gozi | 5ecc261daaeff24273d1ab2914b1eb2d4386c5d5ad40d7a934fec816237ec641

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2025, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe
Size

613KB
MD5

763e253ea36530b8209a104a39b6e685
SHA1

2473f962fbf9732980e69c46bb28e60037aa28a8
SHA256

5ecc261daaeff24273d1ab2914b1eb2d4386c5d5ad40d7a934fec816237ec641
SHA512

12e6d73ec045aa6552365c94b78f4105fe295b0bf1b4d9adf79946cf21a758ac2a59ff8ad3e44a5b71e26c4a4caa845a77435d3dfa515c266fd0ed9c6b7c0a13
SSDEEP

12288:9Q+6Ii6F0WIxH9OijnA2cEMAPCeTA3CO6OpIR99g9ssdHPCHqKRgJBUM9Q3M2:u+6t6FeH8ijnA2cEfCLCnOpgNRgJBn9G

Score

10^/10

gozi 3494 banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Attributes

build
214098

Extracted

Family

gozi

Botnet

3494

google.com

gmail.com

z72aoe50.com

tarneps.top

wxts86squom.com

Attributes

build
214098
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de3056e8859aed459ffffc86a4b5a6f600000000020000000000106600000001000020000000545acaa68f93ae5be05f81fa8423a653446cf1dd4bd44e3b30667aa1feb4cb80000000000e8000000002000020000000c6b3f24973e583a2cd9d4dd810336baa9f8ba8a85d1ad79dcf557e4824bb80d020000000ab53d5e53117dc2e1ca99f456b4af7689fe0ec8a352a179727c3aa0876f146fe40000000a7ee044d26bb7db859add0c3bd06c80df3b8400a51945f9d2739ea7974c1487f9610cc1ac29c2586094c6418bbfc7219175fdfa2d018378366d02724691bbdba	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04177d92485db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2867065765"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de3056e8859aed459ffffc86a4b5a6f6000000000200000000001066000000010000200000008fc624b3f6331c29686a8801a2627b2d587915eeb0e62f7cfb1836cce8f739bc000000000e80000000020000200000004471bdcf400ea02ca6d72a7633a917866a6f3241c47ffbbde4e44a112af17d18200000006146039d07e5d0dc068cee963599ead2f97432918b5f0cb6ff0445a3fe8ce48840000000d7fb30b4e05fb969d802a80b86548444a4a97a10c05b88063bdf14315c3652df8dec8ca1a171f8248ebd978ac4973579930564a8512f7f789f445cdc70dca1d9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de3056e8859aed459ffffc86a4b5a6f600000000020000000000106600000001000020000000d5b22d1eb7965f09cfc183ae6057d2a0d908f1a102b4685e01c98e0bdd9595e4000000000e8000000002000020000000e52a45fdf161bb540cee626d58f62c21fee78e8aaaf4c756a70bcdf0e85dd1e7200000008169fffeea4718776d012b5282cad178ae6ca2b6fec350e4f4a51d8d19ca61e64000000021c43a6300879a083b596e87bb2907a0d2006add50bc500bb054079a9b2eb9f45681fc94a0e9b319d8301aec282d683c4cccec501f831842740fe35d7faab8e8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c95fab2485db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EF8F04B4-F117-11EF-8CD4-6A30FD81D1A6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602b74bf2485db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de3056e8859aed459ffffc86a4b5a6f600000000020000000000106600000001000020000000af9d2f0a27604cc817492f7f2b9184fb97b447de3f1e22bb5c8f3e8c3317d156000000000e8000000002000020000000bcafb4b6158e20bc1e5722299a96b45481d6cb615eb03319d023e573526e950c200000002d7e12714c55064713e72ce48fdb8a023e801bd365494730a46a8a251620f6634000000094dce7bdeaf6a961655734288f2c5dad12e84da21f6f721f652665050322139a92283c57cb9be52063b5556916c523c6058618fe4a6c51902621d33a70eb099d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08d84b22485db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31163684"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de3056e8859aed459ffffc86a4b5a6f600000000020000000000106600000001000020000000e73f581b72e3f1f4f5e12d7b7e1a35344c0e00784a524140b70d71a7f725afde000000000e8000000002000020000000a6fee040019216fa9410d6c71329504a9121d4ad3c02420f3d9ab20e667545cc20000000b05c7d2bde0e4f19fc29cc8c056204a8042689b51481199e0e514890e67c2105400000003939b9de101ea4ed1c0861aa2a5d23af0e0ae4c4c282890ad0863c03084767d3422e510dfc5fe2f1142eeceddba5ef4374066c1a82a13eb67b0ed9c601f08457	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0975706C-F118-11EF-8CD4-6A30FD81D1A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de3056e8859aed459ffffc86a4b5a6f60000000002000000000010660000000100002000000051270863e1ff85001868ff7c9434e8e7428e7e363770aeb3ad94959484de397e000000000e80000000020000200000005197156cfc7aca61d5a12055aa39d3d509ca526a6e52cffbcc45d612350d0de3200000007369c6786fbd62265145325b2049963deb81293108658c69d66a4407db356488400000005436fd996091152f32e1acc4ac492238b1239866cf0627a24e145fb106bdf730198718366a70fcd9004101ebd23dce23af6398f7ffd6cf04cab5eb17dbd75f78	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2216	iexplore.exe
1228	iexplore.exe
2384	iexplore.exe
960	iexplore.exe
2612	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2216	iexplore.exe
2216	iexplore.exe
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
1228	iexplore.exe
1228	iexplore.exe
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
2384	iexplore.exe
2384	iexplore.exe
4408	IEXPLORE.EXE
4408	IEXPLORE.EXE
960	iexplore.exe
960	iexplore.exe
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
2612	iexplore.exe
2612	iexplore.exe
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2688	2216	iexplore.exe	90
PID 2216 wrote to memory of 2688	2216	iexplore.exe	90
PID 2216 wrote to memory of 2688	2216	iexplore.exe	90
PID 1228 wrote to memory of 1952	1228	iexplore.exe	93
PID 1228 wrote to memory of 1952	1228	iexplore.exe	93
PID 1228 wrote to memory of 1952	1228	iexplore.exe	93
PID 2384 wrote to memory of 4408	2384	iexplore.exe	95
PID 2384 wrote to memory of 4408	2384	iexplore.exe	95
PID 2384 wrote to memory of 4408	2384	iexplore.exe	95
PID 960 wrote to memory of 1488	960	iexplore.exe	97
PID 960 wrote to memory of 1488	960	iexplore.exe	97
PID 960 wrote to memory of 1488	960	iexplore.exe	97
PID 2612 wrote to memory of 2212	2612	iexplore.exe	99
PID 2612 wrote to memory of 2212	2612	iexplore.exe	99
PID 2612 wrote to memory of 2212	2612	iexplore.exe	99

C:\Users\Admin\AppData\Local\Temp\2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-22_763e253ea36530b8209a104a39b6e685_icedid.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4992

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2216 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1228 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4408

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8GU4RKZM\googlelogo_color_150x54dp[1].png

Filesize
3KB

MD5
9d73b3aa30bce9d8f166de5178ae4338

SHA1
d0cbc46850d8ed54625a3b2b01a2c31f37977e75

SHA256
dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

SHA512
8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VHQUNTV1\robot[1].png

Filesize
6KB

MD5
4c9acf280b47cef7def3fc91a34c7ffe

SHA1
c32bb847daf52117ab93b723d7c57d8b1e75d36b

SHA256
5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

SHA512
369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF6D1221FC96BF15DC.TMP

Filesize
16KB

MD5
1b964c7daa526abc2af78b3e5734194d

SHA1
f393797d34fe5571e55f75b4cabce1a2496f8ecd

SHA256
d4812d6a49c76454d463364dcaafddc7267b686b1442838c06e65e9754a0855b

SHA512
8cc1017e071dfe748517078cc23314ee5a81bf305030a9f682a408cc477496616f03eab5ed3f70848f32ef2a6f95bd75314926502997c0281fed3264300e007a

Download Submit
memory/4992-0-0x000000000049E000-0x00000000004A1000-memory.dmp

Filesize
12KB

Download
memory/4992-1-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/4992-2-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/4992-3-0x00000000023E0000-0x00000000023EF000-memory.dmp

Filesize
60KB

Download
memory/4992-10-0x000000000049E000-0x00000000004A1000-memory.dmp

Filesize
12KB

Download
memory/4992-11-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads