gozi | d37a1ad57c494e0a18f57ec18615582c270e8c74fdf5c01005e1cb42fcdb3aa7

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-02-2023 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

metaplatform02.pdf..lnk
Size

293.6MB
MD5

d8564cb88267993101b3f0f54048c6a4
SHA1

75dad371e05629179c7e30bd24a068553336aefd
SHA256

e80e664931e44044b7d162100524858755203db39402ddc8f816a508404ea3c5
SHA512

a41b87daa0aea3057a4e1cdd29a7aa81e488880e714139529c75bc714ac803dd43e6a0acac143d2c3edbfac4582205c66e822c4561e817a4337fcb910abb0d57
SSDEEP

24576:87MkCMWioaEMPQjw1coi5qsSrKz6Fwoh73sVDGSQ7wqfU:0hQRoAz6quxhC

Score

10^/10

gozi 1000 banker ldr4 trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

https://colodart.top

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exe

flow pid process

4 644 mshta.exe
6 644 mshta.exe
8 644 mshta.exe
10 644 mshta.exe
12 644 mshta.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1588 regsvr32.exe
888 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

688 timeout.exe
1528 timeout.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

flow	pid	process
4	644	mshta.exe
6	644	mshta.exe
8	644	mshta.exe
10	644	mshta.exe
12	644	mshta.exe

pid	process
1588	regsvr32.exe
888	regsvr32.exe

pid	process
688	timeout.exe
1528	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	mshta.exe

Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

mshta.exe

pid process

644 mshta.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1352 powershell.exe

pid	process
644	mshta.exe

pid	process
1352	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1352	powershell.exe
Token: 33	1684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1684	AUDIODG.EXE
Token: 33	1684	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1684	AUDIODG.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

cmd.execmd.exemshta.exepowershell.exeregsvr32.exeregsvr32.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1588 wrote to memory of 1940	1588	cmd.exe	cmd.exe
PID 1588 wrote to memory of 1940	1588	cmd.exe	cmd.exe
PID 1588 wrote to memory of 1940	1588	cmd.exe	cmd.exe
PID 1940 wrote to memory of 1692	1940	cmd.exe	certutil.exe
PID 1940 wrote to memory of 1692	1940	cmd.exe	certutil.exe
PID 1940 wrote to memory of 1692	1940	cmd.exe	certutil.exe
PID 1940 wrote to memory of 644	1940	cmd.exe	mshta.exe
PID 1940 wrote to memory of 644	1940	cmd.exe	mshta.exe
PID 1940 wrote to memory of 644	1940	cmd.exe	mshta.exe
PID 1940 wrote to memory of 644	1940	cmd.exe	mshta.exe
PID 644 wrote to memory of 688	644	mshta.exe	timeout.exe
PID 644 wrote to memory of 688	644	mshta.exe	timeout.exe
PID 644 wrote to memory of 688	644	mshta.exe	timeout.exe
PID 644 wrote to memory of 688	644	mshta.exe	timeout.exe
PID 644 wrote to memory of 1352	644	mshta.exe	powershell.exe
PID 644 wrote to memory of 1352	644	mshta.exe	powershell.exe
PID 644 wrote to memory of 1352	644	mshta.exe	powershell.exe
PID 644 wrote to memory of 1352	644	mshta.exe	powershell.exe
PID 1352 wrote to memory of 1528	1352	powershell.exe	timeout.exe
PID 1352 wrote to memory of 1528	1352	powershell.exe	timeout.exe
PID 1352 wrote to memory of 1528	1352	powershell.exe	timeout.exe
PID 1352 wrote to memory of 1528	1352	powershell.exe	timeout.exe
PID 644 wrote to memory of 1588	644	mshta.exe	regsvr32.exe
PID 644 wrote to memory of 1588	644	mshta.exe	regsvr32.exe
PID 644 wrote to memory of 1588	644	mshta.exe	regsvr32.exe
PID 644 wrote to memory of 1588	644	mshta.exe	regsvr32.exe
PID 644 wrote to memory of 1588	644	mshta.exe	regsvr32.exe
PID 644 wrote to memory of 1588	644	mshta.exe	regsvr32.exe
PID 644 wrote to memory of 1588	644	mshta.exe	regsvr32.exe
PID 1588 wrote to memory of 888	1588	regsvr32.exe	regsvr32.exe
PID 1588 wrote to memory of 888	1588	regsvr32.exe	regsvr32.exe
PID 1588 wrote to memory of 888	1588	regsvr32.exe	regsvr32.exe
PID 1588 wrote to memory of 888	1588	regsvr32.exe	regsvr32.exe
PID 1588 wrote to memory of 888	1588	regsvr32.exe	regsvr32.exe
PID 1588 wrote to memory of 888	1588	regsvr32.exe	regsvr32.exe
PID 1588 wrote to memory of 888	1588	regsvr32.exe	regsvr32.exe
PID 888 wrote to memory of 1592	888	regsvr32.exe	cmd.exe
PID 888 wrote to memory of 1592	888	regsvr32.exe	cmd.exe
PID 888 wrote to memory of 1592	888	regsvr32.exe	cmd.exe
PID 1592 wrote to memory of 772	1592	cmd.exe	net.exe
PID 1592 wrote to memory of 772	1592	cmd.exe	net.exe
PID 1592 wrote to memory of 772	1592	cmd.exe	net.exe
PID 772 wrote to memory of 1780	772	net.exe	net1.exe
PID 772 wrote to memory of 1780	772	net.exe	net1.exe
PID 772 wrote to memory of 1780	772	net.exe	net1.exe
PID 888 wrote to memory of 1748	888	regsvr32.exe	cmd.exe
PID 888 wrote to memory of 1748	888	regsvr32.exe	cmd.exe
PID 888 wrote to memory of 1748	888	regsvr32.exe	cmd.exe
PID 1748 wrote to memory of 1168	1748	cmd.exe	nltest.exe
PID 1748 wrote to memory of 1168	1748	cmd.exe	nltest.exe
PID 1748 wrote to memory of 1168	1748	cmd.exe	nltest.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\metaplatform02.pdf..lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist C:\Users\Admin\AppData\Local\Temp\temp1_mplatform.zip\metaplatform02.pdf..lnk (certutil.exe -decode C:\Users\Admin\AppData\Local\Temp\temp1_mplatform.zip\metaplatform02.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta&start C:\Users\Admin\AppData\Local\Temp\.hta)else (certutil -decode metaplatform02.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta&start C:\Users\Admin\AppData\Local\Temp\.hta)
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\certutil.exe
certutil -decode metaplatform02.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta
3⤵
PID:1692

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\.hta"
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\System32\timeout.exe" /t 30
4⤵
- Delays execution with timeout.exe
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAQwA6AFwAIgA7AHQAaQBtAGUAbwB1AHQAIAAxADUA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\system32\timeout.exe" 15
5⤵
- Delays execution with timeout.exe
PID:1528

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\x.dll
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\x.dll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\cmd.exe
cmd /c "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\7FB0.tmp
6⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\net.exe
net group "domain computers" /domain
7⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
8⤵
PID:1780

C:\Windows\system32\cmd.exe
cmd /c "nltest /dclist:" >> C:\Users\Admin\AppData\Local\Temp\4B5C.tmp
6⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\nltest.exe
nltest /dclist:
7⤵
PID:1168

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1976

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ecb6d1bde86c77e5258e0c389ab07640

SHA1
85de14be97847a3d44316b8c99065e9142a026a5

SHA256
e83c8cc0bb431d66c83cf0888d85b8c333defc1a41bf7e103064db66c52eb32b

SHA512
3e7c6f9767202df55609a6cea1185f7efb8058ecbb038fe0175a8b11dfe1631fd2d3de89bd6c757fbeaacff1a12e3157c0ba3617f9a88682bcc984dc7c609112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
44d7b6c1d601a0b4b40035c8b2a54add

SHA1
46de1fbd84a89fd338a7d8e5730180c86926c098

SHA256
a7d5ae813bcb5af5f3d53d76a45b9d82f8ff77f28ef97c40da8f3a721ec4b26f

SHA512
929a547d5c1157a01a5aa709b1938514a530063f414c149c03fc5c104ad76b7ec54103d9fc27e0bda1ba2495a920ed4d7e823a984ccadee1ecfc014efaeb447e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.hta
Filesize
29.4MB

MD5
31c3b2996567f246db9e134fd2f0df7d

SHA1
4b7c90a53bf6b56e64fff86ba87a27aa742e9310

SHA256
9738aa16bc292b49423c290c09136c40d0e08727595f7e8e5a44496bb4af7228

SHA512
e30d7170d743a8bfe0e8b4c44d6ed82a901c0289c8f595ae18e74dc80f5a67813babb3de39f5ed72cdf522e2868024eeb467a2907d5e8056e8a7017735625613

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B5C.tmp
Filesize
36B

MD5
c58986635c266e6c06609b908580bede

SHA1
4672dce03d3dd9560cf74035aff3d9aebb7201e4

SHA256
a2f1bb2817f976e129974b003e3ec12fb8a644c1952bb667116317fd26416042

SHA512
36241e4bda8ad7e4137624bbfbb999c643d34a2095ba078f9886d92f4726913bdb9dc1e1f44141a6738c1e4d9042b802e49f774c0f1c6901735f4b069834449f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FB0.tmp
Filesize
78B

MD5
aaec14b2de8e2fdaf8427672122af65c

SHA1
ca953efad669c93af85b968d747baa544d4465fb

SHA256
14c94c44d0eb89a820d96e1791f4b754c87ee778b5f4478289df0fb22e1c3da1

SHA512
a5cbad3de5070fdcd6aa7f3f5eda42b69faef44a431cf48e20ca1f4f42c648ee80bd5f1d9b981624ae6b39e2435b4278c9fd1e97491e3b244a2bba7d629021a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA2A8.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA2F9.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.dll
Filesize
334.4MB

MD5
12385eaa57c3fc38cb2e10ea348a14d0

SHA1
a49dfb815c67d47326f4d823ad8b79101e099754

SHA256
31a4be5978fffc0eadb06152d391ec6b9884c71c8956ef204dd85695e8724976

SHA512
dea2270662875f520325b38e4d18692cae0d4286c52dab93ba5c6fe62c34d9554743645526214960daef8cae50d0730f377bcf7ae74faacea489c3d6c037111a

Download Submit
\Users\Admin\AppData\Local\Temp\x.dll
Filesize
334.4MB

MD5
12385eaa57c3fc38cb2e10ea348a14d0

SHA1
a49dfb815c67d47326f4d823ad8b79101e099754

SHA256
31a4be5978fffc0eadb06152d391ec6b9884c71c8956ef204dd85695e8724976

SHA512
dea2270662875f520325b38e4d18692cae0d4286c52dab93ba5c6fe62c34d9554743645526214960daef8cae50d0730f377bcf7ae74faacea489c3d6c037111a

Download Submit
\Users\Admin\AppData\Local\Temp\x.dll
Filesize
334.4MB

MD5
12385eaa57c3fc38cb2e10ea348a14d0

SHA1
a49dfb815c67d47326f4d823ad8b79101e099754

SHA256
31a4be5978fffc0eadb06152d391ec6b9884c71c8956ef204dd85695e8724976

SHA512
dea2270662875f520325b38e4d18692cae0d4286c52dab93ba5c6fe62c34d9554743645526214960daef8cae50d0730f377bcf7ae74faacea489c3d6c037111a

Download Submit
memory/888-212-0x00000000005B0000-0x00000000005C3000-memory.dmp

Filesize
76KB

Download
memory/888-208-0x0000000180000000-0x0000000180014000-memory.dmp

Filesize
80KB

Download
memory/888-206-0x0000000001D50000-0x0000000001E03000-memory.dmp

Filesize
716KB

Download
memory/888-215-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/888-237-0x0000000001D50000-0x0000000001E03000-memory.dmp

Filesize
716KB

Download
memory/888-241-0x0000000001D50000-0x0000000001E03000-memory.dmp

Filesize
716KB

Download
memory/1352-200-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/1352-201-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download
memory/1352-199-0x00000000024C0000-0x0000000002500000-memory.dmp

Filesize
256KB

Download