d27a5719ec67c146a1b338302074de39f5ad49b17f81cb014cc2c57c4f464d85

General

Target

VanGoth.exe
Size

36KB
MD5

afff555062c4e6fb3a34e7c2be519fcd
SHA1

73ed552ba04e57e8cd991f9f82a182aa298c4baa
SHA256

d27a5719ec67c146a1b338302074de39f5ad49b17f81cb014cc2c57c4f464d85
SHA512

31b3b0cf4e877f848fae85c7afd08fe165ae5bcb114d41781d28403e276f524d383e34f7d3e39b96beb8e39f023ae1d150115bf751a3196e3c773eb688a6277f

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

VanGoth.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\gmreadme.txt VanGoth.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	VanGoth.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

VanGoth.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ResumeMeasure.png => C:\Users\Admin\Pictures\ResumeMeasure.png.VanGoth	VanGoth.exe
File renamed	C:\Users\Admin\Pictures\UninstallResize.png => C:\Users\Admin\Pictures\UninstallResize.png.VanGoth	VanGoth.exe
File renamed	C:\Users\Admin\Pictures\EditUnregister.png => C:\Users\Admin\Pictures\EditUnregister.png.VanGoth	VanGoth.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

Processes:

VanGoth.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wsmanconfig_schema.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfxcl2.inf_amd64_f26eeb7da72ee32b\fxhb2-PipelineConfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_445baef28ad35ddf\Amd64\MSPWGR.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\dlclf0-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\dlclfhb1-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prntscl2.inf_amd64_710ef19434c930a9\tsunicl2.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\xrP6OFm0-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\wbem\xsl-mappings.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_468bda717012acbd\Amd64\MSxpsXPS-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prncacl1.inf_amd64_5cab2573ec016b93\CNN08CL1_PipelineConfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnekcl2.inf_amd64_0a4ef5f40c1abe07\ekusbbidi.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfxcl2.inf_amd64_f26eeb7da72ee32b\fxpclcolor-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\icsxml\osinfo.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_faa2804656671550\MPDW-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsacl1.inf_amd64_8adcb7af71f53089\saBPS-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsacl1.inf_amd64_8adcb7af71f53089\saCP6-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiaek002.inf_amd64_f5e1942118a448c2\DeviceModelInfo\EKWInScnCapXml.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlclv.inf_amd64_e2158c7cf3110141\DL-XPS-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkycl1.inf_amd64_d830c6577c8a2c44\kyw8-xps-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlxclv.inf_amd64_e0d61070674d9678\LX-XPS-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms001.inf_amd64_6df3b80c4f6b8f8d\MXDW-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms010.inf_amd64_708bc7360cbceaea\Amd64\MSECP.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnokcl2.inf_amd64_1e45a4f567fdae98\OKV4ClassSMP_0000.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl4.inf_amd64_9412589272562044\amd64\HP-PCL3GUI-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkmcl4.inf_amd64_01e54ba5b8932b04\kocl4-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrccl1.inf_amd64_dfe2d643f3e20cd0\rctcpbidi.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsacl1.inf_amd64_8adcb7af71f53089\saactcpip.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsacl1.inf_amd64_8adcb7af71f53089\saCXP-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prntscl2.inf_amd64_710ef19434c930a9\tsunicl2PipelineConfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\deacwsd.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\dlclf3-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnecl2.inf_amd64_fdd93c90b4633940\nexpscolor-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnokcl2.inf_amd64_1e45a4f567fdae98\OKV4PCL6-PipelineConfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\xrBAPSc0-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls	VanGoth.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\Tokens_SR_en-US-N.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnekcl2.inf_amd64_0a4ef5f40c1abe07\EK-PDL-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnrccl1.inf_amd64_dfe2d643f3e20cd0\rcwsdbidi.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prncacl1.inf_amd64_5cab2573ec016b93\CNN08CL1_bidiwsd.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\deacusb.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\deCP6-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfxcl2.inf_amd64_f26eeb7da72ee32b\fxpclbw-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl1.inf_amd64_c6040b9adc0369af\amd64\hpbxusbbidiextnwb.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\deSP-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl1.inf_amd64_c6040b9adc0369af\amd64\hpbxiodrveventwb.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\xrOFPSc0-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\AppxProvisioning.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\NdfEventView.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\xpsrchvw.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlxclw.inf_amd64_7cbd66040de48539\LX-PCL-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\xrP6BAm0-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\dlclf4-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnfxcl2.inf_amd64_f26eeb7da72ee32b\fxhb1-PipelineConfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhpcl3.inf_amd64_0e666fb8f1b0545e\amd64\hpcPCL6_PipelineConfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_468bda717012acbd\Amd64\MSxpsPCL6-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_445baef28ad35ddf\Amd64\MSXPS2.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnms011.inf_amd64_3aa7e4fc9c545305\Amd64\MSAppMon-pipelineconfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnecl2.inf_amd64_fdd93c90b4633940\nehb0-PipelineConfig.xml	VanGoth.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnsacl1.inf_amd64_8adcb7af71f53089\saacevents.xml	VanGoth.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt	VanGoth.exe

Drops file in Program Files directory 64 IoCs

Processes:

VanGoth.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	VanGoth.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\Assets\xbox_windows_logo-01.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-125.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\WideTile.scale-100.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-16.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim2.smile.scale-200.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Effects\Particles.jpg	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-unplated.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-125.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-400.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated_contrast-white.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-200.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Snowfall_Success_.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\1d.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-200.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-48_altform-unplated.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	VanGoth.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-100.png	VanGoth.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png	VanGoth.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3007_40x40x32.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-200.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-150.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7656_24x24x32.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7656_40x40x32.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1605.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageLargeTile.scale-200.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9724_24x24x32.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-100_contrast-white.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Came_To_Play_.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Videos\Help\SmartSelect.mp4	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png	VanGoth.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF@3x.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-100.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\telemetryrules\hxcalendarappimm.exe_Rules.xml	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-400.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-400.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_SaveAutomatically_LTR_Phone.mp4	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\heart.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-64_altform-unplated.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-black_scale-200.png	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml	VanGoth.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\LargeTile.scale-125.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Paint_Logo_with_Trademark_ABOUT_POPUP.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\xj_60x42.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-150.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-80.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_4_Point_Star.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\skype.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256_altform-unplated.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1914_32x32x32.png	VanGoth.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png	VanGoth.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png	VanGoth.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LargePyramidTile.jpg	VanGoth.exe

Drops file in Windows directory 64 IoCs

Processes:

VanGoth.exe

description	ioc	process
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-white_scale-100.png	VanGoth.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Assets\RemindersSplashScreen.contrast-white.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_11h.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-150.png	VanGoth.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.15063.0_none_2bd1e3a1cfd67be0\TileSmall.contrast-black_scale-150.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteWideTile.scale-100.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60_altform-unplated.png	VanGoth.exe
File created	C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Assets\StoreLogo.Scale-180.png	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\DefaultWsdlHelpGenerator.aspx	VanGoth.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-300.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pr_60x42.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-30.png	VanGoth.exe
File created	C:\Windows\Media\Windows Feed Discovered.wav	VanGoth.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..actsupport.appxmain_31bf3856ad364e35_10.0.15063.0_none_a5ca1360f9ef4c6d\LargeTile.scale-100_contrast-white.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-black_scale-125.png	VanGoth.exe
File created	C:\Windows\Web\Wallpaper\Theme2\img12.jpg	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\aq_60x42.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100_contrast-black.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-200.png	VanGoth.exe
File created	C:\Windows\SystemApps\ContactSupport_cw5n1h2txyewy\Assets\TinyTile.scale-100_contrast-black.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-36.png	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx	VanGoth.exe
File created	C:\Windows\diagnostics\index\KeyboardDiagnostic.xml	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_13d.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PeopleLargeTile.scale-100.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-150.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-white.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-40_altform-unplated.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-48_altform-unplated.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ne_60x42.png	VanGoth.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square150x150Logo.scale-150.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\SmallTile.scale-100.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-24_altform-unplated.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\AppList.scale-125.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileLargeSquare.scale-100.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\sadsmile.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-40_altform-unplated.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.scale-125.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\AppxManifest.xml	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\SmallTile.scale-100.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\LightGray.png	VanGoth.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx	VanGoth.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..trast-white.cortana_31bf3856ad364e35_10.0.15063.0_none_c7203a9c4dfdf241\SmallTile.scale-400.png	VanGoth.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..om-miantuan.cortana_31bf3856ad364e35_10.0.15063.0_none_edfba5bd1d34275c\WideTile.scale-100.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\klondike\Mining_For_Gold_Unearned_small.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Goal_2.jpg	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\nu_16x11.png	VanGoth.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.15063.0_none_224b97ad28ee338b\MicrosoftEdgeEPUB.targetsize-48.png	VanGoth.exe
File created	C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-white_scale-150.png	VanGoth.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..tom-cortana.cortana_31bf3856ad364e35_10.0.15063.0_none_e76db50250be7285\AppListIcon.targetsize-32.png	VanGoth.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15552.17062_none_2a7da49f7e9ba8db\InstallSqlStateTemplate.sql	VanGoth.exe
File created	C:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\AppxBlockMap.xml	VanGoth.exe
File created	C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.15063.0_none_e328baf08c907e79\Exchange.Theme-Light_Scale-100.png	VanGoth.exe
File created	C:\Windows\WinSxS\x86_netfx4-cfx_core_sql_files_b03f5f7f11d50a3a_4.0.15552.17062_none_ee17823a4ff68608\SqlWorkflowInstanceStoreSchema.sql	VanGoth.exe
File created	C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Assets\Square30x30.contrast-black_Scale-180.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-125.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\kr_60x42.png	VanGoth.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-100_contrast-black.png	VanGoth.exe
File created	C:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_providers_b03f5f7f11d50a3a_4.0.15552.17062_none_4f07a11dac6a7e88\ManageConsolidatedProviders.aspx	VanGoth.exe
File created	C:\Windows\SystemApps\DesktopView_cw5n1h2txyewy\appxmanifest.xml	VanGoth.exe

C:\Users\Admin\AppData\Local\Temp\VanGoth.exe
"C:\Users\Admin\AppData\Local\Temp\VanGoth.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3512-115-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3512-117-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/3512-118-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/3512-119-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3512-120-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads