gozi | 44fbfc91f971975f6351843b984d157279f503681d6cb9e652d421f4eefc2236

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
Size

1.3MB
MD5

34686f47e7d2f9206fd5dab3814ed870
SHA1

447fbec5fb2ffe97d839ce8ed56a75383dca02c1
SHA256

60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30
SHA512

092c9f37b44781031cd731a7c8fd358a3de4ac8be1192176bbb558e87a313c664918cc895e6c1971138342fb4bf24423afb6398ef6431d05c24f28a7c8788076
SSDEEP

6144:Zi9kVg2B54Ah7JHNhbvxPKf1wGYew0CATXH4R+LcKzwi1w3R1V8KyIvSzxRUXkjN:ZA

Score

10^/10

gozi 3300 banker discovery execution isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3300

addlock.mitial.at/api1

Attributes

build
250141
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
5840	regsvr32.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d98021b2aa89a94e834964080000661d00000000020000000000106600000001000020000000b0bc1ea0ef26a1240c36bb50d8710e7ae529532525f8a48a64b5219e2e26340f000000000e8000000002000020000000dbb7fe7cf45545a05fbe089b41ce61099e57ec2d4cc9b93f76b12f3af2a9156820000000c5269c82f67e8048cd46ba70a4ebe4f4d148633ae5cec7feadc984f97267a7b94000000009177edff31a13c82d63a07d199338d853c183d0dddd677c57f192b47c144efb39d35cb4b8e9dd5148bbf50211eeaeb15d37b0710e5c0f584709fa219c876eec	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d98021b2aa89a94e834964080000661d0000000002000000000010660000000100002000000024c26f56b7cc7592cca9df310e4180c5292c9520683ab20b1ca844baf83fb531000000000e800000000200002000000037dbbc7165c047987219d063ebc39c6a86d4fed265b360595a06308d60e4b7dc20000000e8e8f5bbe122e5fb39f4cd7337b6abaaa7eed621a3e2b61d8693fc832864acb040000000a31ec523ea3a19ffd688fbada42ced4664ba4bf772e66a75f8b5ae42d8b0648c001affdd552a8870ea82bae752ca0b8ba9a957031817909dd276d030bf5af9b1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d98021b2aa89a94e834964080000661d00000000020000000000106600000001000020000000961d5958c06cc631cb232679cf2edd5bc8cc8710b3c9460b4074480ba6ff9954000000000e8000000002000020000000ab92a8a1d5f141a92116956ab97ef139be67857952d3e3c2826929f0df2f5f3b20000000dba800f8736502df0a34ff743e878aaebd7368166918428d8d5f5f28d093113e40000000cc16e5898cab05272751afdf89ec775509504bd74debbbcb72651c8c1fc679c816a81e6ed2316b5c9ac9b99ead122b6d583d753eb07b9fa59162c75ee409cdc7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d98021b2aa89a94e834964080000661d00000000020000000000106600000001000020000000534d47f606c7122f471de183e194ad3f4c6d8c4a60463450c64cea413758e053000000000e800000000200002000000091dd67b4c296b661ace649cd5e0737081c00171e9df958f21dd9f1d92be7d8fa2000000024de5aef9da8a37eff05fe4cbb42d7728f372749c7beaec7a27f94c7c67b93d540000000463c519c837f980c99a46996e3ee031f9dd49cf07f281516e02e1ebe922da93043455543c8f8505a63697dd85b290c4ca3457c3bdcfc4527e0a05f5193c1fea0	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7F6ECE4F-09C1-11F0-BB61-66C39D25294B} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04d5142ce9ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0507d2ece9ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b56835ce9ddb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f1214fce9ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a00b822ece9ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d98021b2aa89a94e834964080000661d000000000200000000001066000000010000200000003d014da512feb31cb9b3bb7fd70c01e292bffba450fc040280ac277089cdbdd4000000000e8000000002000020000000296255c5d14730ed8c174ae07b7bd47a27e4137e0d07ede872f4ac5430ece08520000000854ef82442215c77adfa36dec3d780ea8b0729e3422d14afee0568b19c1ae4d7400000003a39c13fa2637a0a90553b0287f404122a5f949f43e1001318aee6c718d6fa415af9187d75a9077a9451958b28d68b1e78cc3f9cf2c9e16ba6ac0c8ccaaef7dc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C41DB2D-09C1-11F0-BB61-66C39D25294B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{597DA1BA-09C1-11F0-BB61-66C39D25294B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{727CCE5F-09C1-11F0-BB61-66C39D25294B} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1208	iexplore.exe
2396	iexplore.exe
1344	iexplore.exe
5508	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1208	iexplore.exe
1208	iexplore.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2396	iexplore.exe
2396	iexplore.exe
3756	IEXPLORE.EXE
3756	IEXPLORE.EXE
1344	iexplore.exe
1344	iexplore.exe
5444	IEXPLORE.EXE
5444	IEXPLORE.EXE
5508	iexplore.exe
5508	iexplore.exe
856	IEXPLORE.EXE
856	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4544	212	wscript.exe	90
PID 212 wrote to memory of 4544	212	wscript.exe	90
PID 4544 wrote to memory of 5840	4544	regsvr32.exe	91
PID 4544 wrote to memory of 5840	4544	regsvr32.exe	91
PID 4544 wrote to memory of 5840	4544	regsvr32.exe	91
PID 1208 wrote to memory of 2192	1208	iexplore.exe	103
PID 1208 wrote to memory of 2192	1208	iexplore.exe	103
PID 1208 wrote to memory of 2192	1208	iexplore.exe	103
PID 2396 wrote to memory of 3756	2396	iexplore.exe	112
PID 2396 wrote to memory of 3756	2396	iexplore.exe	112
PID 2396 wrote to memory of 3756	2396	iexplore.exe	112
PID 1344 wrote to memory of 5444	1344	iexplore.exe	115
PID 1344 wrote to memory of 5444	1344	iexplore.exe	115
PID 1344 wrote to memory of 5444	1344	iexplore.exe	115
PID 5508 wrote to memory of 856	5508	iexplore.exe	117
PID 5508 wrote to memory of 856	5508	iexplore.exe	117
PID 5508 wrote to memory of 856	5508	iexplore.exe	117

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\regsvr32.exe
    -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5840

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2192

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1344 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5444

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5508
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5508 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AiJkqydZbl.txt

Filesize
204KB

MD5
952bc67de7e7e40d3938ae5d9118bde9

SHA1
c9479c7cbe08c9b9c8d022f0a9dc0d64277936e8

SHA256
52b9735c9182c90dcf54bb2d1ae287bd702417070fa3dd403232b0a5c26b857f

SHA512
667a6894b3e772822a926e6543819f351639436e6a8d98f7bc6238f77c2d3d62227ab11b3beb007326437317c52e690a62f539ce196258f6c07192acbb1565ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF74B3E2E29396563F.TMP

Filesize
16KB

MD5
5efed328fb36ab679370fc95369d058c

SHA1
fa6ca2a3f3ee2c5a12375f2fb42be6cce891dc6c

SHA256
a789e5861442df6a4a2901ddc64d7349f31dba291eeeecc589d6c356166a5d21

SHA512
33f776b71a9a37fc1973f2cf7fec289bb6c00763f9d90fd615248e28849ff43da7b49f72d80d672a47319224987399de9006e1518ca3b2ee26f0ea2d8bfac599

Download Submit
memory/5840-3-0x0000000000418000-0x000000000041B000-memory.dmp

Filesize
12KB

Download
memory/5840-5-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/5840-4-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/5840-6-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/5840-10-0x0000000000418000-0x000000000041B000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads