gozi | 4bc38f181b2d96f0a3a57f3f0b9167d57b0544eb0be6e4d1ede8bf55897a982e

Analysis

max time kernel
142s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0c7c3153dd109789ad5514078887443_JaffaCakes118.exe
Size

149KB
MD5

e0c7c3153dd109789ad5514078887443
SHA1

7696b0d065ab5afde9f29d8857beebec0b5c3ca8
SHA256

4bc38f181b2d96f0a3a57f3f0b9167d57b0544eb0be6e4d1ede8bf55897a982e
SHA512

a9ad943b7430349b995d8ba7c57569e4d6a66ed62ebb5cfc471a54194423cc7d07d7d260715e33e28e825ae7274750d77a2d1f5a2047fc5fdfea9ca9b8ef5f09
SSDEEP

3072:tzaE7ZKrQMh/x8orIrUCic0PglqlsvARnj1N2Kl55D8ejI1AbWxS/Cau2lPX3LMB:ZaE4rQqlrIQL8Eh2KloesObWxS/TzMB

Score

10^/10

gozi 3475 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
214085

Extracted

Family

gozi

Botnet

3475

google.com

gmail.com

q982yeq23.xyz

t7763jykqeiy.com

hjruu.com

Attributes

build
214085
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0c7c3153dd109789ad5514078887443_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bef17dd406db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131348"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb0000000002000000000010660000000100002000000016d442abcaccc41c63dd40dd1d9f8add58f3604dac36083c92b1cbf7e2aacbc1000000000e8000000002000020000000a2774861dd9f86a6103ead7bc17af6340d9db09ebad3e506818470cb940f62cb200000004948bf0da36184be472acbe815e7a4a1b62ddc00f049baee499aab70c6fd003f400000003fce30427f6bc841fd30e3c8594ff41ef062cad108ab204ce8ff7e75df01fc2011c680a08d44f649e4331fc8ddb404d95ef3df876ee44b9ddf67e9e25f1759e9	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BAF7859F-72C7-11EF-BFD9-D60584CC4361} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b24550d406db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb00000000020000000000106600000001000020000000ea626dd81bf4bd6cf51d3b67ea983c05f2c8d9971de549833f559e8100f622aa000000000e8000000002000020000000f1438cfd4d5f8b538a193e45dfeed4d97fca70c9b72189b7608c9bec566cfd8c20000000d89adc198db87b5ef06a4213e592fcb38aa002606e6b38bcadad487e0fe386a54000000061edb3524d3dfb4819ac091f47254b81b201180016d3c2bb95ae3b521114e7c337c3674d1ab8377e696585d561870e6f06ca5c636496e6131eaa5fc018ef71ac	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5066fd70d406db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{94669A1F-72C7-11EF-BFD9-D60584CC4361} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31131348"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AE07E264-72C7-11EF-BFD9-D60584CC4361} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb000000000200000000001066000000010000200000007677ee71c5d7a533f054879794b76d697a725482673a964367b9cf55d3db7ea9000000000e80000000020000200000003d96c1f790bdd2d7cdbb88c7fa079decd03a1ab8ff0284222749b43e9e8446ca2000000080e65c3834dd142bc0463dc55f97cbd049b8d75b004aebae641b79c0e19f007f400000005a48ab02fefbd4c89cfa0279a3a4de9bffff95bc9ff01e9a41674bd9302e5c1ede63cf4b30c2025ef6a6e10473fd756efd6f61759a557e99321b379d8b333256	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10514457d406db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09c0664d406db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7B356189-72C7-11EF-BFD9-D60584CC4361} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb00000000020000000000106600000001000020000000db31121855d0344dcd3099b13f504fcafe4c0b9e0f4725684e1fe1c621167599000000000e80000000020000200000001dcd3800cb20787c785c1ac156b4146473545d24ba89f5dc7d6e5bc1f023a83420000000436d85f2c67b67990c53abb7cf50c82606364ac8237ac058f37cad8a96a99cc74000000047933c6a46741b6707b63f32f3a9c6c529e7ce8a9d9b04ff2b9a4bac375b49e0ca99f55abd37d006f5330924dd7aca05924ea44660dd5cd8878b35633cd3c86f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb000000000200000000001066000000010000200000001c3b3688621e184e1d60a9691cb04b507761781cdc1652702e994f4025b12cc2000000000e8000000002000020000000dc471505801a80f8e309da3229e51c7760d89649cb77b5b1b6d29164af6289cf20000000ca841cbbd4ea99ab2501bb58c065ef08d603c3e0c8204fd8fc56ca10681a7144400000007980a83dc60e74848940387fd2eb870001bd7379c7c5a54fe4439defe8915b27a678294634bd8536be1dbb8778a8f4bfefd07c5beee9124261d30809bad5764d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2272	iexplore.exe
5076	iexplore.exe
2192	iexplore.exe
4136	iexplore.exe
3120	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2272	iexplore.exe
2272	iexplore.exe
1340	IEXPLORE.EXE
1340	IEXPLORE.EXE
5076	iexplore.exe
5076	iexplore.exe
764	IEXPLORE.EXE
764	IEXPLORE.EXE
2192	iexplore.exe
2192	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
4136	iexplore.exe
4136	iexplore.exe
912	IEXPLORE.EXE
912	IEXPLORE.EXE
3120	iexplore.exe
3120	iexplore.exe
4932	IEXPLORE.EXE
4932	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1340	2272	iexplore.exe	100
PID 2272 wrote to memory of 1340	2272	iexplore.exe	100
PID 2272 wrote to memory of 1340	2272	iexplore.exe	100
PID 5076 wrote to memory of 764	5076	iexplore.exe	102
PID 5076 wrote to memory of 764	5076	iexplore.exe	102
PID 5076 wrote to memory of 764	5076	iexplore.exe	102
PID 2192 wrote to memory of 1620	2192	iexplore.exe	104
PID 2192 wrote to memory of 1620	2192	iexplore.exe	104
PID 2192 wrote to memory of 1620	2192	iexplore.exe	104
PID 4136 wrote to memory of 912	4136	iexplore.exe	106
PID 4136 wrote to memory of 912	4136	iexplore.exe	106
PID 4136 wrote to memory of 912	4136	iexplore.exe	106
PID 3120 wrote to memory of 4932	3120	iexplore.exe	108
PID 3120 wrote to memory of 4932	3120	iexplore.exe	108
PID 3120 wrote to memory of 4932	3120	iexplore.exe	108

C:\Users\Admin\AppData\Local\Temp\e0c7c3153dd109789ad5514078887443_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e0c7c3153dd109789ad5514078887443_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:64

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5076 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2192 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1620

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4136 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3120 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\robot[1].png

Filesize
6KB

MD5
4c9acf280b47cef7def3fc91a34c7ffe

SHA1
c32bb847daf52117ab93b723d7c57d8b1e75d36b

SHA256
5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

SHA512
369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZK5NPJWQ\googlelogo_color_150x54dp[1].png

Filesize
3KB

MD5
9d73b3aa30bce9d8f166de5178ae4338

SHA1
d0cbc46850d8ed54625a3b2b01a2c31f37977e75

SHA256
dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

SHA512
8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF84717698256DDEBF.TMP

Filesize
16KB

MD5
4c4e70be411f5423c837111d73883457

SHA1
fea1ec4b7d8a74311976c835e7c5cd6811751707

SHA256
82f6bc98ee1356a182ffe2a59febb8db51fd81d647122c91769ffc1176e1ccb3

SHA512
6a9d3e632bbe59c2d80bf805bc0831742492af03f1d47acd5517222d9beb4043ce0d3a93ea5a187025a4678d8ffb41b5f323e3a6c71601b75675f674febbc191

Download Submit
memory/64-2-0x0000000000D35000-0x0000000000D3A000-memory.dmp

Filesize
20KB

Download
memory/64-3-0x0000000000D10000-0x0000000000DCF000-memory.dmp

Filesize
764KB

Download
memory/64-1-0x0000000000D10000-0x0000000000DCF000-memory.dmp

Filesize
764KB

Download
memory/64-0-0x0000000000D10000-0x0000000000DCF000-memory.dmp

Filesize
764KB

Download
memory/64-4-0x0000000001080000-0x000000000108F000-memory.dmp

Filesize
60KB

Download
memory/64-11-0x0000000000D10000-0x0000000000DCF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads