Analysis Overview
SHA256
642da4d1db6d446d3d119e7f8f56b98b41d5fc931e0112325bc4fbd70b05314c
Threat Level: Known bad
The file 0x0006000000023125-1062.dat was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Glupteba
RedLine
SmokeLoader
Detect ZGRat V1
ZGRat
RedLine payload
Smokeloader family
Downloads MZ/PE file
Modifies Windows Firewall
Deletes itself
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-12 12:12
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-12 12:12
Reported
2023-12-12 12:15
Platform
win7-20231020-en
Max time kernel
39s
Max time network
115s
Command Line
Signatures
Detect ZGRat V1
Glupteba
Glupteba payload
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ABE9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E995.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1180 wrote to memory of 2144 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ABE9.exe |
| PID 1180 wrote to memory of 2732 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E995.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | "C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe" |
| C:\Users\Admin\AppData\Local\Temp\ABE9.exe | C:\Users\Admin\AppData\Local\Temp\ABE9.exe |
| C:\Users\Admin\AppData\Local\Temp\E995.exe | C:\Users\Admin\AppData\Local\Temp\E995.exe |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\tuc3.exe | "C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-7LA8S.tmp\tuc3.tmp | "C:\Users\Admin\AppData\Local\Temp\is-7LA8S.tmp\tuc3.tmp" /SL5="$7011E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Users\Admin\AppData\Local\Temp\Broom.exe | C:\Users\Admin\AppData\Local\Temp\Broom.exe |
| C:\Users\Admin\AppData\Local\Temp\latestX.exe | "C:\Users\Admin\AppData\Local\Temp\latestX.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Windows\system32\makecab.exe | "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231212121339.log C:\Windows\Logs\CBS\CbsPersist_20231212121339.cab |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\system32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\system32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe" |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Users\Admin\AppData\Local\Temp\4378.exe | C:\Users\Admin\AppData\Local\Temp\4378.exe |
| C:\Users\Admin\AppData\Local\Temp\482A.exe | C:\Users\Admin\AppData\Local\Temp\482A.exe |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-12 12:12
Reported
2023-12-12 12:15
Platform
win10v2004-20231127-en
Max time kernel
70s
Max time network
135s
Command Line
Signatures
Detect ZGRat V1
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23BF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6B58.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3432 wrote to memory of 216 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23BF.exe |
| PID 3432 wrote to memory of 216 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23BF.exe |
| PID 3432 wrote to memory of 216 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23BF.exe |
| PID 3432 wrote to memory of 4696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6B58.exe |
| PID 3432 wrote to memory of 4696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6B58.exe |
| PID 3432 wrote to memory of 4696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6B58.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe
"C:\Users\Admin\AppData\Local\Temp\0x0006000000023125-1062.exe"
C:\Users\Admin\AppData\Local\Temp\23BF.exe
C:\Users\Admin\AppData\Local\Temp\23BF.exe
C:\Users\Admin\AppData\Local\Temp\6B58.exe
C:\Users\Admin\AppData\Local\Temp\6B58.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-GSPDH.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GSPDH.tmp\tuc3.tmp" /SL5="$90048,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Users\Admin\AppData\Local\Temp\BC96.exe
C:\Users\Admin\AppData\Local\Temp\BC96.exe
C:\Users\Admin\AppData\Local\Temp\C6E8.exe
C:\Users\Admin\AppData\Local\Temp\C6E8.exe
Network
Files