gozi | 68637e5e021ca632cc17b6c0dfbb367cafa733253be608e10c8e9a6eadb05caa

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3df0a88ebacb4fb7b7609a79fd188e1_JaffaCakes118.exe
Size

155KB
MD5

d3df0a88ebacb4fb7b7609a79fd188e1
SHA1

e8e0f9cfe8a1f91a8b00f9208460a56da328f036
SHA256

68637e5e021ca632cc17b6c0dfbb367cafa733253be608e10c8e9a6eadb05caa
SHA512

dfa49359dc81f7fc5741227d8dca1a3f2c27d6cfd64f7b14861c55dcf73d889794f6b19866b0839908c084ca55f2d83e0cce0237052c6294a193ec657489c1ce
SSDEEP

3072:4Wuk6BU7sniep/j4UswJiNsRI4EwR3WxUIuupS/KuXkwIEnUaTii5Qi37Gq:4WI2wiep/j/2sRI4E4Wx5MhIlaMi37X

Score

10^/10

gozi 3492 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
214098

Extracted

Family

gozi

Botnet

3492

google.com

gmail.com

lsammietf53.com

p28u70webster.com

ploi7260m71.com

Attributes

build
214098
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3df0a88ebacb4fb7b7609a79fd188e1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000009bd7b3d01c72643a6b4d24d0b70957000000000020000000000106600000001000020000000d84408e354548eb18f14214540e1ff9f84697feda8463a29cd0ab4d7da9b0d1a000000000e8000000002000020000000130bbc685abcc1530c2c20ab702285ebfbfed552959f6e42b1fd7bcc824a787720000000d7fb91272662f3c5562aa7728ce116e76bab9854d43d8f4f6d7add4cff41d84140000000ba1adf920e438788a81c70556a858be3e95f36ff7e808eba78737df402831f25b697f3f1f5dbe096ee97f0021a97cbca1e83adc10be7a4391cae72a82e45bd6d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6EA46947-6DB6-11EF-818E-F60A6DD2E828} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31130051"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "484675150"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60c2843ec301db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000009bd7b3d01c72643a6b4d24d0b70957000000000020000000000106600000001000020000000a63c849f82d5694eaa1ce6186879954ab589014345bb8eaf377bde49d7cab95d000000000e8000000002000020000000dda44674bdf0827709a2c7959f128b2ac1d55c101d8b7c77d5886077c6265c1320000000d4513923adeb24cb4965b8f4f2666da14ce8b2ec4f3a7632cdb5c549e8b3ba7d40000000884faa4f0b918d58b1372b3afe42da5ffee11b26bad3e0af77537a376697c21451ce082b66e7c91478ebfd29b9c51bce7c7d037ae9f8cc84b42ffeb452f47497	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 006a9031c301db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130051"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4047961dc301db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000009bd7b3d01c72643a6b4d24d0b70957000000000020000000000106600000001000020000000a6ff487c6cc1ad4ca5c3358d6cffdbdc638baed4226582fb5c13e686c969be85000000000e8000000002000020000000e82664fc72f1fc8d3760d8aa55a6a2db4b5d0f7c6ac6b6826d7257571a0aaf61200000004e1c92f38b9e1f86677dd9fd9c0dd1ed0be033ae56b6c30e87f7828aa352df4e4000000005deeca3365de7a570c3ddc424d15154df4c519c9eb67b59198a57aaf3cdf88488f4bbcaac8a5f73d31471a5635b33f2cfb2edfd94793094b1d00dca51b276b1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{61B729EF-6DB6-11EF-818E-F60A6DD2E828} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7B8A7FB3-6DB6-11EF-818E-F60A6DD2E828} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{48753DE7-6DB6-11EF-818E-F60A6DD2E828} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 508c911dc301db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000009bd7b3d01c72643a6b4d24d0b709570000000000200000000001066000000010000200000007181a187ee707fd71705c1748385da384011a4f7dc39063cb027295f6048e8c6000000000e8000000002000020000000b5561292b5ae4df2972b49aa3a40d5e74685f0a802f9857b5560b0f764e7856120000000e5399f75e486b4037e67b348d008e4166f772bd3c5a942d6eca95db1230c0e5740000000ffd6f95ca5a923ddc6d2172c59abcb5ca3d9a7c418429aa014d1fcf5100dee3332fb5c0f21c63ebfd60c6385c575f77c7798d451d10b31f21c8303ee9a5e878c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000009bd7b3d01c72643a6b4d24d0b709570000000000200000000001066000000010000200000004f8313810596a463a85b4e9b5c51cbb8d92564d95eb7ff0eca806ae0064f71c6000000000e8000000002000020000000409f2b98c5c3b16467df3fda7c262822a7f5ff80eeecea96b421effd91698b662000000054912e16212a89345469198433b15f86dc7c9b1c67a9ad0efb224beee6d91ca34000000054157271f685b95fed00b94bcc7401f736d72137e2801e4bceb678c24356507809e96a3d05435b21f0c6773088cfa0c15cf330c572f17ace8ed595ec46c382ec	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60fdae24c301db01	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2396	iexplore.exe
244	iexplore.exe
1612	iexplore.exe
832	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2396	iexplore.exe
2396	iexplore.exe
3336	IEXPLORE.EXE
3336	IEXPLORE.EXE
244	iexplore.exe
244	iexplore.exe
3088	IEXPLORE.EXE
3088	IEXPLORE.EXE
1612	iexplore.exe
1612	iexplore.exe
4712	IEXPLORE.EXE
4712	IEXPLORE.EXE
832	iexplore.exe
832	iexplore.exe
3524	IEXPLORE.EXE
3524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 3336	2396	iexplore.exe	98
PID 2396 wrote to memory of 3336	2396	iexplore.exe	98
PID 2396 wrote to memory of 3336	2396	iexplore.exe	98
PID 244 wrote to memory of 3088	244	iexplore.exe	100
PID 244 wrote to memory of 3088	244	iexplore.exe	100
PID 244 wrote to memory of 3088	244	iexplore.exe	100
PID 1612 wrote to memory of 4712	1612	iexplore.exe	102
PID 1612 wrote to memory of 4712	1612	iexplore.exe	102
PID 1612 wrote to memory of 4712	1612	iexplore.exe	102
PID 832 wrote to memory of 3524	832	iexplore.exe	104
PID 832 wrote to memory of 3524	832	iexplore.exe	104
PID 832 wrote to memory of 3524	832	iexplore.exe	104

C:\Users\Admin\AppData\Local\Temp\d3df0a88ebacb4fb7b7609a79fd188e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3df0a88ebacb4fb7b7609a79fd188e1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1932

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:244 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFCC9D5A02BC9ABF22.TMP

Filesize
16KB

MD5
b902eb9760bc0e7149fef53c4b80aba4

SHA1
2447cb94a979c2bc4c6ab894fd0c2e048f236c1b

SHA256
c4e0a43ba994ee76db2094ececc46fc8cdf47fd3aa1552f5b01d50ac07e336fd

SHA512
a4c1bfd0ea722180609c5ee154876a21d62da9741d7085ae14b50826c5c229e2b5a3d90fa05e00c5df8300b5e9a77e8a1d66c6beca3195bd36d0cb8bab900356

Download Submit
memory/1932-1-0x0000000000428000-0x000000000042E000-memory.dmp

Filesize
24KB

Download
memory/1932-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1932-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1932-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1932-4-0x0000000000610000-0x000000000061F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads