gozi | ca81e59ee05627070f6a262bde7a2e7cdf49b015a8e0e36a68601edfce40c42a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

entrat (2).exe
Size

227KB
MD5

bba73880ba1909ac9287d21891308dc2
SHA1

141070af9cc62be8b97abeb57bd40bd01e3eee78
SHA256

ca81e59ee05627070f6a262bde7a2e7cdf49b015a8e0e36a68601edfce40c42a
SHA512

d0dec7f477849d2d3c456fc8794e0496d8c0b455cb0663b2073377ea2313898c184c4d459e67039c585fc0c66b716cb43e70afef43f82b110700f5e8881fd219
SSDEEP

3072:i1jZTLdE15olca9PobsTONaz1igalL1TE1l2aWzgKr/so:ktLd/lzKY1OBTElWzz/

Score

10^/10

gozi 7639 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7639

31.41.44.43

62.173.147.143

31.41.44.63

62.173.147.113

Attributes

base_path
/drew/
build
250249
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

7639

185.31.162.9

31.41.46.120

31.41.44.71

62.173.147.138

31.41.44.79

62.173.147.142

62.173.147.64

Attributes

base_path
/drew/
build
250249
exe_type
worker
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 2620	2252	powershell.exe	71
PID 2620 set thread context of 3432	2620	Explorer.EXE	46
PID 2620 set thread context of 3812	2620	Explorer.EXE	47
PID 2620 set thread context of 4700	2620	Explorer.EXE	65
PID 2620 set thread context of 1932	2620	Explorer.EXE	98
PID 1932 set thread context of 4456	1932	cmd.exe	101
PID 2620 set thread context of 1164	2620	Explorer.EXE	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3104	5080	WerFault.exe	81

Discovers systems in the same network 1 TTPs 3 IoCs

discovery

Remote System Discovery

T1018

pid	Process
4892	net.exe
1932	net.exe
4332	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4804	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2248	systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4456	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
4456	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	entrat (2).exe
5080	entrat (2).exe
2252	powershell.exe
2252	powershell.exe
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2620	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
2252	powershell.exe
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
2620	Explorer.EXE
1932	cmd.exe
2620	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	2620	Explorer.EXE
Token: SeCreatePagefilePrivilege	2620	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1764	WMIC.exe
Token: SeSecurityPrivilege	1764	WMIC.exe
Token: SeTakeOwnershipPrivilege	1764	WMIC.exe
Token: SeLoadDriverPrivilege	1764	WMIC.exe
Token: SeSystemProfilePrivilege	1764	WMIC.exe
Token: SeSystemtimePrivilege	1764	WMIC.exe
Token: SeProfSingleProcessPrivilege	1764	WMIC.exe
Token: SeIncBasePriorityPrivilege	1764	WMIC.exe
Token: SeCreatePagefilePrivilege	1764	WMIC.exe
Token: SeBackupPrivilege	1764	WMIC.exe
Token: SeRestorePrivilege	1764	WMIC.exe
Token: SeShutdownPrivilege	1764	WMIC.exe
Token: SeDebugPrivilege	1764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1764	WMIC.exe
Token: SeRemoteShutdownPrivilege	1764	WMIC.exe
Token: SeUndockPrivilege	1764	WMIC.exe
Token: SeManageVolumePrivilege	1764	WMIC.exe
Token: 33	1764	WMIC.exe
Token: 34	1764	WMIC.exe
Token: 35	1764	WMIC.exe
Token: 36	1764	WMIC.exe
Token: SeShutdownPrivilege	2620	Explorer.EXE
Token: SeCreatePagefilePrivilege	2620	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1764	WMIC.exe
Token: SeSecurityPrivilege	1764	WMIC.exe
Token: SeTakeOwnershipPrivilege	1764	WMIC.exe
Token: SeLoadDriverPrivilege	1764	WMIC.exe
Token: SeSystemProfilePrivilege	1764	WMIC.exe
Token: SeSystemtimePrivilege	1764	WMIC.exe
Token: SeProfSingleProcessPrivilege	1764	WMIC.exe
Token: SeIncBasePriorityPrivilege	1764	WMIC.exe
Token: SeCreatePagefilePrivilege	1764	WMIC.exe
Token: SeBackupPrivilege	1764	WMIC.exe
Token: SeRestorePrivilege	1764	WMIC.exe
Token: SeShutdownPrivilege	1764	WMIC.exe
Token: SeDebugPrivilege	1764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1764	WMIC.exe
Token: SeRemoteShutdownPrivilege	1764	WMIC.exe
Token: SeUndockPrivilege	1764	WMIC.exe
Token: SeManageVolumePrivilege	1764	WMIC.exe
Token: 33	1764	WMIC.exe
Token: 34	1764	WMIC.exe
Token: 35	1764	WMIC.exe
Token: 36	1764	WMIC.exe
Token: SeShutdownPrivilege	2620	Explorer.EXE
Token: SeCreatePagefilePrivilege	2620	Explorer.EXE
Token: SeShutdownPrivilege	2620	Explorer.EXE
Token: SeCreatePagefilePrivilege	2620	Explorer.EXE
Token: SeDebugPrivilege	4804	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2620	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2252	1116	mshta.exe	92
PID 1116 wrote to memory of 2252	1116	mshta.exe	92
PID 2252 wrote to memory of 3512	2252	powershell.exe	94
PID 2252 wrote to memory of 3512	2252	powershell.exe	94
PID 3512 wrote to memory of 3576	3512	csc.exe	95
PID 3512 wrote to memory of 3576	3512	csc.exe	95
PID 2252 wrote to memory of 3976	2252	powershell.exe	96
PID 2252 wrote to memory of 3976	2252	powershell.exe	96
PID 3976 wrote to memory of 3120	3976	csc.exe	97
PID 3976 wrote to memory of 3120	3976	csc.exe	97
PID 2252 wrote to memory of 2620	2252	powershell.exe	71
PID 2252 wrote to memory of 2620	2252	powershell.exe	71
PID 2252 wrote to memory of 2620	2252	powershell.exe	71
PID 2252 wrote to memory of 2620	2252	powershell.exe	71
PID 2620 wrote to memory of 3432	2620	Explorer.EXE	46
PID 2620 wrote to memory of 3432	2620	Explorer.EXE	46
PID 2620 wrote to memory of 1932	2620	Explorer.EXE	98
PID 2620 wrote to memory of 1932	2620	Explorer.EXE	98
PID 2620 wrote to memory of 1932	2620	Explorer.EXE	98
PID 2620 wrote to memory of 3432	2620	Explorer.EXE	46
PID 2620 wrote to memory of 3432	2620	Explorer.EXE	46
PID 2620 wrote to memory of 3812	2620	Explorer.EXE	47
PID 2620 wrote to memory of 3812	2620	Explorer.EXE	47
PID 2620 wrote to memory of 3812	2620	Explorer.EXE	47
PID 2620 wrote to memory of 3812	2620	Explorer.EXE	47
PID 2620 wrote to memory of 4700	2620	Explorer.EXE	65
PID 2620 wrote to memory of 4700	2620	Explorer.EXE	65
PID 2620 wrote to memory of 4700	2620	Explorer.EXE	65
PID 2620 wrote to memory of 4700	2620	Explorer.EXE	65
PID 2620 wrote to memory of 1932	2620	Explorer.EXE	98
PID 2620 wrote to memory of 1932	2620	Explorer.EXE	98
PID 1932 wrote to memory of 4456	1932	cmd.exe	101
PID 1932 wrote to memory of 4456	1932	cmd.exe	101
PID 1932 wrote to memory of 4456	1932	cmd.exe	101
PID 1932 wrote to memory of 4456	1932	cmd.exe	101
PID 1932 wrote to memory of 4456	1932	cmd.exe	101
PID 2620 wrote to memory of 3000	2620	Explorer.EXE	107
PID 2620 wrote to memory of 3000	2620	Explorer.EXE	107
PID 2620 wrote to memory of 1164	2620	Explorer.EXE	104
PID 2620 wrote to memory of 1164	2620	Explorer.EXE	104
PID 2620 wrote to memory of 1164	2620	Explorer.EXE	104
PID 2620 wrote to memory of 1164	2620	Explorer.EXE	104
PID 3000 wrote to memory of 1764	3000	cmd.exe	108
PID 3000 wrote to memory of 1764	3000	cmd.exe	108
PID 3000 wrote to memory of 3464	3000	cmd.exe	109
PID 3000 wrote to memory of 3464	3000	cmd.exe	109
PID 2620 wrote to memory of 1164	2620	Explorer.EXE	104
PID 2620 wrote to memory of 1164	2620	Explorer.EXE	104
PID 2620 wrote to memory of 3416	2620	Explorer.EXE	110
PID 2620 wrote to memory of 3416	2620	Explorer.EXE	110
PID 2620 wrote to memory of 2232	2620	Explorer.EXE	112
PID 2620 wrote to memory of 2232	2620	Explorer.EXE	112
PID 2232 wrote to memory of 2248	2232	cmd.exe	114
PID 2232 wrote to memory of 2248	2232	cmd.exe	114
PID 2620 wrote to memory of 3796	2620	Explorer.EXE	116
PID 2620 wrote to memory of 3796	2620	Explorer.EXE	116
PID 2620 wrote to memory of 2116	2620	Explorer.EXE	118
PID 2620 wrote to memory of 2116	2620	Explorer.EXE	118
PID 2116 wrote to memory of 4332	2116	cmd.exe	120
PID 2116 wrote to memory of 4332	2116	cmd.exe	120
PID 2620 wrote to memory of 3916	2620	Explorer.EXE	121
PID 2620 wrote to memory of 3916	2620	Explorer.EXE	121
PID 2620 wrote to memory of 4800	2620	Explorer.EXE	123
PID 2620 wrote to memory of 4800	2620	Explorer.EXE	123

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3432

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4700

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\entrat (2).exe
  "C:\Users\Admin\AppData\Local\Temp\entrat (2).exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 564
    3⤵
    - Program crash
    PID:3104
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ydib='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ydib).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\A7ECD376-DA81-7167-1CCB-AE35102FC239\\\TextStop'));if(!window.flag)close()</script>"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name uyrviqae -value gp; new-alias -name ykwlijixx -value iex; ykwlijixx ([System.Text.Encoding]::ASCII.GetString((uyrviqae "HKCU:Software\AppDataLow\Software\Microsoft\A7ECD376-DA81-7167-1CCB-AE35102FC239").ControlMask))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0rabiwf\z0rabiwf.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES692A.tmp" "c:\Users\Admin\AppData\Local\Temp\z0rabiwf\CSC246D8C362B64ECDB7E79DD5469084F2.TMP"
        5⤵
        
        PID:3576
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bedwb1ri\bedwb1ri.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A62.tmp" "c:\Users\Admin\AppData\Local\Temp\bedwb1ri\CSC4B005356A0F449E09A72837388AB3AB.TMP"
        5⤵
        
        PID:3120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\entrat (2).exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4456
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:1164
- C:\Windows\system32\cmd.exe
  cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\system32\more.com
    more
    3⤵
    PID:3464
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:3416
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:2248
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:3796
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:4332
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:3916
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:4800
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:5096
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:1616
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:4284
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:4680
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:680
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:4720
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:1472
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:5060
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:3224
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:4236
- C:\Windows\system32\cmd.exe
  cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:484
- - C:\Windows\system32\net.exe
    net config workstation
    3⤵
    PID:792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config workstation
      4⤵
      PID:1868
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:4516
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:4732
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:2352
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:2176
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:1164
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:1168
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:1476
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:4892
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:4028
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:4752
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:1932
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:4256
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\2F15.bin1 > C:\Users\Admin\AppData\Local\Temp\2F15.bin & del C:\Users\Admin\AppData\Local\Temp\2F15.bin1"
  2⤵
  PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5080 -ip 5080
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2F15.bin

Filesize
64KB

MD5
5a0283ae7c3d5f55e77253d7b5dd17b5

SHA1
fbe3657d9559430a1283d0102ed52e14836d68f0

SHA256
894933b8012d5a9deddf17888259767308a2af64c926d234d7fb4fab1f64a953

SHA512
687f759c3bec33962edc7a10d23d010d9c2f81b992d3487a5d0290057459637f2cfb49f23b531f082c38b4e14ee3fe7d4e20a6d3538f3e0e1b7776bb61da18a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
44B

MD5
f7aea2435aa888b709ca20f816c33bfd

SHA1
38717c9a73b5f8bd399839cbe0aa57518427e758

SHA256
f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

SHA512
1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
2KB

MD5
da76a68bb99cbab7c3dd60a247d8ce5c

SHA1
b557e0b365d2f01581de5bc5837e3766ac2af90e

SHA256
e7966ac4c5f5c7d0d933c62ce1a3a337a191d9762d91421089d668ef9f8dc433

SHA512
c7a5c48a352bd674e47b32619aa0bbea5a050ed06dd16f1d5b50dbead90f12f5f81aaabc1de81355e5c7ea6699c299361351a0b8f7d066eb1e11211ff3393c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
2KB

MD5
fe86e315fdc83aa78923ac18baa06cb0

SHA1
202e3693648e202391fbca600b16ae87389cc3ce

SHA256
f15058bed0ba8d2d3390564ce166366cfab9b8c7527160e77c2662dbe27a1aa7

SHA512
e86ff7059fa30c282647b6ff4a866a5162bb6d0536230875f39f3035867195e00faebfaa4da88837e28051ee0e7dda880d1ab25a71966923e4f855e0ce334708

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
2KB

MD5
28da275101591a707191715a5445bc35

SHA1
4eabe61b92bf248c952916ea6a17acde4d97853e

SHA256
3abb23f6f7390da9fd3f1e406b522b80a7e2be0d4a4c266a122cfed9a5d3a033

SHA512
a2327bdbe8cc9b742244f4ae93aff163fb115c02567b485a93f063b35de2b62180606daa19b1f7bb41dcbc836d6186c641558b028ff74ebbd50736b146ac4935

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
2KB

MD5
28da275101591a707191715a5445bc35

SHA1
4eabe61b92bf248c952916ea6a17acde4d97853e

SHA256
3abb23f6f7390da9fd3f1e406b522b80a7e2be0d4a4c266a122cfed9a5d3a033

SHA512
a2327bdbe8cc9b742244f4ae93aff163fb115c02567b485a93f063b35de2b62180606daa19b1f7bb41dcbc836d6186c641558b028ff74ebbd50736b146ac4935

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
9KB

MD5
4b965b05d147f575109d6a7ba9687f31

SHA1
3de0d94c9d1dcbe5f2fdebaafc74e12cab865a89

SHA256
1e4ae6bce3afaa6157623e3e3536898a933d6c8629f031bf69cea49c9a2f323e

SHA512
f25e0f68b909d1a6f0239207776028abba503e00797f950d9c26c7ec744f9ac4b6064aaadde99af2f6732c341a4bcdca1e37c8d796f8c55357e7a24ac8cf4ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
9KB

MD5
4b965b05d147f575109d6a7ba9687f31

SHA1
3de0d94c9d1dcbe5f2fdebaafc74e12cab865a89

SHA256
1e4ae6bce3afaa6157623e3e3536898a933d6c8629f031bf69cea49c9a2f323e

SHA512
f25e0f68b909d1a6f0239207776028abba503e00797f950d9c26c7ec744f9ac4b6064aaadde99af2f6732c341a4bcdca1e37c8d796f8c55357e7a24ac8cf4ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
35KB

MD5
7d31925096f132cda33af4b84cc7139a

SHA1
c5f1f7c4d194217c6d96c199e07d58b2fc384752

SHA256
301cf2ebd22d5b9232e8d5c4976261c54c24d584fe2325d3a249cebc4ca1daf3

SHA512
eac437350af3f8e2ebd151fcdbc768bab21ed8f7751a80898b17fa0483b9a2e7b44e87ba149e6a466e36bf908f26eb0878507bf9b8cd2aa03207978998e0322b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
35KB

MD5
7d31925096f132cda33af4b84cc7139a

SHA1
c5f1f7c4d194217c6d96c199e07d58b2fc384752

SHA256
301cf2ebd22d5b9232e8d5c4976261c54c24d584fe2325d3a249cebc4ca1daf3

SHA512
eac437350af3f8e2ebd151fcdbc768bab21ed8f7751a80898b17fa0483b9a2e7b44e87ba149e6a466e36bf908f26eb0878507bf9b8cd2aa03207978998e0322b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
64KB

MD5
12b81f0ebe52beda188076773ef9022d

SHA1
d18e3f8b3282f31eaa05fb9d2df63aa9ad43c793

SHA256
e0077a29665adfb634d6e0c6c9ef5208b1cbe31e395c33e65e959a90723d7ae5

SHA512
6496c1cea0477c61671a28cdc419f213d53b78113ffd91e47a70449a4b63ff976494eba16ef8dc6276b37eeaab7e3cd8ad0b4773f8c27d513f6d96c618b58a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
64KB

MD5
12b81f0ebe52beda188076773ef9022d

SHA1
d18e3f8b3282f31eaa05fb9d2df63aa9ad43c793

SHA256
e0077a29665adfb634d6e0c6c9ef5208b1cbe31e395c33e65e959a90723d7ae5

SHA512
6496c1cea0477c61671a28cdc419f213d53b78113ffd91e47a70449a4b63ff976494eba16ef8dc6276b37eeaab7e3cd8ad0b4773f8c27d513f6d96c618b58a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
64KB

MD5
76174c1064c5f4f8fb749b8f0d98e231

SHA1
216ead376d1e1ebd88bae263561888739bd9619c

SHA256
18f51c4d28bed802e1754585b6a95f8457273726f894d6446e8b458862c922cd

SHA512
32ae1a9316684efad7e3c67379fca96fc58b38db84e19cc9bd23ebced32a998cab66022a5fde43d8c5336796d5f86d72c49dc93d09a8a2c712522a7f07c6c615

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
64KB

MD5
90f604431c38f83d4f6ccfd117051098

SHA1
c4639643ff8486816d5be5f26bb3c2a5986bedc4

SHA256
5efb6d893e79d75e1945f5417cf68397662585f480300ac3043278647361694a

SHA512
8aaeb668c6f84f8db50a4c87c85940f68f1f1d15d1794b130334702135b55c58c80771cf5d4f599dd475db02a3da954a6216a25c479da4b508006fe96e7f0ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
64KB

MD5
fcead0565ed7e74638383ef7956852e2

SHA1
211c56ac28b59627e71126e5c637d5240aaf76ae

SHA256
2d7d3f4da9f6773e079288a910a07a64eb6b0553afc948ef63248e3013428a47

SHA512
126d5750670155b5d0b1ceb475ee175e1cb7b3efbf03cfdf48613436947e39c584b5b4c1bb47830853e1b7120ade70c437418edebe9f126a9aa157aebd08606b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
64KB

MD5
0151dc623e3586fdfd113585ab9bd0ee

SHA1
eb737827e675d902ec4a1d62f24257ab34f607a9

SHA256
34b40cc63c049f6081590caad800448e138ca63542c81d11c7fe3717be43b0ce

SHA512
da57b4a85d74fbd3409e56041c214fd3b06a7d089fd00f012716dd9bf1cf5e82c1ac33edf407a5f596e64ccb8d4e2c963eadf1f53d5a0c32d63c64b07a429435

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
64KB

MD5
82ba7d15beadedd5354b5e17945490d1

SHA1
502a14c2eeaa8313ddd9bd94f2aaa4e5c4cc13f4

SHA256
3ca22246c9d5ea6c9d62c864c5196b14d68a70fa76933083ef0f808dc8166165

SHA512
09d1e7124d0445245551e2937e51430c49824fe0b923b798dbeb89c5898e0155fd360855d20dbc910c8bcff4b35c6eebf1073240a3305f00b472553770873682

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F15.bin1

Filesize
64KB

MD5
5a0283ae7c3d5f55e77253d7b5dd17b5

SHA1
fbe3657d9559430a1283d0102ed52e14836d68f0

SHA256
894933b8012d5a9deddf17888259767308a2af64c926d234d7fb4fab1f64a953

SHA512
687f759c3bec33962edc7a10d23d010d9c2f81b992d3487a5d0290057459637f2cfb49f23b531f082c38b4e14ee3fe7d4e20a6d3538f3e0e1b7776bb61da18a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES692A.tmp

Filesize
1KB

MD5
c531a7a0d00f238c641e22f66153044f

SHA1
f969fec632e32082fbf6964b1b555229faad619b

SHA256
0a4d452b6972edd1acc8b4703ed45b03b13e6ca4f7abd7419ee9b97430698504

SHA512
110815478d9e9fa49bf59748e37c267fffeb5f86ffc396ff05007eb965c82e5f5b4efa149300a96db02cc0d83a123ec8347a8212d8e1d2c8ff18ec3cf3032f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A62.tmp

Filesize
1KB

MD5
7abddb49f90608620b103c863c4ba254

SHA1
2bce08f65e728e01bdff19a83ca90a15708afa03

SHA256
9bbaa8603f6790602ed8b0aab23a9ba5155e9c8e1871980c17bec10f3af35664

SHA512
2166ef090eb642ea7a69b19ab79d4d0ab381d8d9f3d3490e380b6015dc8a04e7e79a000707e866bd137c9a5dd2037dc370339bfabf919ec901e2034d00d5bcfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedwb1ri\bedwb1ri.dll

Filesize
3KB

MD5
b1eb2c7cf9737933a6486323c2bf17c9

SHA1
c640957bab794ee77592f9ec98ecb47b517c7a99

SHA256
7db09e9646b0295653e433386300a9988d017b39d574f24d4c4f565b974d70ea

SHA512
52606428f275f762d6923ecfd61bfea32cfdb31cc3c1680ea1b7304d4134c64e4f76ce160544dda4e65d8215bcb06ffb83bd81e887ac85967e00f67b57c2ca59

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0rabiwf\z0rabiwf.dll

Filesize
3KB

MD5
b5258b32ae1529d935125a6c259a6af5

SHA1
5d26d44f79990d18f9aafe7c709f199691c000fe

SHA256
adac1bddd7f61f3d87b2ce4606af61acd1d8d701756863ce8ce5f9921beea7a4

SHA512
98dfe3cde24703470000760d9792a6b64dca22f6700464aad3f567c63bacbf981323283a89dd98ba0a4d5fabcc54d47ec214d5a8e9f9cf78c6711af47cbe6b45

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bedwb1ri\CSC4B005356A0F449E09A72837388AB3AB.TMP

Filesize
652B

MD5
41c4c1fd1ebb57e93776aae79f74a0fc

SHA1
e3ad461ae0c5b16dfc5bf88910b50a923a3014a9

SHA256
0911c00ca4aa8edb62bcb70118f03a471f1385ff6ad9a94e79db91c8ee3a7de1

SHA512
440bf4cbf2de32b5aac0847c8d8904b71c02f5fa1110a7177862574745f2d06828801ab618554aaced8b621a4c71cc678a312a47e6b668e3324dc46cad5b7a05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bedwb1ri\bedwb1ri.0.cs

Filesize
408B

MD5
0a5374e53f44ac8b609707a893f72b21

SHA1
83ec00746897bcacf4c5a049b7e090d057f62cf9

SHA256
0388c68b7b848cb08941edbfe4bcaa8f6df3c461df1c9a7542103e279f64c5f9

SHA512
ce62cb7723a6fcb5448c7c096c293a503662888f75f1a92ea8a9a15955e82ad6f7773829604633782f0e3e8d5bb07286bc281a94d2f99f0f57d4cea4e873cdd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bedwb1ri\bedwb1ri.cmdline

Filesize
369B

MD5
4c78944c407862147c7a9cb43df0a126

SHA1
50757f9fdb0b0a4be328ea4810dd539f37df5145

SHA256
b783be3cc5d8f7cb898a65c6faa47dcb117b83983fbf2f14c3c2bcedd2431722

SHA512
78cac2414592268607e5d60351ef75378e1da42ae3063e87221c2d26823c78718aca76b79e8519b87ba70870c2b02ec59b97c79fd20468952a4f0aa1853434b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0rabiwf\CSC246D8C362B64ECDB7E79DD5469084F2.TMP

Filesize
652B

MD5
bf3b5b54440b84ee5d336161b914b30f

SHA1
8895e84d3a804535a8657136490ce41b21165052

SHA256
a2bd88ea6f8940b42c2c6434757eff1a5493247da17d9f9ad68dc80031749f89

SHA512
6c9998f0fc375df46bf2ac35dd7d3348cadc3bd13af51aaca794115e7245654460766772382d933a7601c5cd9be9f62ad200c503a1b3c20b2a29630c54f7a0b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0rabiwf\z0rabiwf.0.cs

Filesize
408B

MD5
f58cc7462a9dc35fa5ccf9d605d846f9

SHA1
c864bbe18005d5c8e0c95cf71cf82afc1f2222a0

SHA256
adea20d896d1565230e0799ac1e5e14719062ce0e00080c412222a98bddcadcb

SHA512
d13c80ea909a9f6ebedeaa8d4e73cfd01d3d8b465b02b1f5663f22ef189e9f0b5329b60fcb6c888334c370c69ca92dee1a9b5f0b0262377132e4a6822970e6f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0rabiwf\z0rabiwf.cmdline

Filesize
369B

MD5
907e0e00fe23681d8b28ef16e1434678

SHA1
10bcf272761dcc3b77395fb965d916bb39ed71b1

SHA256
83ea7288bfd1929c8221a0220bd6db5512d97dc85c49c9c9a6dc135eeee7b78a

SHA512
9cddd4e1e40c4797d8b5e3f2036095f40a08a8671675a1aacdaa712fc964a7c5aa7d5dc53c974c3f0a402031df5dbb1f6fadf52da94a3e90f01ef8def3cf702d

Download Submit
memory/1164-171-0x0000000000366B20-0x0000000000366B24-memory.dmp

Filesize
4B

Download
memory/1164-172-0x0000000000EF0000-0x0000000000F86000-memory.dmp

Filesize
600KB

Download
memory/1932-179-0x0000021D6AD10000-0x0000021D6ADB2000-memory.dmp

Filesize
648KB

Download
memory/1932-166-0x0000021D6AD10000-0x0000021D6ADB2000-memory.dmp

Filesize
648KB

Download
memory/2252-159-0x000002E5F5260000-0x000002E5F5D21000-memory.dmp

Filesize
10.8MB

Download
memory/2252-142-0x000002E5F6CF0000-0x000002E5F6D12000-memory.dmp

Filesize
136KB

Download
memory/2252-143-0x000002E5F5260000-0x000002E5F5D21000-memory.dmp

Filesize
10.8MB

Download
memory/2252-160-0x000002E5F6D20000-0x000002E5F6D5C000-memory.dmp

Filesize
240KB

Download
memory/2620-164-0x0000000007F80000-0x0000000008022000-memory.dmp

Filesize
648KB

Download
memory/2620-184-0x0000000007F80000-0x0000000008022000-memory.dmp

Filesize
648KB

Download
memory/3432-161-0x00000249C3400000-0x00000249C34A2000-memory.dmp

Filesize
648KB

Download
memory/3812-162-0x000001E5E3D70000-0x000001E5E3E12000-memory.dmp

Filesize
648KB

Download
memory/4456-174-0x00000173BA9E0000-0x00000173BAA82000-memory.dmp

Filesize
648KB

Download
memory/4700-165-0x0000013FFBB70000-0x0000013FFBC12000-memory.dmp

Filesize
648KB

Download
memory/5080-132-0x00000000006D3000-0x00000000006E3000-memory.dmp

Filesize
64KB

Download
memory/5080-139-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5080-138-0x00000000006D3000-0x00000000006E3000-memory.dmp

Filesize
64KB

Download
memory/5080-135-0x0000000000620000-0x000000000062D000-memory.dmp

Filesize
52KB

Download
memory/5080-134-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5080-133-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download