gozi | 44fbfc91f971975f6351843b984d157279f503681d6cb9e652d421f4eefc2236

Resubmissions

25/03/2025, 21:22

250325-z7241awn18 10

25/03/2025, 21:19

250325-z553wasxfy 10

25/03/2025, 21:15

250325-z39chswnx3 10

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
Size

1.3MB
MD5

34686f47e7d2f9206fd5dab3814ed870
SHA1

447fbec5fb2ffe97d839ce8ed56a75383dca02c1
SHA256

60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30
SHA512

092c9f37b44781031cd731a7c8fd358a3de4ac8be1192176bbb558e87a313c664918cc895e6c1971138342fb4bf24423afb6398ef6431d05c24f28a7c8788076
SSDEEP

6144:Zi9kVg2B54Ah7JHNhbvxPKf1wGYew0CATXH4R+LcKzwi1w3R1V8KyIvSzxRUXkjN:ZA

Score

10^/10

gozi 3300 banker discovery execution isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3300

addlock.mitial.at/api1

Attributes

build
250141
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
4008	regsvr32.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7D148C78-09BE-11F0-A1E4-E65CC27B11DD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e80e6fa45ebf4a40a3dae258a9756632000000000200000000001066000000010000200000008cc8eac200e2d9e273a7106e8396eb13983cc59ca92577a155d36f0dcb08117a000000000e8000000002000020000000ee2f0f308f382b83208f888c9491fde623d0b17775880c37879c5ab9835b50392000000026a624673786eedc515e16ee473c516ce99e9a71a0545eb76d0c9777690ff303400000006c0acd097743b94621ffd979b780e28a553e668aea45cd60ef36f73e58b9da25a8e32e567c36790e2abea65217e2dd8d4b31871e94e696b653fa8364d21b3343	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e80e6fa45ebf4a40a3dae258a9756632000000000200000000001066000000010000200000004a5da98b92f77c73439b576077287925da368aa17e6661b6964ae624842ecbdd000000000e8000000002000020000000575237d2d50402e7c33696b9aab079c54f7fdd5c0cd4d557c62fadaa5c2a458720000000c48380f06f26ea81d269bfa3fef8da4ef40be3764ddc8248a95897157a56888440000000699a649060b0229cc349ab2f45b2e14663ce72094332b759ca6b8964ca5b86513a9a98bee40cc70a5913acb6c1b5b7079041f551d1c7498dbf0ef2f1860ab7c1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c06c1739cb9ddb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e80e6fa45ebf4a40a3dae258a975663200000000020000000000106600000001000020000000fc3e9cbabad800893dc9e0240e4d066d9ffd9b63202acb46159dd7edfaf49b7a000000000e80000000020000200000006ea83009976e5277a30ce79026f210fe8d626c2c31e45af8d7ba3e4a546c4b30200000009e3e705907c4c6d9a358fc267317b457d832cdc29b98d1670ab22391e625093f40000000a6b72373d55a65c87a6d0df14b6dbcd860081591a22d1570df89cde6976647c3da91f48577bc9d1dd97928bd51d46730a0fff8b4256d18cd1115c6f7db05006b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0981e39cb9ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{64404EF6-09BE-11F0-A1E4-E65CC27B11DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C7BFE9E-09BE-11F0-A1E4-E65CC27B11DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e16242cb9ddb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e80e6fa45ebf4a40a3dae258a975663200000000020000000000106600000001000020000000a26a7110001fcf10b54af5eb249ade180fc999e9c83c53fbe25be6cd2ebb527c000000000e80000000020000200000000affd77a2d3e6b1d7a7a6045f690b9b5e9eb78b827e3fa7cec390192e81db804200000000cac613a23e28312037f091d43ecd71c58e074706a8f10f43702a4c30c1c2e9b40000000cd95c1b96295a1d5a53f5a5e74f6f668cd935bacd8d2ea8d85e3a74cd9d3d9428a68aa2f2881970501ce027ae8eaad6e34fa00e4810707b69aa1e8566fa23932	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e30250cb9ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9A043682-09BE-11F0-A1E4-E65CC27B11DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4049735dcb9ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e80e6fa45ebf4a40a3dae258a975663200000000020000000000106600000001000020000000df3070f83eadf60ba2fad864a60dd5bc06bfae7b9be3ae9acf726e38d52cebfd000000000e8000000002000020000000cd2ab8d65518ccf5cc3fa6d210ac07137d5f53c3490faa6e31535297744b30f120000000cd1d0e787e800c77b6d4d764e9bd6831b356e894ef68c583b3fe0a44de758b8b40000000d15dc06634816738dc3838d6e2363f541f6b2f2ca193d28f334699ec57f35bf45047cce7adf4a5a5f9de1257c0312f565d956c7440009cbb3de556b8949de8f5	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3812	iexplore.exe
4652	iexplore.exe
5212	iexplore.exe
2892	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3812	iexplore.exe
3812	iexplore.exe
3948	IEXPLORE.EXE
3948	IEXPLORE.EXE
4652	iexplore.exe
4652	iexplore.exe
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
5212	iexplore.exe
5212	iexplore.exe
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2892	iexplore.exe
2892	iexplore.exe
732	IEXPLORE.EXE
732	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5900 wrote to memory of 1736	5900	wscript.exe	90
PID 5900 wrote to memory of 1736	5900	wscript.exe	90
PID 1736 wrote to memory of 4008	1736	regsvr32.exe	91
PID 1736 wrote to memory of 4008	1736	regsvr32.exe	91
PID 1736 wrote to memory of 4008	1736	regsvr32.exe	91
PID 3812 wrote to memory of 3948	3812	iexplore.exe	106
PID 3812 wrote to memory of 3948	3812	iexplore.exe	106
PID 3812 wrote to memory of 3948	3812	iexplore.exe	106
PID 4652 wrote to memory of 1820	4652	iexplore.exe	114
PID 4652 wrote to memory of 1820	4652	iexplore.exe	114
PID 4652 wrote to memory of 1820	4652	iexplore.exe	114
PID 5212 wrote to memory of 2972	5212	iexplore.exe	116
PID 5212 wrote to memory of 2972	5212	iexplore.exe	116
PID 5212 wrote to memory of 2972	5212	iexplore.exe	116
PID 2892 wrote to memory of 732	2892	iexplore.exe	118
PID 2892 wrote to memory of 732	2892	iexplore.exe	118
PID 2892 wrote to memory of 732	2892	iexplore.exe	118

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5900
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\regsvr32.exe
    -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4008

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3812 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4652 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5212
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5212 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AiJkqydZbl.txt

Filesize
204KB

MD5
952bc67de7e7e40d3938ae5d9118bde9

SHA1
c9479c7cbe08c9b9c8d022f0a9dc0d64277936e8

SHA256
52b9735c9182c90dcf54bb2d1ae287bd702417070fa3dd403232b0a5c26b857f

SHA512
667a6894b3e772822a926e6543819f351639436e6a8d98f7bc6238f77c2d3d62227ab11b3beb007326437317c52e690a62f539ce196258f6c07192acbb1565ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF0781D37832AAA04B.TMP

Filesize
16KB

MD5
0e95301d14fe6bc05ecc466cca7e7d31

SHA1
08053247dc48caa5411b678cb3e78e9644838719

SHA256
e275f1f660789586ffbc91431defc2819c8354502d7d9e7b0c22364319ab944b

SHA512
aa75bcd9d2b38c49aa9fd633cbf4502fa568101e8a508ef4beb3768f5c8f7e23677cede99d64aef46b8ce77f363a271cf4aebc1715f027126de9b194f6e00d49

Download Submit
memory/4008-3-0x0000000000418000-0x000000000041B000-memory.dmp

Filesize
12KB

Download
memory/4008-5-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4008-4-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4008-6-0x00000000014C0000-0x00000000014D0000-memory.dmp

Filesize
64KB

Download
memory/4008-10-0x0000000000418000-0x000000000041B000-memory.dmp

Filesize
12KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads