Analysis Overview
SHA256
816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7
Threat Level: Known bad
The file b6495a9c6a890740db6f41bf37af8427.exe was found to be: Known bad.
Malicious Activity Summary
ZGRat
SmokeLoader
Detect ZGRat V1
RedLine payload
RedLine
Smokeloader family
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2023-12-18 21:40
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-18 21:40
Reported
2023-12-18 21:43
Platform
win7-20231215-en
Max time kernel
27s
Max time network
96s
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\601A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71E6.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1232 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\601A.exe |
| PID 1232 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\601A.exe |
| PID 1232 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\601A.exe |
| PID 1232 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\601A.exe |
| PID 1232 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71E6.exe |
| PID 1232 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71E6.exe |
| PID 1232 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71E6.exe |
| PID 1232 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71E6.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe
"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"
C:\Users\Admin\AppData\Local\Temp\601A.exe
C:\Users\Admin\AppData\Local\Temp\601A.exe
C:\Users\Admin\AppData\Local\Temp\71E6.exe
C:\Users\Admin\AppData\Local\Temp\71E6.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231218214107.log C:\Windows\Logs\CBS\CbsPersist_20231218214107.cab
C:\Users\Admin\AppData\Local\Temp\is-OF46U.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OF46U.tmp\tuc3.tmp" /SL5="$8011E,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.156:80 | api.ipify.org | tcp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-18 21:40
Reported
2023-12-18 21:43
Platform
win10v2004-20231215-en
Max time kernel
43s
Max time network
92s
Signatures
Detect ZGRat V1
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DF5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2055.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DDF.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DF5.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3532 wrote to memory of 4576 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DF5.exe |
| PID 3532 wrote to memory of 4576 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DF5.exe |
| PID 3532 wrote to memory of 4576 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DF5.exe |
| PID 3532 wrote to memory of 4692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2055.exe |
| PID 3532 wrote to memory of 4692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2055.exe |
| PID 3532 wrote to memory of 4692 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2055.exe |
| PID 3532 wrote to memory of 1380 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DDF.exe |
| PID 3532 wrote to memory of 1380 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DDF.exe |
| PID 3532 wrote to memory of 1380 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DDF.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe
"C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe"
C:\Users\Admin\AppData\Local\Temp\DF5.exe
C:\Users\Admin\AppData\Local\Temp\DF5.exe
C:\Users\Admin\AppData\Local\Temp\2055.exe
C:\Users\Admin\AppData\Local\Temp\2055.exe
C:\Users\Admin\AppData\Local\Temp\4DDF.exe
C:\Users\Admin\AppData\Local\Temp\4DDF.exe
C:\Users\Admin\AppData\Local\Temp\54F4.exe
C:\Users\Admin\AppData\Local\Temp\54F4.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c install.bat
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\5B00.exe
C:\Users\Admin\AppData\Local\Temp\5B00.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | N/A | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.216.56.97:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.56.216.52.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
Files