0d8227c8ec6f5cac544fbc007909798fdd8a5078f896df7e61a11100e413

Download Submit
memory/2896-1-0x0000000000B40000-0x0000000000BFF000-memory.dmp

Filesize
764KB

Download
memory/2896-0-0x0000000000B40000-0x0000000000BFF000-memory.dmp

Filesize
764KB

Download
memory/2896-2-0x0000000000B65000-0x0000000000B6A000-memory.dmp

Filesize
20KB

Download
memory/2896-3-0x0000000000B40000-0x0000000000BFF000-memory.dmp

Filesize
764KB

Download
memory/2896-4-0x0000000002D80000-0x0000000002D8F000-memory.dmp

Filesize
60KB

Download
memory/2896-16-0x0000000000B40000-0x0000000000BFF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads