Analysis Overview
SHA256
df09728a6383db0b8bb9f28a04ccd0c358e3f525c1d340c94d481fe8c97b4adb
Threat Level: Known bad
The file b333502d7915bbd0911087435549fd31.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
RedLine payload
Smokeloader family
ZGRat
RedLine
Detect ZGRat V1
Downloads MZ/PE file
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-18 23:36
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-18 23:36
Reported
2023-12-18 23:38
Platform
win7-20231215-en
Max time kernel
28s
Max time network
61s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6529.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1136 wrote to memory of 2768 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6529.exe |
| PID 1136 wrote to memory of 2768 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6529.exe |
| PID 1136 wrote to memory of 2768 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6529.exe |
| PID 1136 wrote to memory of 2768 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6529.exe |
| PID 1136 wrote to memory of 2732 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\788B.exe |
| PID 1136 wrote to memory of 2732 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\788B.exe |
| PID 1136 wrote to memory of 2732 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\788B.exe |
| PID 1136 wrote to memory of 2732 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\788B.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe
"C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe"
C:\Users\Admin\AppData\Local\Temp\6529.exe
C:\Users\Admin\AppData\Local\Temp\6529.exe
C:\Users\Admin\AppData\Local\Temp\788B.exe
C:\Users\Admin\AppData\Local\Temp\788B.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\is-QSBM8.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QSBM8.tmp\tuc3.tmp" /SL5="$B0118,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231218233632.log C:\Windows\Logs\CBS\CbsPersist_20231218233632.cab
C:\Users\Admin\AppData\Local\Temp\800B.exe
C:\Users\Admin\AppData\Local\Temp\800B.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.156:80 | api.ipify.org | tcp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
Files
memory/2956-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2956-2-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1136-1-0x0000000002D30000-0x0000000002D46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6529.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/2768-14-0x0000000000270000-0x00000000002C2000-memory.dmp
memory/2768-19-0x00000000746A0000-0x0000000074D8E000-memory.dmp
memory/2768-20-0x00000000004B0000-0x00000000004F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\788B.exe
| MD5 | 725aed39d183d02126c33fa967f20a15 |
| SHA1 | e5a2b5af28faaf9bba011f5a23b05f795ed3e57c |
| SHA256 | 7dcfd89566be780eed24403d3525237ae4ddb65c3e781771c5c5ef07dd8622a0 |
| SHA512 | 25e12f63397a3b8e368059776b163ac874e6727d94cfd3c1a48ccd96f11a61011946d2599667a00438cbc3b2b3f53802e77e4944108f55f4949bba063fa8187b |
C:\Users\Admin\AppData\Local\Temp\788B.exe
| MD5 | bafc3a00205620e87674e44812e735d7 |
| SHA1 | f451866e8b53a9dc19dcb04de51e0674744cf739 |
| SHA256 | 491c5b0f041e35eab6e2daff307f05edfa4c3eb4cadbb994808f823e29d89511 |
| SHA512 | 4fe344a8c876bdadfe39f536f4c3edbfa4b3eda08ea5ca963c275972670072e9a12fed32b520c858cb69f24b082a66fb745c49ac60f8461869554c12ca4c2210 |
memory/2732-28-0x00000000746A0000-0x0000000074D8E000-memory.dmp
memory/2732-29-0x0000000000CE0000-0x0000000001AD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 590fed46197e0cf3d4f5de6198046ba0 |
| SHA1 | 69e2b969ccc8fe46953a7c78649b491979f19d82 |
| SHA256 | a4c8ffbe8e69ef10ef0559a0eac1ed37c70144d03a64413f5696ad08c8863725 |
| SHA512 | d0465694287cfc0db5f436e95796b3b712cb06cbfae12dea63a5fb67a0433269dc9e6841b3e11fb3f9f0a4ef22999afaa790b94ae15f9e290d00cf06de73a915 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
| SHA512 | 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56 |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 8a6c5942ca2a116d0ecd4a1581249024 |
| SHA1 | 27b1a8b2a1b63548effea4f4af6ef9a5ee9fb0c6 |
| SHA256 | 84fb114d38fa540485af6ab7c26576465f319da7615c1aad8206b6af218b3795 |
| SHA512 | 27b86fea5eb2eeedd84f7569a1c468e59655fd7e1efae83247b759260d0fc883ac4afa803b5675492a324bb6c33376ca358573dbd7a2f82331c79fcb07101bf3 |
\Users\Admin\AppData\Local\Temp\nso79C3.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 8efd10517b244be1e9823598fd1064dd |
| SHA1 | 6b1907fde87ecd45d7499a2c67459acbc3851f60 |
| SHA256 | 0da86d3a8f0dcb8ec9e83b2a728adea630441ab7a7e74a712e76c08c338dee1e |
| SHA512 | 63e53d2f5f75a9c365ccdb6e5ca5122d0cf99d0a6c4cefd901ac1c117d726f3282808a3c68d76ec623a4921d5a86685676b40dbababfc81c63b79583ed23de10 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | b7852328f0472435cc5b825a59d4106b |
| SHA1 | 569de491ea4caf23013a8b5ddc5c61bd2355fd3b |
| SHA256 | e1da6b19e68d55bfe20198d51be1d9364edb9485652c082b6e04beba63750080 |
| SHA512 | d46f233f4fe0a98b61b36a8c67a7af6a41bbf744e5c7c5953202fed927c62a2a849fe85b48cee329b4d2f4235c83a105a4976e682eda1076454c44ab52f514a0 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c4ac162c472df49b72d70d7300d525b4 |
| SHA1 | ea32ec77b7a359c2f64277868bffe507cea960d3 |
| SHA256 | 25bbdc4b18fdc307f410972cb0e154c17a62d3f28001680ae6ab07fc9fb48398 |
| SHA512 | 0e4e4da4e3ee4a12556e75c00db109177ebf3ca6f95f0548f738bc491e03e3c9ff90e75fc1605680fbd11f20a30f0e39884bbeb34d9a225a11544abfe92923b7 |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 22e856a31d351769a20175d76885a7a4 |
| SHA1 | 99f4664d3730659d103e4523a78d7f52e51f00cd |
| SHA256 | e1c6aab4309495a3dc499a3664a8ffce685e29754a146bad86a1eacb83e7723e |
| SHA512 | 8689708af076f1555600dada7d26672160204d1f04455511174098ce351db2b95cc24b3308559e7b829d8b3703bd1ee62b26fb587c8a896e63cf106ef480343a |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | c49612730cd659854c1765f433a2e73c |
| SHA1 | 011217a69068c89c80037e71deab52ef8198a00f |
| SHA256 | 174e8a0b7b93f6b3037c827e80f4f5895f868c3c3da0042be28712ed1ef1c65f |
| SHA512 | 2e289f23dee4ace4f9d51dad151bc6b8cdf3c61655fd9d156d27cbc070ca0fbaea8d283e7a510433fc41bf9799b94a9405dd8a5c5da266688f3f06286efd0f2e |
memory/2732-71-0x00000000746A0000-0x0000000074D8E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 8c117fb339d72646ba3d78ec53b2fa66 |
| SHA1 | 1eaefe2d23cf8f6944adfa6c08e13be3428b5c83 |
| SHA256 | 05a772dc390416f522036d33ab7dca7568387d276521f8b2e3d597a35101384a |
| SHA512 | 25f8f565dc7784b2dcb652d604ec07b83185666a27e9e69548069f417c4b72de5e4fc56d56d7cbf6ee9d882dcdc5974cf9ddbb5ecf820b4500a821d6e22763a5 |
memory/2948-70-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1244-62-0x0000000002830000-0x0000000002C28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 92ca2d993473f3049394cc183e58a2fe |
| SHA1 | 9ec1192c250f8fe9951acd5e5986ced53cea3219 |
| SHA256 | 4a45a6b65a1cdb3c1bc4b04b24a6b40ac22c47fe42202178ecb7b842aab9208c |
| SHA512 | afcae58626229dd07d8104fd536a1550f58a59c2f2451c475c9ef576f4a8afe92658b0c4546272a1835881e7eb2a3ce76ad995befa1e172934c2d87447cbe1c6 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | a79a7522238303c575638d02da904bdd |
| SHA1 | bb945a0cc4a85092428dd893aedeaebe239e98cb |
| SHA256 | 3bf49798905162ff2539651f8b767689c5c0a0b1f81022f02a19e24d8f532e38 |
| SHA512 | c9a7579aaa06918b976e8a3fe891a52a691ef29021044c510acdc227f591f9434329d9e742d892653cc61c72476a0d15037a748e4efc949ff58a0781993b4525 |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 4c454b9b8e14cc85c5574325ab530dc5 |
| SHA1 | e91f1b7d1ca624cfc6f055ecd110396db491b5a2 |
| SHA256 | 578b3ccac47d6d8d67fe5e06ab580a8aeb41afd302fa51ca109a8869da7dd83f |
| SHA512 | 7038d277b39e8faa01abdf0727d86c74d7a1d93e9a5a4e32bec460f227a7cc7f37fa5fbb73ad888ff0888492916871cf0c5dd85da9844f3af58c2260c9eee1fc |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 80b0e2eb66024840a74640de53777e5e |
| SHA1 | 2a58361112b6669a416024508d084824beffce44 |
| SHA256 | 6785708e6b04b7a3d24c9853ed0e784ace03c7fbb7c1f07104b1398fdc459abc |
| SHA512 | e235ae2053de7a4bd10d1f915446fee5b74fa560bf30fdbf745eb87c3f7fd3843dccc61f300039bf9293345618dbdd7913474d0837a566e12d0bb2a54d30ef8d |
\Users\Admin\AppData\Local\Temp\nso79C3.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/2844-85-0x0000000000970000-0x0000000000A70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-QSBM8.tmp\tuc3.tmp
| MD5 | e2bbe2ff3a975baf7e2ed94b4760519a |
| SHA1 | 842fae703269a343986b7fb77cf0862dd404c62e |
| SHA256 | 5019563a037e4b6541aafc29c88af7500e8b7b3bf4e7dda726930ff1d6db9b05 |
| SHA512 | ba08082d2c5ee85fc8461482bf56a371736af709d30e493f37ee430a56d7cf01111a36645dc65350f426762cf29161bcfa00d632bdc2119326e6fe8e7404cf17 |
memory/2844-90-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1244-96-0x0000000002C30000-0x000000000351B000-memory.dmp
memory/2484-94-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1020-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1020-97-0x0000000000400000-0x0000000000409000-memory.dmp
\??\c:\users\admin\appdata\local\temp\is-qsbm8.tmp\tuc3.tmp
| MD5 | 1b2854540f25867b739031919305c0b8 |
| SHA1 | 19782ad63276161f7a6d2bf201bc16dad0749766 |
| SHA256 | ee8361b693a16e91518733deb225fc4e05b85f51b285cf6cda77f6821aa50526 |
| SHA512 | 9ef955d9fd887a0a8d0e39197b5a12089c441ba4e7328473c05eb1deec01064855beae0beb6b53741405a1b1a0950fe2d3931d187d2115ac947884e31646380c |
\Users\Admin\AppData\Local\Temp\is-1KC81.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
\Users\Admin\AppData\Local\Temp\is-1KC81.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/1020-115-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1244-114-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-1KC81.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2160-101-0x00000000001D0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-QSBM8.tmp\tuc3.tmp
| MD5 | ae3d3fae806bf6c98761b11790b0a0ea |
| SHA1 | 2b523094d7b2e121ed755d9b0b4b75fd713c344f |
| SHA256 | 93eb1543f77ecb3e38e0261b10ce402e3472124cebaa8e680579addafd2479f8 |
| SHA512 | f33c4322bf9880d7a5dcce2b7f5fef4be3d23d7a7ddfaae951a5f03cb03e81826697ad1ee2d9e94a290d76bba749a19abe6579c21c2010d807bd3b0012526f23 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 9fc43b3decc3b0d6b0e49c4c624834b2 |
| SHA1 | 590caa2697a8095c2560056dae3d308566630d06 |
| SHA256 | 183f8abd02fad3f81652a9310a5431d7d3e466d395a728d37b2a4fd7cf29d82c |
| SHA512 | 57a4dabcfd35e78e85e170f58aa2a53fc6fbdee74182ce6c5aa63ef94e642db65513f8c7e6310e34b7d5f62855cbb75eeb46b76e96c72cb9a90006a6bfd2a468 |
memory/1244-84-0x0000000002830000-0x0000000002C28000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-18 23:36
Reported
2023-12-18 23:38
Platform
win10v2004-20231215-en
Max time kernel
39s
Max time network
78s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F3A7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3C5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2FE7.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F3A7.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3552 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F3A7.exe |
| PID 3552 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F3A7.exe |
| PID 3552 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F3A7.exe |
| PID 3552 wrote to memory of 1608 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3C5.exe |
| PID 3552 wrote to memory of 1608 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3C5.exe |
| PID 3552 wrote to memory of 1608 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3C5.exe |
| PID 3552 wrote to memory of 2436 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2FE7.exe |
| PID 3552 wrote to memory of 2436 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2FE7.exe |
| PID 3552 wrote to memory of 2436 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2FE7.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe
"C:\Users\Admin\AppData\Local\Temp\b333502d7915bbd0911087435549fd31.exe"
C:\Users\Admin\AppData\Local\Temp\F3A7.exe
C:\Users\Admin\AppData\Local\Temp\F3A7.exe
C:\Users\Admin\AppData\Local\Temp\3C5.exe
C:\Users\Admin\AppData\Local\Temp\3C5.exe
C:\Users\Admin\AppData\Local\Temp\2FE7.exe
C:\Users\Admin\AppData\Local\Temp\2FE7.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c install.bat
C:\Users\Admin\AppData\Local\Temp\37F6.exe
C:\Users\Admin\AppData\Local\Temp\37F6.exe
C:\Users\Admin\AppData\Local\Temp\3E8F.exe
C:\Users\Admin\AppData\Local\Temp\3E8F.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.85.108:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.85.217.52.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
Files
memory/4572-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3552-1-0x00000000028F0000-0x0000000002906000-memory.dmp
memory/4572-2-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F3A7.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/3124-12-0x00000000001A0000-0x00000000001F2000-memory.dmp
memory/3124-17-0x0000000075180000-0x0000000075930000-memory.dmp
memory/3124-18-0x0000000005190000-0x0000000005734000-memory.dmp
memory/3124-19-0x0000000004CC0000-0x0000000004D52000-memory.dmp
memory/3124-20-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
memory/3124-21-0x0000000004CA0000-0x0000000004CAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3C5.exe
| MD5 | 63fc8fdcdac9bcbc11a2d6e7f254101e |
| SHA1 | fb0e56a9a57b9e477c6914abeaaa0e660fc3509e |
| SHA256 | 6c7d17d9e24d0f5f17d69170ddfa999a11aeab30738b555bad52603d68e15811 |
| SHA512 | 1d6e24a0a73b7c64c2639045944fdb53c07e9183d1cef1bf3d011ce10c3341a1c5653375899c87bba070d84585455f467812d1ac3716c35de2525f278ca58fe4 |
C:\Users\Admin\AppData\Local\Temp\3C5.exe
| MD5 | 85eea05f6f09b8e6c628d22b52a9bc68 |
| SHA1 | c0a31fd14e974948e59b783f3d63972fe33dcbf9 |
| SHA256 | 06b8e22b62ec1453cdb38befb979a0565baea42ec1e1249b14eb0368cc65802e |
| SHA512 | ef4d5b73cfdc917c1a6982be6a3c191eb91eef62415380ffbb79f6f430ef4431fbf3ee1e133534d48a1c180fbeaa86af32f667c3eb29a8da650999ab34a3cd4f |
memory/1608-27-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1608-26-0x0000000000070000-0x000000000050E000-memory.dmp
memory/1608-28-0x0000000005080000-0x000000000511C000-memory.dmp
memory/3124-29-0x00000000062B0000-0x00000000068C8000-memory.dmp
memory/1608-31-0x0000000005150000-0x0000000005160000-memory.dmp
memory/3124-32-0x0000000007B30000-0x0000000007C3A000-memory.dmp
memory/3124-33-0x0000000006170000-0x0000000006182000-memory.dmp
memory/3124-34-0x00000000061D0000-0x000000000620C000-memory.dmp
memory/3124-35-0x0000000006220000-0x000000000626C000-memory.dmp
memory/3124-36-0x0000000008770000-0x00000000087D6000-memory.dmp
memory/3124-37-0x0000000008B70000-0x0000000008BC0000-memory.dmp
memory/3124-38-0x0000000008D90000-0x0000000008F52000-memory.dmp
memory/3124-39-0x0000000009490000-0x00000000099BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2FE7.exe
| MD5 | f95880c575df6f8c0141558b55f36892 |
| SHA1 | 7d91d24fab8089112aa32b823ee9447a2f2f074b |
| SHA256 | 6a8905ff3cbfd4f997c0f36d8d07a14293924ee662b51a39ad7b4ac45037b9e8 |
| SHA512 | 30aa67424807c6b53138c126f6c1ab8fa3ea47714e50b04f8d56f0cb24e3eb9c26591a6d3ba8e7951059fef112890198082cb993fd98567807c14242449d07e5 |
C:\Users\Admin\AppData\Local\Temp\2FE7.exe
| MD5 | 718733b13df8469f430bc86b91e1946c |
| SHA1 | bd381c596389c398d5fbe243fb6122da950d055b |
| SHA256 | 9e9300fa34e75bf113ef34699de103a98042fb97618a690a900d92e91bda85a0 |
| SHA512 | 99f98ffd9f9aacf2813050aec8b56dbb28e6fba273466e718d1e90ab412ec0d430f2c57231aef836018e7aa2b948de767d212ed1cd2620bea242d5d508c40005 |
memory/2436-44-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1608-45-0x0000000005A40000-0x0000000005C08000-memory.dmp
memory/2436-46-0x00000000006E0000-0x00000000014D2000-memory.dmp
memory/1608-47-0x0000000006D10000-0x0000000006EA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/1608-54-0x0000000005150000-0x0000000005160000-memory.dmp
memory/1608-53-0x0000000005150000-0x0000000005160000-memory.dmp
memory/1608-55-0x0000000005140000-0x0000000005150000-memory.dmp
memory/1608-56-0x0000000005150000-0x0000000005160000-memory.dmp
memory/1608-57-0x0000000005150000-0x0000000005160000-memory.dmp
memory/1660-59-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3124-60-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1608-61-0x0000000005150000-0x0000000005160000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\37F6.exe
| MD5 | dc6fbf2cd9ad1f1f0ac200e9bec7ea3f |
| SHA1 | c3af9d82d270829784339331dea63f927400e0d4 |
| SHA256 | 2337b4b50924227e6f8772d9ce4b4bdbe6b8cfff15f493ea977e7c1280ad8590 |
| SHA512 | 39307ae10cd7db4ff6da65090bf86af362955c25793dcf60cff65892aa759d3befc1180ee9039f5611f2d8393848a4f265dd34dd690161488b99c2a30b4aae2f |
memory/1608-70-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1608-71-0x0000000007480000-0x0000000007580000-memory.dmp
memory/1608-69-0x0000000007480000-0x0000000007580000-memory.dmp
memory/1608-66-0x0000000005150000-0x0000000005160000-memory.dmp
memory/1660-72-0x0000000075180000-0x0000000075930000-memory.dmp