gozi | 44fbfc91f971975f6351843b984d157279f503681d6cb9e652d421f4eefc2236

Resubmissions

25/03/2025, 21:22

250325-z7241awn18 10

25/03/2025, 21:19

250325-z553wasxfy 10

25/03/2025, 21:15

250325-z39chswnx3 10

Analysis

max time kernel
143s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
Size

1.3MB
MD5

34686f47e7d2f9206fd5dab3814ed870
SHA1

447fbec5fb2ffe97d839ce8ed56a75383dca02c1
SHA256

60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30
SHA512

092c9f37b44781031cd731a7c8fd358a3de4ac8be1192176bbb558e87a313c664918cc895e6c1971138342fb4bf24423afb6398ef6431d05c24f28a7c8788076
SSDEEP

6144:Zi9kVg2B54Ah7JHNhbvxPKf1wGYew0CATXH4R+LcKzwi1w3R1V8KyIvSzxRUXkjN:ZA

Score

10^/10

gozi 3300 banker discovery execution isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3300

addlock.mitial.at/api1

Attributes

build
250141
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
loader
server_id
730

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
4956	regsvr32.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f800f43246331f4499a70972ff180a7000000000020000000000106600000001000020000000aa45811284467628ba17c3e416147af8b1d826c48ec3420d676d54bf266c6587000000000e80000000020000200000004eb9e5d73091ae42cc81d0cca2d6f5a2f2576c87d0ebff56cb69d5f39c8e54fc20000000a2684a630d04a5693308e82c227558d86125a63fb388d858a9f43ac82bc969bc4000000060568afe3249ee1ac7194bc2758ac637c49f986c8a8686c65934bc3702321394210565dffa5267c351af5e94c7c9c6cc17f8d20ed2d6210fe2d5e503cb1386d6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f800f43246331f4499a70972ff180a7000000000020000000000106600000001000020000000db19f570128f469169555e90aed548505e208dd136f04d2150f08176d64ac7b6000000000e80000000020000200000007f85277f5197a45cdceafaa308bacf61a4554f35f5c870c2605206ab941fcdab2000000073597f7f6ca64ea5f9ee9c0534ed7d6d7bc5ae66884ff515cb5114f6deff98ba4000000051f64c13176c64afd567e9138c0d79fe8b121751f5bfa9a680932912cc15dd438f61572dbff7e58e24dfde36e83d44cb8417d66b78629cdaa367642e1700b1c1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80dd1d2ecc9ddb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C82148C-09BF-11F0-A824-42A920109295} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f800f43246331f4499a70972ff180a70000000000200000000001066000000010000200000001b95d380a831aca3c31eabcbc6ec177129ab16a51e1759b69e49cda894082344000000000e80000000020000200000001ef9daee66d88d5ff862ec5e3949a48f84f1952519ad9e1b021492a4656fccd020000000b03923591961841ec779fd76f20950dd026176d7f38f72283414134364df3448400000001bd5e6d3a6e239d945070d84fe705649bb104a98868597507b24e37f410c9869a2dfb4dde3f4bf43ead1ffd7a64bd526352db49a2e78a5660a6bba9657fef04b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f800f43246331f4499a70972ff180a70000000000200000000001066000000010000200000007b8e7404267b5c14cadaae7c272493c5a107b47a27c5b3df4587462b0b601560000000000e8000000002000020000000841e7cd36243d143f9b686f711e8cb761a188a75615f4e446c5e51dce410da3520000000f2a07aa66b0e9858287ec745616ec29ccde395e371e56906337a8bec19cf791d400000000515d3b7687e92164e383d76b9937c4e0af92ca6cc19d95beaf39cedc4b569e15991f6c878552214997cd850bc9f4029dd7993be67cd7d39469805b3f4243825	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{721FB027-09BF-11F0-A824-42A920109295} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f6112ecc9ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d25035cc9ddb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7F48899A-09BF-11F0-A824-42A920109295} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f800f43246331f4499a70972ff180a7000000000020000000000106600000001000020000000281c451904688951f793e681a5ca98a77e5fa4f59dde0ea88761474ecb5dd2b6000000000e80000000020000200000000f8b3eb271978c486212ccc0de0fff9560eba7a72d94000b6593f44260b065d020000000c7ee45fdae0d1127918c3b2459cc675c17286e1163310a6e6a74ffbddeaa778d400000002802b6f2480436f1c9ffb73c80d45b84ac3d43ad1c6ad91a15e0aa40057320689f421d5e3f338becf2d40eff24bed086553a0a673b1418920fb568e6718f281c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{58DB6342-09BF-11F0-A824-42A920109295} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2288	iexplore.exe
392	iexplore.exe
2664	iexplore.exe
1432	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2288	iexplore.exe
2288	iexplore.exe
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
392	iexplore.exe
392	iexplore.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
2664	iexplore.exe
2664	iexplore.exe
4752	IEXPLORE.EXE
4752	IEXPLORE.EXE
1432	iexplore.exe
1432	iexplore.exe
920	IEXPLORE.EXE
920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2988	2664	wscript.exe	91
PID 2664 wrote to memory of 2988	2664	wscript.exe	91
PID 2988 wrote to memory of 4956	2988	regsvr32.exe	92
PID 2988 wrote to memory of 4956	2988	regsvr32.exe	92
PID 2988 wrote to memory of 4956	2988	regsvr32.exe	92
PID 2288 wrote to memory of 1204	2288	iexplore.exe	104
PID 2288 wrote to memory of 1204	2288	iexplore.exe	104
PID 2288 wrote to memory of 1204	2288	iexplore.exe	104
PID 392 wrote to memory of 1520	392	iexplore.exe	114
PID 392 wrote to memory of 1520	392	iexplore.exe	114
PID 392 wrote to memory of 1520	392	iexplore.exe	114
PID 2664 wrote to memory of 4752	2664	iexplore.exe	117
PID 2664 wrote to memory of 4752	2664	iexplore.exe	117
PID 2664 wrote to memory of 4752	2664	iexplore.exe	117
PID 1432 wrote to memory of 920	1432	iexplore.exe	119
PID 1432 wrote to memory of 920	1432	iexplore.exe	119
PID 1432 wrote to memory of 920	1432	iexplore.exe	119

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\60eafa94ceb03b819234435aebd7784597eb212f6a796a4a1052b19beb854a30.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\regsvr32.exe
    -s C:\Users\Admin\AppData\Local\Temp\\AiJkqydZbl.txt
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4956

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2288 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1520

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AiJkqydZbl.txt

Filesize
204KB

MD5
952bc67de7e7e40d3938ae5d9118bde9

SHA1
c9479c7cbe08c9b9c8d022f0a9dc0d64277936e8

SHA256
52b9735c9182c90dcf54bb2d1ae287bd702417070fa3dd403232b0a5c26b857f

SHA512
667a6894b3e772822a926e6543819f351639436e6a8d98f7bc6238f77c2d3d62227ab11b3beb007326437317c52e690a62f539ce196258f6c07192acbb1565ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFB76DDCB6D89A70B6.TMP

Filesize
16KB

MD5
7a326b47cabc944b746b8b8e2a34d764

SHA1
993e3e24f8306161bc851a2b8974898945c49ad6

SHA256
086d6b63c9e07ff750dde7a09031a12225c123eea64462d6f1002ea674186c47

SHA512
7f08d5c6e66b263208b376c9f012c0daa94b5c37f838d34db3e4a810bb41a29999b02a29e0be22a685f0a8fdfcc593a0902b99638cc2b70380790f26f60d997d

Download Submit
memory/4956-3-0x0000000000418000-0x000000000041B000-memory.dmp

Filesize
12KB

Download
memory/4956-4-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4956-5-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4956-6-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/4956-10-0x0000000000418000-0x000000000041B000-memory.dmp

Filesize
12KB

Download
memory/4956-11-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads