gozi | 56ae4c3167ae5f55035d9706026e412f643b59d09b9dbce8b0ad8c8855491c62

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

canon_dsc_sdrc231.zip.exe
Size

221KB
MD5

3820ca814fdb124f9b5cb465950f725a
SHA1

5effd15953eeb165d3300679c0451a6f39a862d4
SHA256

3e1ea4ffc3199dcbd8e3ab3f4d4382c364717c6551ea5385e654a735aabb69ad
SHA512

c9e289d05b967dd346de2fb20d1f976b5cb0384cf8b1c44bab405cfd03ddcc8c4922a68189ad0067b983e193c146c4ff2609b460cdec51af905d6cdf3e96fcca
SSDEEP

3072:fEN9PALC3+C2hdYp1Zd6Mq/5Ow7YdY9D3gMTjETxpbYspOHpkP:fJLupDZ0M/1W3ggjETTyHpk

Score

10^/10

gozi 8005 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

8005

ssddl2.microsoft.com

siberiarrmaskkapsulrttezya.ru

sibedriamasterkkmoderatordstezya.ru

massidfberiatersksilkavayssstezya.ru

dolsggiberiaoserkmikluhasya.chimkent.su

dolsibegriaosersk4ermanderezya.chimkent.su

rdosdripakloserikabyatezya.chimkent.su

rusddripakoloserufinurtdrfezya.chimkent.su

ripakteenrufinishryeuliliezya.ru

rufiteemnisripakhglassdzya.ru

rufinisrufripakhmileronurzya.ru

rurugyrfripakinishtokokusstezya.ru

rufislomnishsripakerdfnstezya.adygeya.su

Attributes

build
250161
dns_servers
107.174.86.134

107.175.127.22
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	canon_dsc_sdrc231.zip.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 205599220754db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e510000000002000000000010660000000100002000000039f2adca60edfde87d6e486b2fe6fad83f49bf81c89b2b3e82f15965a964b4ae000000000e8000000002000020000000336cc1a2895d7cdfac18f1b72c084433ff44a956bf5404897c1a3c78c2226e5720000000634232a1f3b92628a2a23b7b3580ba306e78b3f8c8f8929071b5f88ef04ca299400000003ab51f880db2dc3ae8009a442612b016fccda97c7f0b5f388f1734008723ce4fb6516a88ee743e40811057fb371003aa8ab7a37c8e982b0b1327063b6aa90aec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e5100000000020000000000106600000001000020000000796f34e5d2f3b426a22f859ecd1c531479520cb96956507e10b3a79a39a29c58000000000e800000000200002000000007821d7253482212e7e377d779f705ff65846a3be203482d458868f30c0f4d3e200000002cfeb27202b070e4fdb6736b899b9f6ddc0b857abe6b832bb2a580b7d7ddc3514000000036ba5e2559b209533f2d743953f12f5578b86ea9c5c1c171a73f1337fdb32d7a336452ef2bdd480aecdb86ba86386bc7e874dbe7fe4bfc961a37647f220bc43b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e5100000000020000000000106600000001000020000000af7054220309ac5f22eabf63d8fe14bf51916c1b1a8e012cd8fe2bcdea0c7b9c000000000e8000000002000020000000a9fd72c2e2209d6ed36801242604eff2f1289e70bd6740f33716b305f8c6ce222000000089dd5ee5dd1b62618c53a02a3dd7fe3e9fb3e32476d2ff1c3bd1ea1ec20415d4400000001edf55dd2e0a9747ca202ed60ce8b1c75cbb02b97ecada51fb1f620be30400c3281e05b274af8cde1ec13e10045c5443285e5a5d56ea806a9547821ee6a9d2f7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5FB47638-BFFA-11EF-A7EA-CE95CE932DF6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31151111"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "454069417"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e510000000002000000000010660000000100002000000052cdc6e1a57a950578c015dea955bd20f3456c0e8b4d1c4ace6e1945c36941b6000000000e8000000002000020000000bdc1e62c684660d42aa3e97956848b455b10e435a69dfb26f05ea4ffcd0274b620000000084a7a78fc9c291a0f94fb678509b68162f61fe9cdff30ff7c7963b0833ecd284000000070f35911a67655eac80c61c26f19c727a19d28b51fd2bdac4466455429945e7f1a1b8d695086a8fdbcf72eb779b7454f438c70ec5b2dad51a49f8f3c3ef3eac7	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e5100000000020000000000106600000001000020000000175df0b8d347e43cea522ba6f60c52a1a3a5f4f80390f33ff7fba8d0604926a8000000000e8000000002000020000000c1e1e345a0656c85c3933555fe5e1ae9c87ec1a1feb857b587b0bb119d3c5c5b20000000f34c2b921f465c57d4cfa6a5580d723724509b1daa55e5788367efc178537c9140000000547b9568e50b0a9544107b11ca1fb93d7046ead7f231641590bfdb6bb3bbf09e2504c6739f15d05de2788c60fae1452d59df904540a7dac628be486befaa5d99	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d089273c0754db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80abb21b0754db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{795CE5D4-BFFA-11EF-A7EA-CE95CE932DF6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "454069417"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b0b91b0754db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d84a2f0754db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
980	iexplore.exe
1580	iexplore.exe
2036	iexplore.exe
4436	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
980	iexplore.exe
980	iexplore.exe
3736	IEXPLORE.EXE
3736	IEXPLORE.EXE
1580	iexplore.exe
1580	iexplore.exe
516	IEXPLORE.EXE
516	IEXPLORE.EXE
2036	iexplore.exe
2036	iexplore.exe
3628	IEXPLORE.EXE
3628	IEXPLORE.EXE
4436	iexplore.exe
4436	iexplore.exe
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 3736	980	iexplore.exe	88
PID 980 wrote to memory of 3736	980	iexplore.exe	88
PID 980 wrote to memory of 3736	980	iexplore.exe	88
PID 1580 wrote to memory of 516	1580	iexplore.exe	107
PID 1580 wrote to memory of 516	1580	iexplore.exe	107
PID 1580 wrote to memory of 516	1580	iexplore.exe	107
PID 2036 wrote to memory of 3628	2036	iexplore.exe	110
PID 2036 wrote to memory of 3628	2036	iexplore.exe	110
PID 2036 wrote to memory of 3628	2036	iexplore.exe	110
PID 4436 wrote to memory of 1068	4436	iexplore.exe	114
PID 4436 wrote to memory of 1068	4436	iexplore.exe	114
PID 4436 wrote to memory of 1068	4436	iexplore.exe	114

C:\Users\Admin\AppData\Local\Temp\canon_dsc_sdrc231.zip.exe
"C:\Users\Admin\AppData\Local\Temp\canon_dsc_sdrc231.zip.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2140

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2484

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4436 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DF0A5165B1B225BEB1.TMP

Filesize
16KB

MD5
4b999ea78c16e0635cf4631e066271dd

SHA1
8442b8d93fa9c514aaf6335a702bac27ca0b43f6

SHA256
a897c83a06b67ca9f397d3a1e1a947d9e63eba47fb332b8e662a5ba1103836b6

SHA512
4496ff44ba5deaa075f777abafcf46110febbc67b4146f496482d3cdbfe42ca6a56fc30927e4f2d4739d551f1b12285c8497ec73f86f02843e76622a0f6d5adf

Download Submit
memory/2140-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2140-2-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2140-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2140-4-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2140-14-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2140-16-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2140-15-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2140-17-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads