gozi_ifsb | 4e9c392b5532fd3823e854c4db17212b392d41c0f3310021022d9cbf1bca8658

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/09/2022, 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e.exe
Size

37KB
MD5

ff981f29daba877bc365211aabfe8801
SHA1

f9d94bb62c230210afdde498ec0b0c119edb3466
SHA256

4e9c392b5532fd3823e854c4db17212b392d41c0f3310021022d9cbf1bca8658
SHA512

14740e902bec6ebe8fafd62b8042d087888a35f4f7906c13723fe8c85f48fb5cc65aa37222404d0b641ba60c37fa44aeea03bfd12fd37dc1d832fd13e2c48d43
SSDEEP

768:WtGIijUZYyyS3LaihVw8X/vrJEKmK9FhbYaMx4LqLriNdDAVGYRa09BV31C:gZi947aivwmrJEKmK9VMxWOrMd4X7p

Score

10^/10

gozi_ifsb 1900 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1900

tel.msn.com

194.76.225.60

185.212.47.133

Attributes

base_path
/doorway/
build
250235
exe_type
loader
extension
.drr
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

1900

apnfy.msn.com

194.76.225.61

185.212.47.186

45.11.180.215

45.11.180.219

Attributes

base_path
/doorway/
build
250240
exe_type
worker
extension
.drr
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4000 set thread context of 2484	4000	powershell.exe	29
PID 2484 set thread context of 3424	2484	Explorer.EXE	6
PID 2484 set thread context of 3696	2484	Explorer.EXE	24
PID 2484 set thread context of 4056	2484	Explorer.EXE	95
PID 2484 set thread context of 4648	2484	Explorer.EXE	21
PID 4056 set thread context of 1856	4056	cmd.exe	97
PID 2484 set thread context of 1576	2484	Explorer.EXE	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Discovers systems in the same network 1 TTPs 3 IoCs

discovery

Remote System Discovery

T1018

pid	Process
2064	net.exe
3936	net.exe
3456	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3304	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3604	systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1856	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1856	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3972	4e.exe
3972	4e.exe
4000	powershell.exe
4000	powershell.exe
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2484	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4000	powershell.exe
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
2484	Explorer.EXE
4056	cmd.exe
2484	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeShutdownPrivilege	2484	Explorer.EXE
Token: SeCreatePagefilePrivilege	2484	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe
Token: SeIncBasePriorityPrivilege	5036	WMIC.exe
Token: SeCreatePagefilePrivilege	5036	WMIC.exe
Token: SeBackupPrivilege	5036	WMIC.exe
Token: SeRestorePrivilege	5036	WMIC.exe
Token: SeShutdownPrivilege	5036	WMIC.exe
Token: SeDebugPrivilege	5036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5036	WMIC.exe
Token: SeRemoteShutdownPrivilege	5036	WMIC.exe
Token: SeUndockPrivilege	5036	WMIC.exe
Token: SeManageVolumePrivilege	5036	WMIC.exe
Token: 33	5036	WMIC.exe
Token: 34	5036	WMIC.exe
Token: 35	5036	WMIC.exe
Token: 36	5036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5036	WMIC.exe
Token: SeSecurityPrivilege	5036	WMIC.exe
Token: SeTakeOwnershipPrivilege	5036	WMIC.exe
Token: SeLoadDriverPrivilege	5036	WMIC.exe
Token: SeSystemProfilePrivilege	5036	WMIC.exe
Token: SeSystemtimePrivilege	5036	WMIC.exe
Token: SeProfSingleProcessPrivilege	5036	WMIC.exe
Token: SeIncBasePriorityPrivilege	5036	WMIC.exe
Token: SeCreatePagefilePrivilege	5036	WMIC.exe
Token: SeBackupPrivilege	5036	WMIC.exe
Token: SeRestorePrivilege	5036	WMIC.exe
Token: SeShutdownPrivilege	5036	WMIC.exe
Token: SeDebugPrivilege	5036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5036	WMIC.exe
Token: SeRemoteShutdownPrivilege	5036	WMIC.exe
Token: SeUndockPrivilege	5036	WMIC.exe
Token: SeManageVolumePrivilege	5036	WMIC.exe
Token: 33	5036	WMIC.exe
Token: 34	5036	WMIC.exe
Token: 35	5036	WMIC.exe
Token: 36	5036	WMIC.exe
Token: SeShutdownPrivilege	2484	Explorer.EXE
Token: SeCreatePagefilePrivilege	2484	Explorer.EXE
Token: SeShutdownPrivilege	2484	Explorer.EXE
Token: SeCreatePagefilePrivilege	2484	Explorer.EXE
Token: SeDebugPrivilege	3304	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 4000	320	mshta.exe	89
PID 320 wrote to memory of 4000	320	mshta.exe	89
PID 4000 wrote to memory of 3996	4000	powershell.exe	91
PID 4000 wrote to memory of 3996	4000	powershell.exe	91
PID 3996 wrote to memory of 1476	3996	csc.exe	92
PID 3996 wrote to memory of 1476	3996	csc.exe	92
PID 4000 wrote to memory of 4956	4000	powershell.exe	93
PID 4000 wrote to memory of 4956	4000	powershell.exe	93
PID 4956 wrote to memory of 4192	4956	csc.exe	94
PID 4956 wrote to memory of 4192	4956	csc.exe	94
PID 4000 wrote to memory of 2484	4000	powershell.exe	29
PID 4000 wrote to memory of 2484	4000	powershell.exe	29
PID 4000 wrote to memory of 2484	4000	powershell.exe	29
PID 4000 wrote to memory of 2484	4000	powershell.exe	29
PID 2484 wrote to memory of 3424	2484	Explorer.EXE	6
PID 2484 wrote to memory of 3424	2484	Explorer.EXE	6
PID 2484 wrote to memory of 4056	2484	Explorer.EXE	95
PID 2484 wrote to memory of 4056	2484	Explorer.EXE	95
PID 2484 wrote to memory of 4056	2484	Explorer.EXE	95
PID 2484 wrote to memory of 3424	2484	Explorer.EXE	6
PID 2484 wrote to memory of 3424	2484	Explorer.EXE	6
PID 2484 wrote to memory of 3696	2484	Explorer.EXE	24
PID 2484 wrote to memory of 3696	2484	Explorer.EXE	24
PID 2484 wrote to memory of 3696	2484	Explorer.EXE	24
PID 2484 wrote to memory of 3696	2484	Explorer.EXE	24
PID 2484 wrote to memory of 4648	2484	Explorer.EXE	21
PID 2484 wrote to memory of 4648	2484	Explorer.EXE	21
PID 2484 wrote to memory of 4056	2484	Explorer.EXE	95
PID 2484 wrote to memory of 4056	2484	Explorer.EXE	95
PID 4056 wrote to memory of 1856	4056	cmd.exe	97
PID 4056 wrote to memory of 1856	4056	cmd.exe	97
PID 4056 wrote to memory of 1856	4056	cmd.exe	97
PID 2484 wrote to memory of 4648	2484	Explorer.EXE	21
PID 2484 wrote to memory of 4648	2484	Explorer.EXE	21
PID 4056 wrote to memory of 1856	4056	cmd.exe	97
PID 4056 wrote to memory of 1856	4056	cmd.exe	97
PID 2484 wrote to memory of 2200	2484	Explorer.EXE	98
PID 2484 wrote to memory of 2200	2484	Explorer.EXE	98
PID 2484 wrote to memory of 1576	2484	Explorer.EXE	100
PID 2484 wrote to memory of 1576	2484	Explorer.EXE	100
PID 2484 wrote to memory of 1576	2484	Explorer.EXE	100
PID 2484 wrote to memory of 1576	2484	Explorer.EXE	100
PID 2200 wrote to memory of 5036	2200	cmd.exe	102
PID 2200 wrote to memory of 5036	2200	cmd.exe	102
PID 2200 wrote to memory of 3980	2200	cmd.exe	103
PID 2200 wrote to memory of 3980	2200	cmd.exe	103
PID 2484 wrote to memory of 1576	2484	Explorer.EXE	100
PID 2484 wrote to memory of 1576	2484	Explorer.EXE	100
PID 2484 wrote to memory of 1336	2484	Explorer.EXE	104
PID 2484 wrote to memory of 1336	2484	Explorer.EXE	104
PID 2484 wrote to memory of 2928	2484	Explorer.EXE	106
PID 2484 wrote to memory of 2928	2484	Explorer.EXE	106
PID 2928 wrote to memory of 3604	2928	cmd.exe	108
PID 2928 wrote to memory of 3604	2928	cmd.exe	108
PID 2484 wrote to memory of 3432	2484	Explorer.EXE	110
PID 2484 wrote to memory of 3432	2484	Explorer.EXE	110
PID 2484 wrote to memory of 2452	2484	Explorer.EXE	112
PID 2484 wrote to memory of 2452	2484	Explorer.EXE	112
PID 2452 wrote to memory of 2064	2452	cmd.exe	114
PID 2452 wrote to memory of 2064	2452	cmd.exe	114
PID 2484 wrote to memory of 1792	2484	Explorer.EXE	115
PID 2484 wrote to memory of 1792	2484	Explorer.EXE	115
PID 2484 wrote to memory of 1724	2484	Explorer.EXE	117
PID 2484 wrote to memory of 1724	2484	Explorer.EXE	117

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4648

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3696

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\4e.exe
  "C:\Users\Admin\AppData\Local\Temp\4e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Rgv1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rgv1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\16F27831-7D02-B8E1-B7AA-016CDB7EC560\\\ReturnStop'));if(!window.flag)close()</script>"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kqvsplvr -value gp; new-alias -name kslcmhencs -value iex; kslcmhencs ([System.Text.Encoding]::ASCII.GetString((kqvsplvr "HKCU:Software\AppDataLow\Software\Microsoft\16F27831-7D02-B8E1-B7AA-016CDB7EC560").FileDesktop))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\axh1y0g5\axh1y0g5.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5091.tmp" "c:\Users\Admin\AppData\Local\Temp\axh1y0g5\CSC16933F81FB9C42F7BEAF6E9575918462.TMP"
        5⤵
        
        PID:1476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuqivz02\yuqivz02.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4956
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES517B.tmp" "c:\Users\Admin\AppData\Local\Temp\yuqivz02\CSC52CBA811162C4C72B0826B3FD8D3EC27.TMP"
        5⤵
        
        PID:4192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\4e.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1856
- C:\Windows\system32\cmd.exe
  cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Windows\system32\more.com
    more
    3⤵
    PID:3980
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:1576
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1336
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:3604
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:3432
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:2064
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1792
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1724
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:2580
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:2440
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3304
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1432
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:4996
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:3280
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:2436
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:3960
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1232
- C:\Windows\system32\cmd.exe
  cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1420
- - C:\Windows\system32\net.exe
    net config workstation
    3⤵
    PID:1476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config workstation
      4⤵
      PID:4688
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1480
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1516
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:1880
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:3044
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:3188
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:3992
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:3600
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1220
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:3936
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:2568
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:5036
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:3456
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:864
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\6FDD.bin1 > C:\Users\Admin\AppData\Local\Temp\6FDD.bin & del C:\Users\Admin\AppData\Local\Temp\6FDD.bin1"
  2⤵
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6FDD.bin

Filesize
64KB

MD5
41812f1540c54bf44e8335af64ecfcf0

SHA1
d6b4ff7866a71721582303ed1af8754a26df9854

SHA256
d863eb25e2f6d2abde17a3d3b1ddcb4462f2044f5ba8c4b5cca80e5433788a63

SHA512
191dc1110e64378ab634934a723637b029be9865745b6014940b48d117feec3aeedfc7672dfa193b45fb8716527523d6ad06f9dedfff3cf285d3d50e71373256

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
44B

MD5
f7aea2435aa888b709ca20f816c33bfd

SHA1
38717c9a73b5f8bd399839cbe0aa57518427e758

SHA256
f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

SHA512
1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
2KB

MD5
d04792fb2359c12e551839b6f69f0c97

SHA1
fb75e3ac877b966fb5455b2a7c4efca5dedaecd6

SHA256
b39812506069d6a84aa6d6c8f88eb4229aff9d7675ac047d6801f5449fe8a6fb

SHA512
111d1669fabc6fb4cefe10d5a12d3e641d4f9e4abbe912905c0f98f0c44901873f1da034dd1e054e1f41136fabe043ef2f4ee47076ee853f57b655cc9eea80ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
2KB

MD5
d04792fb2359c12e551839b6f69f0c97

SHA1
fb75e3ac877b966fb5455b2a7c4efca5dedaecd6

SHA256
b39812506069d6a84aa6d6c8f88eb4229aff9d7675ac047d6801f5449fe8a6fb

SHA512
111d1669fabc6fb4cefe10d5a12d3e641d4f9e4abbe912905c0f98f0c44901873f1da034dd1e054e1f41136fabe043ef2f4ee47076ee853f57b655cc9eea80ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
2KB

MD5
44c840378af6f9ee9f1b6edc32f6605a

SHA1
5662ea85901bdeed51b00da2a6014f586b221d17

SHA256
8cb2121209ac6180c4079f356407bbbd8ea7955996aff4220b64741dabcdac98

SHA512
912a6c113c0591679beae9a210085b10aef48003242794e4eb62b0b62b30c1e3c62ed7bddda99652099a080a932a7dd99590207b2518febd9e35e18e82f2d1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
2KB

MD5
80e8525cd311c43059b99e6161c7f938

SHA1
599e01a87c3f54d1d6accdb53ed2d5ecd7713ef4

SHA256
3efaecc589f6073af8e8660f18154f44e1eece6c66781edb7876d13e3d15cc3b

SHA512
96fada12791e173b2e67ff04162f39c15f22f67440aac8b25b0180a3dcbb30e53c171946160f1d086cec163475cc8ed9c9d60d1531da087af78f41fa46bc95ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
2KB

MD5
95997fcba9cccde94f65a9786cde97c1

SHA1
83465c0eb5db9b5daf44473649da66d8fead1aa8

SHA256
1c71bc3e08c37d69c5d5444e8542531291da19482ca4cfe2f017b977c7dba7b3

SHA512
30b8ab9e2eb3630a08fe9238ef8ffbf2a0ca3de90fbbdb18b8d5be987b2dee1f54ea14b5e9a2dde8f17c669ed78de180c8027a83cde6e9210da6f7c4a5d3994a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
9KB

MD5
0f1fd4f8bfacfc80a30b0161633111cb

SHA1
d9bd8f3032e44db3ff09c3c081df1d16d4224079

SHA256
b0feb8d446d9cb89367a8eca313ae0b816973ff297c6dcc2f7324510acd97ea5

SHA512
b3b9d0204caba6ef98461664bb45e64c53495d5fea5c986a7e03a81817a002def95ac68b5a877a675501289e938e7db4f60ee46772bf39467e27b3d0b902e06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
9KB

MD5
f95928ce073b82706349cf97f4c0c187

SHA1
330b80c17a118a57e8e95151eaa94080eb791ce5

SHA256
c95fcfebba5a66f6d6c40aa305dc7134fc7b01d68012444cfbaa3fe37879febe

SHA512
d4c89e6c04097ed6591f650991dc0b8cb4daf18101098cc88bcbb25280c95d88c05ce90907d7e8ffe9d72412b4657d73a81a7ccfa827e851aa05850dbe98015d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
35KB

MD5
80999ad5d5ac21c00ffc68a5fce5624e

SHA1
fbc027dcc7ec9e25becffd23e6a75b148e2a9a67

SHA256
f230cf3c925cf64c4c3d3ae613c0c9b9ba22e406a0b93668275d3a7181814e9d

SHA512
f8e246b7086ace9ee17edef72e64caa6cdf21310f04a5f0d9d8d1ebc1113bf48be37afca32c39a6efb3028e8df6ffeba5d6d0c5d6a434927af85dc2429d6e008

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
35KB

MD5
80999ad5d5ac21c00ffc68a5fce5624e

SHA1
fbc027dcc7ec9e25becffd23e6a75b148e2a9a67

SHA256
f230cf3c925cf64c4c3d3ae613c0c9b9ba22e406a0b93668275d3a7181814e9d

SHA512
f8e246b7086ace9ee17edef72e64caa6cdf21310f04a5f0d9d8d1ebc1113bf48be37afca32c39a6efb3028e8df6ffeba5d6d0c5d6a434927af85dc2429d6e008

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
64KB

MD5
5762e69f2bbef87720a2f6802294041d

SHA1
55e62869ef9a7aefd72a1c94ca69a6f7cdfdbdac

SHA256
383425e825b9813bee27216ad3127fad7d35d2eeb5f3990a30c79e5f8bf8c541

SHA512
0446b76a0374dee394d68e4c6e6bc82f65b8d82a5fa734f7ec85a401a695b7dc31fc0a6b8b2f6e4cabab4ab6c8a985778f423ed83907f65bc7e91701fdf58e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
64KB

MD5
5762e69f2bbef87720a2f6802294041d

SHA1
55e62869ef9a7aefd72a1c94ca69a6f7cdfdbdac

SHA256
383425e825b9813bee27216ad3127fad7d35d2eeb5f3990a30c79e5f8bf8c541

SHA512
0446b76a0374dee394d68e4c6e6bc82f65b8d82a5fa734f7ec85a401a695b7dc31fc0a6b8b2f6e4cabab4ab6c8a985778f423ed83907f65bc7e91701fdf58e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
64KB

MD5
a15a8a7efdba42458dbdf31f273bf81d

SHA1
f87800b71f3d7447948fbbc6291d30040a36ff36

SHA256
62ebe9061645671c1b1f093ba063af1f7806b620a261a85e24543d4527e69935

SHA512
d60e427f79bdc1ace6d5b867390f5aa90d27798e3e3450a7f134a84f10b25a53d473043cede98101f50b8b45f34581eb623370dcd2bd5de193655e98ea69db6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
64KB

MD5
a15a8a7efdba42458dbdf31f273bf81d

SHA1
f87800b71f3d7447948fbbc6291d30040a36ff36

SHA256
62ebe9061645671c1b1f093ba063af1f7806b620a261a85e24543d4527e69935

SHA512
d60e427f79bdc1ace6d5b867390f5aa90d27798e3e3450a7f134a84f10b25a53d473043cede98101f50b8b45f34581eb623370dcd2bd5de193655e98ea69db6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
64KB

MD5
7cf7fe5e9aa4e4ec4716547499a7732a

SHA1
a757cf52071f0a443c2d40bfad501e7f0c4f34f2

SHA256
385d9903726af90d0d6bbfed5934f5f816501efea3a05e046820481654be4378

SHA512
6eeaedb8b30db1269382744dfaf344e91382a95db7abca4747bbccff952d79ef41a0c21eec49a991f5dd1a947b3497c5f92ecf26443620021fba7a63fcbead91

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
64KB

MD5
a3f617d97d017221643614b415469d9d

SHA1
cd0a5a5027dec22f6821ebd9a434abdd4dfda69c

SHA256
ea370e9ac570986fa02f3cdd583c7fb67a0f71c88adbba9a1736fe0c8e5a1ec1

SHA512
ea3f62432e42e1132c83cc08911986090355c23a8fbe962359ef712d11d14aec6f2e691e0dbb873251dcbaee927ce4f4771d30d9674da4f89f4c37afec987487

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
64KB

MD5
e056f900fde2ad6ddb3e5373be27aacd

SHA1
08137a96674844709a1bc1dace494034f77915bb

SHA256
6175dad0dec10b5b8247cf2503d132437f04e283461ba830b7425ebc4d245978

SHA512
991ac38b02239a294f3877724c1b655ec52c8994097ef033291f52541cafd304d8a47691d9bef7319cbcd2220a6a48d73f9381bf9fa0187f734b6e7e4046fc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FDD.bin1

Filesize
64KB

MD5
41812f1540c54bf44e8335af64ecfcf0

SHA1
d6b4ff7866a71721582303ed1af8754a26df9854

SHA256
d863eb25e2f6d2abde17a3d3b1ddcb4462f2044f5ba8c4b5cca80e5433788a63

SHA512
191dc1110e64378ab634934a723637b029be9865745b6014940b48d117feec3aeedfc7672dfa193b45fb8716527523d6ad06f9dedfff3cf285d3d50e71373256

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5091.tmp

Filesize
1KB

MD5
55e32799d3f00127d10352506feb0dbb

SHA1
cb2fafb43c08fa0a2434e9cf42fccfc040f024ff

SHA256
7ed5837c7fb8a97827b4c7956c24d73e6558c65df541499abfb6fa0e18799ece

SHA512
5393c9b4527bf18e43e4b3c842b2e0545437d1489adffeeecc0ee8ed5bb3bd44a4e1ee3108777b2ee90a8f03c86147f32eb2f3f82c98e1d57d4d0a99cd9927cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES517B.tmp

Filesize
1KB

MD5
3eb3b5e3d778b2b9d638ab6220cedcd4

SHA1
5acbc363ad2b3e85a710d0c593ae9da92673f24e

SHA256
d59efccf19b8c8986283994c53074402062ec60ca48a4920ecb796a631737d94

SHA512
3a40e0ab4eddec3ad06299533b21d8e45ef6c51d800f6f50c68d28237bc2379a87d16121d8818b19d38a23d680fc52a76fa2ab2f43a96b9197547b8f96623496

Download Submit
C:\Users\Admin\AppData\Local\Temp\axh1y0g5\axh1y0g5.dll

Filesize
3KB

MD5
700be7a9e81df548f98d498bda3bb15c

SHA1
7b7800bdcd5009c8854a34268c254d2aad0c33e2

SHA256
801bd040699add5e0ded8d189b548d9c4efae95f7854b199126d32fead004b1f

SHA512
628909a399e9e0614e0a4bd7ff94779e5543f1c1736131b0d597166769dde2b2b12e9cd66859c992864723d60d339b74edbec4827152f7150c80743eb71521b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuqivz02\yuqivz02.dll

Filesize
3KB

MD5
3ba3d3c9fad9b1f971a7e137e9f5dcc6

SHA1
e9f8bd160c4ef038fb07dd9a65bdae24e2d19b16

SHA256
e932365e74f365c51e252f3e082b64793d22460616ace025a97cfdeec9cf0c9e

SHA512
46e9c3e7d8b968e6ca4f3f2fdc06c2af5ee14f1d258497c5b2b79b439c6e39c534c8ad4026c7f7819e19d6b9f4ad62b8eb3c41206e3b970ed05b858f3aadcd05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axh1y0g5\CSC16933F81FB9C42F7BEAF6E9575918462.TMP

Filesize
652B

MD5
72ae963ffb5781be6e3bec7e1f2947ce

SHA1
f92bb63db35369d0cc963db19665f0593faedb2f

SHA256
7f10e1eccebfcb702429cd279fbf36e220ebe24be6893783ee0f868ac38857e2

SHA512
610618cdc640da1987a1c76dee6532a191a3cf8859bdc24b4e092c8757bf44d0ffdec2037ffc1bbbb1a9e957eaa9558f3e06ad302abb9b922cac6fe92f4a2662

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axh1y0g5\axh1y0g5.0.cs

Filesize
410B

MD5
9a10482acb9e6952b96f4efc24d9d783

SHA1
5cfc9bf668351df25fcda98c3c2d0bb056c026c3

SHA256
a0424e1530f002761a882c19c22504153a5e86d7fbb41391e940452bfa15f377

SHA512
e932914ad99d7bd39561e020d1e8c1f4e175c16eae66df720100c65e40ccc3383b5145f703432885f3f1ce080e8a4feb045ddd5c8bbc2f3231c619d04182ac28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\axh1y0g5\axh1y0g5.cmdline

Filesize
369B

MD5
29226647e2959b625531a4247291f976

SHA1
061c96b12b3903c6cf92242b372ed9e260ee04c7

SHA256
7f502de1d293d198c2b2d526e81bce58157c8d6dc10e3cafc56885da39c89f56

SHA512
516c65819b70c225795e6e06ce2c42c523816816eefd754d72b854c41135bc9570dd1c1e71ee6237a4bbae18ef82ee6c02ffae1212f7fd6a9049c57219b6659d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yuqivz02\CSC52CBA811162C4C72B0826B3FD8D3EC27.TMP

Filesize
652B

MD5
48097c0fb8a16f7f2d4ddf811c9dd2f5

SHA1
7b3c9443372a9760c83845888bd1e59790c56cad

SHA256
284bf2445f58cd1e4b531e12d5a97b076a2d9229d9638a5616040c461309ba9b

SHA512
232c02a3eb72e5359cc7e6a225a8e4ed81df24e89de24192ebd4f8c48fd8073cadb9246f35c64a1b4973ad1639eff260075ccc767d06c10c611812b0589486ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yuqivz02\yuqivz02.0.cs

Filesize
400B

MD5
aca9704199c51fde14b8bf8165bc2a4c

SHA1
789b408ccad29240bd093515cbd19a199ad2c1c8

SHA256
cb3da8a9768252634f8ed4c62e026dc8217b055e00f11b6012a52ed130c92c27

SHA512
a8c1df598581f508ecbf1e516744f11abfb71ec6bb9895d0b61f15e70e56e27cb40b4e5395b9411b787f8bb4f264ca704d815260677909dc1e599d601d0b5de6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yuqivz02\yuqivz02.cmdline

Filesize
369B

MD5
98e3186cf54b2b41d606ab3d4e87c4b0

SHA1
be67bd24e4c952d557c510ba16e17745783cc426

SHA256
ad53e6d4dda40e77d954a817428c75fb7eaef48f5c14a2a8fb58702114141490

SHA512
dabac75df7afdf20f0910fb52115fe4aedf823136bb22df44964f4e9e63d0facef5b9c12ad827218e4e7201f1be04a61db17e4a6a2c6e9fa9b6f94df59cf8d58

Download Submit
memory/1576-168-0x0000000001690000-0x0000000001726000-memory.dmp

Filesize
600KB

Download
memory/1576-164-0x0000000000976B20-0x0000000000976B24-memory.dmp

Filesize
4B

Download
memory/1856-167-0x00000207441C0000-0x0000020744263000-memory.dmp

Filesize
652KB

Download
memory/2484-179-0x0000000008400000-0x00000000084A3000-memory.dmp

Filesize
652KB

Download
memory/2484-157-0x0000000008400000-0x00000000084A3000-memory.dmp

Filesize
652KB

Download
memory/3424-156-0x0000020213A40000-0x0000020213AE3000-memory.dmp

Filesize
652KB

Download
memory/3696-163-0x00000119D5D20000-0x00000119D5DC3000-memory.dmp

Filesize
652KB

Download
memory/3972-132-0x0000000000450000-0x000000000045D000-memory.dmp

Filesize
52KB

Download
memory/4000-138-0x00007FF8D02D0000-0x00007FF8D0D91000-memory.dmp

Filesize
10.8MB

Download
memory/4000-154-0x00007FF8D02D0000-0x00007FF8D0D91000-memory.dmp

Filesize
10.8MB

Download
memory/4000-155-0x000001EBDE430000-0x000001EBDE46D000-memory.dmp

Filesize
244KB

Download
memory/4000-137-0x000001EBC5F80000-0x000001EBC5FA2000-memory.dmp

Filesize
136KB

Download
memory/4056-165-0x000001C1A25D0000-0x000001C1A2673000-memory.dmp

Filesize
652KB

Download
memory/4648-166-0x000001658B960000-0x000001658BA03000-memory.dmp

Filesize
652KB

Download