gozi | b958fb921a0e3bcc14962b3771f610e972526713f70bd36437b3f299fd252e52

General

Target

19a6785fe245b33b5b87091cc1d3a3fb_JaffaCakes118.dll
Size

115KB
MD5

19a6785fe245b33b5b87091cc1d3a3fb
SHA1

574301573c262e1f1008fad6611ad1ab0506a2c7
SHA256

b958fb921a0e3bcc14962b3771f610e972526713f70bd36437b3f299fd252e52
SHA512

ff7608ea8242db34e257cd2568f9eeaad4c43e0643be5633a0881201141d26f5d46c23cc0f204e89a4a538818d35f193b1ad808bf80481f6751c6a5f84dcc6fe
SSDEEP

1536:cXq3Q48oRjL3YCcxt6vcfFVwXr4OHZehTead4wBb88FGHKXs/OPWWm2B:ca3Q48oZDcxYvcNIViasNbG7/OPWWm2

Score

10^/10

gozi 7221 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Botnet

7221

C2

po3p53334.yahoo.com

web.citylimitshog.com

Attributes

build
250154
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEregsvr32.exeielowutil.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bfd43f7a7cb3b439c96900a06cb1d5a00000000020000000000106600000001000020000000dc2a9fc4b47a85dc00b3050f4df5be989cb35dd0551a5c7cae718ff77641badc000000000e8000000002000020000000d4588676a791a8ed8f86f040176b0b927124dc9852506186a36f721c1fa96211200000008137dbbf08d3e226fc65d52233eb174b85746bd3bb5c70e3df6bf2cff4a2c5e4400000005819a33787160ac0440739731648bcc84370e943ac528cd08f734c94a2aee9c742b0af143edbbb3a34364bc7bac34d5254edcc7d345e2712900423a0324dc9d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602339a52ae2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 505a7d9e2ae2da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bfd43f7a7cb3b439c96900a06cb1d5a00000000020000000000106600000001000020000000cbb5e902b8724837eb82d6f6367f81ede743c0614a709a95d265532ca62f126a000000000e80000000020000200000009e228bd41cca8cb8046ed0f6b65e8acc3a065c19f652317f9be14efea63b7f3c20000000258efb1768c2191d29fc5bece27c1bd0ebe0ea586ff38bda183937e313c9676040000000ccbf3a548ff39fc722aa3dc92e2031a9a0c15c6e8a970e77e469689c21ed69843c5e973b9d13c9172188b33de033e730caae78a31c8d0a25a4d4157effae4131	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bfd43f7a7cb3b439c96900a06cb1d5a0000000002000000000010660000000100002000000078e9bb9e2ec4683c8de4b3a6829cb0d6fbe0e05ab1aa57f39af17351f080aabb000000000e8000000002000020000000d2aa2a9169844bb7020f6470b59c76d9a565c9bbd7ad8d569b9ec3245660180c2000000084bfe782f0463e3c4186df720032640f6b4420a8c8b83f541f4412b1f4a3783240000000609390d8a1d788134b71fda7efb701f07e7d18761a49308ea839fcd9cfbb3e3dcc886fccf0604fc22e850087eec876a95833b0d384f865e14b658eff91979011	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121962"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2649179305"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EF41981F-4E1D-11EF-B355-D624FE4E3F02} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C92581AD-4E1D-11EF-B355-D624FE4E3F02} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31121962"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E281A4E1-4E1D-11EF-B355-D624FE4E3F02} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FC59C185-4E1D-11EF-B355-D624FE4E3F02} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bfd43f7a7cb3b439c96900a06cb1d5a00000000020000000000106600000001000020000000ecc708c8e6bd253eac81898daca14f259a20dbb2d138d18cfbc716897ba14e86000000000e800000000200002000000014e1c07cd30e7482f543ef4a9a236a7ea3b286b3fa997f9e189a6e262c33869c20000000ec11078d15728083254da6e49a17a540f699603d1ab49993c8037ccd22afbce240000000c125fb7454049f7ca37d3053e7aa6af05472039044112cdc2ce4c18e2a269dba65a65d5a0dbbddcf0ae722929e524baba5de168e9a1bb3caec8440a53caa0852	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bfd43f7a7cb3b439c96900a06cb1d5a0000000002000000000010660000000100002000000040543d6693c253784bbd0493bdbd2cd09db240786622fa0bee8afde53938104e000000000e8000000002000020000000b720bd970c68bad16b543de5a3c346a0a3a635225586562ac290469e92b9ee6120000000ec1c29becf2e7edd4273830c9a797c417d3f50297dd9b084088a37d1d9ac723a4000000040d0c75c4c07bbeb9f852091f768e0a7629cec45d74992fa1eda98a0f7e13dbaee2d6ad14929d94625636fd5cccc319559b2b4090cef145de00aa4a8aaaaf4bc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d56bbf2ae2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2649179305"	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2600 iexplore.exe
1720 iexplore.exe
5052 iexplore.exe
4904 iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
2600	iexplore.exe
2600	iexplore.exe
3288	IEXPLORE.EXE
3288	IEXPLORE.EXE
1720	iexplore.exe
1720	iexplore.exe
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
5052	iexplore.exe
5052	iexplore.exe
2848	IEXPLORE.EXE
2848	IEXPLORE.EXE
4904	iexplore.exe
4904	iexplore.exe
3032	IEXPLORE.EXE
3032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

regsvr32.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3052 wrote to memory of 3156	3052	regsvr32.exe	regsvr32.exe
PID 3052 wrote to memory of 3156	3052	regsvr32.exe	regsvr32.exe
PID 3052 wrote to memory of 3156	3052	regsvr32.exe	regsvr32.exe
PID 2600 wrote to memory of 3288	2600	iexplore.exe	IEXPLORE.EXE
PID 2600 wrote to memory of 3288	2600	iexplore.exe	IEXPLORE.EXE
PID 2600 wrote to memory of 3288	2600	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 2692	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 2692	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 2692	1720	iexplore.exe	IEXPLORE.EXE
PID 5052 wrote to memory of 2848	5052	iexplore.exe	IEXPLORE.EXE
PID 5052 wrote to memory of 2848	5052	iexplore.exe	IEXPLORE.EXE
PID 5052 wrote to memory of 2848	5052	iexplore.exe	IEXPLORE.EXE
PID 4904 wrote to memory of 3032	4904	iexplore.exe	IEXPLORE.EXE
PID 4904 wrote to memory of 3032	4904	iexplore.exe	IEXPLORE.EXE
PID 4904 wrote to memory of 3032	4904	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\19a6785fe245b33b5b87091cc1d3a3fb_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\19a6785fe245b33b5b87091cc1d3a3fb_JaffaCakes118.dll
2⤵
- System Location Discovery: System Language Discovery
PID:3156

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:17410 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:17410 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5052 CREDAT:17410 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4904 CREDAT:17410 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD53E29EB59DCDD96.TMP

Filesize
16KB

MD5
694925de8188ba0720b6471cc9b91436

SHA1
5fb75225c191f6dd73633faf38223c7d598a560b

SHA256
07961a9bde77ba5537f3619077fd6a13bc43cd2caf3facc230a4cb4b799abd35

SHA512
87ab3aa5512dd6966ece981b509098248c56e4144872c3b8bc797ff89511de6c693b957f8ebc7cac2e1914d9ee8a1f5062e7df29fa7171b4d0b3ef9039f5af17

Download Submit
memory/3156-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3156-1-0x0000000000427000-0x0000000000429000-memory.dmp

Filesize
8KB

Download
memory/3156-3-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3156-2-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3156-4-0x0000000001110000-0x0000000001120000-memory.dmp

Filesize
64KB

Download
memory/3156-8-0x0000000000427000-0x0000000000429000-memory.dmp

Filesize
8KB

Download
memory/3156-17-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3156-18-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads