gozi | 60dbe14b2e1d09d05caa3119170ebaed8f66b115ada3054ecab4db4396a66a31

General

Target

95f3b9b1e5b61fb464b230ecf1d7460c_JaffaCakes118.exe
Size

485KB
MD5

95f3b9b1e5b61fb464b230ecf1d7460c
SHA1

acaeae790062cd29b0a6becf43a335c85a256830
SHA256

60dbe14b2e1d09d05caa3119170ebaed8f66b115ada3054ecab4db4396a66a31
SHA512

b551dec9be7c23d781b789474acea71caea8783477d65f60d6868cf3765aeb1149dca10a1d08e5d5f72a675f011db418fe2ccc8518426b0c52fe77be23ab374c
SSDEEP

12288:mD9UDevpMtdoe83GWLh6iVMGPQtYLwqYZy4e:hiq/H8hh6O9QtqHYZS

Score

10^/10

gozi 3140 banker isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215165

Extracted

Family

gozi

Botnet

3140

C2

isatawatag.com

bosototsuy.com

atamekihok.com

Attributes

build
215165
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0616ab6b2b6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000cb1c808fe2557454c74fb379afa07fc59863a3f299fe026f28af046f8f317729000000000e80000000020000200000009b2d76f2294367926c98e5337a0bd4f1503f86bd934ce79d1f8f0e53bdfffbfd200000004a78c1717e66006ded400989f297aff2906715f2f25af64ea11280fd00b8065940000000f57f6fcfa9a897c6dcd513fee4a054adaf7080d0aa2bf3f722cd9c70096ddf5c96d4b163de92b3c958038ee851a0b4a9a9db38c0ce3a5969992c8a6aa291cdd0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F36698B7-22A5-11EF-9519-5A63B3EA338B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000657bef1db60fcc818fdb9a1630ff3be024a096c4f56006c6ebb9f72966cd6e5e000000000e8000000002000020000000d8ec4096af67dacdaad06fc22b2986e14e216df87773967667bea1c57734e45520000000a35f613e7b8bd8e46eca305423f3f67fd4ebe24270ff3747971813c28cd57f194000000074157008fcf09a8522df296476c16fe8df51282d75d5c28671f49464fe0218387e92bc4584891f56d4eca572646df2023f781450469c858107e21cef783cdac0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CD54090E-22A5-11EF-9519-5A63B3EA338B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000000b0ba7c47040c35714d45cd647223bd8383f5c8d4e80761d9423f10510291747000000000e8000000002000020000000593682600399b97d71892079bc632084397dd1717f7b342bfb91083313e05eb32000000027e2a375ce430ac05cca29973917d1dc20a3ce27a1e6497229c381328426002940000000eb5137502793d0ca8b91012c418655d51cdd3017d855677cc7b733cda43400c98b095d144fe13241b9011390f5166bd23e45362e9d28b46e972eefb64a32c978	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708fa1c3b2b6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00846ba2b2b6da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000000e7d24ea4fda5758f7bca83ca9a99e71c4b402f1446d647d7bf4e38178e0081d000000000e80000000020000200000005101afcf659406606f78061fe416bc3ed044c99fbf26febb90bea7b88e1d7d96200000000355a61f434ea51f323fbc6a85c2e75bfa2033b35220f7ae868c92b05ab63392400000008b5d9f3166ef4a5eab1c3087e4e9102d5373436ec8d4147c25a438e3a11ae02a85acfbb8bcf6651bf7767d2567896be0b6ad280bcdc99f7139d209060fe0f77d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{006BAE12-22A6-11EF-9519-5A63B3EA338B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2713399715"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502771a9b2b6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000c761d78ae70dd8b6ab6b5b0585c4f9a42f2c31c2320f88a6bf8e2b03d16a55eb000000000e80000000020000200000001566038ad583328d5dceeb4a7fbd9b778d45e47236fbf872486eb32b24b28238200000009ba9de8c8a0f5a31ccc4831a04c54985383d0086b3cf3c93d1d541904b60539e40000000ea3b8a9013032fe85c8fb125e89f3262914707e1afd1d7996094ea7f9950163597bf9e7d516076413972f0b5bcad70303057ab92d142025509e7308c58feaf45	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2713399715"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

628 iexplore.exe
2904 iexplore.exe
3748 iexplore.exe
4232 iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
628	iexplore.exe
628	iexplore.exe
728	IEXPLORE.EXE
728	IEXPLORE.EXE
2904	iexplore.exe
2904	iexplore.exe
4608	IEXPLORE.EXE
4608	IEXPLORE.EXE
3748	iexplore.exe
3748	iexplore.exe
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
4232	iexplore.exe
4232	iexplore.exe
3952	IEXPLORE.EXE
3952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 628 wrote to memory of 728	628	iexplore.exe	IEXPLORE.EXE
PID 628 wrote to memory of 728	628	iexplore.exe	IEXPLORE.EXE
PID 628 wrote to memory of 728	628	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 4608	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 4608	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 4608	2904	iexplore.exe	IEXPLORE.EXE
PID 3748 wrote to memory of 2956	3748	iexplore.exe	IEXPLORE.EXE
PID 3748 wrote to memory of 2956	3748	iexplore.exe	IEXPLORE.EXE
PID 3748 wrote to memory of 2956	3748	iexplore.exe	IEXPLORE.EXE
PID 4232 wrote to memory of 3952	4232	iexplore.exe	IEXPLORE.EXE
PID 4232 wrote to memory of 3952	4232	iexplore.exe	IEXPLORE.EXE
PID 4232 wrote to memory of 3952	4232	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\95f3b9b1e5b61fb464b230ecf1d7460c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95f3b9b1e5b61fb464b230ecf1d7460c_JaffaCakes118.exe"
1⤵
PID:2788

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4160

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3748 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4232 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DF79E58CE1289AEAE2.TMP

Filesize
16KB

MD5
0b705ab41226d9466f54fc527b9ba3d8

SHA1
1be72d8053dd71692cb00eaa7ff44f9c2d9d7e4d

SHA256
01625c030b2605eaf7e7ba8097a2e780a6e390e2dcca27c122de82203ea7d703

SHA512
510ad75cd774e07060f3f386c4b63e88ad69557d599ae2e14318fb5f6ffb1881775ca9cae965febbdff5c3c804251e455fd153b61379f093f772adb77d3d7aea

Download Submit
memory/2788-0-0x0000000000C50000-0x0000000000CD4000-memory.dmp

Filesize
528KB

Download
memory/2788-1-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/2788-2-0x0000000002A60000-0x0000000002A7B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads