a310logger | b77f7c59b071608e552cf6ccae6f9e0e3f6790d83ec7d163713b0eedc6eccf25

Analysis

max time kernel
149s
max time network
131s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 20:35 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

113f59d0bd4384226e40c17bf899935d.exe
Size

955KB
MD5

113f59d0bd4384226e40c17bf899935d
SHA1

4bf159402cefe87d328182fee0e82297b1fff5c5
SHA256

b77f7c59b071608e552cf6ccae6f9e0e3f6790d83ec7d163713b0eedc6eccf25
SHA512

d8e3717916475013e8ec8cc5a5fef303c4467fe66b944f1031ee73ad964a6a699d3c872a305173ac7565e5000ade605e8cef1cbe3ca9438ac1f85993a69a3b78
SSDEEP

12288:gFrXv++Cjkemhes5D9Bq1U50kb9zU9uRyM3/CsUABjFG3CiEN4/PosRbOt/kUQQj:gFrpCDsz2SCyiJA+O9ENGZOMb

Score

10^/10

a310logger stormkitty zgrat collection rat spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/3040-4-0x0000000000520000-0x0000000000536000-memory.dmp	family_zgrat_v1

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 7 IoCs

resource	yara_rule
behavioral1/memory/2840-36-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2840-34-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2840-32-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2840-28-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2840-26-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/1644-151-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/1644-153-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

A310logger Executable 8 IoCs

resource	yara_rule
behavioral1/memory/2840-36-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/2840-34-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/2840-32-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/2840-28-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/2840-26-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/files/0x000c000000014490-131.dat	a310logger
behavioral1/memory/1644-151-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/1644-153-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger

Executes dropped EXE 2 IoCs

pid	Process
644	MZ.exe
1084	MZ.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	InstallUtil.exe
1644	InstallUtil.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 2376 set thread context of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 set thread context of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 set thread context of 1612	2376	113f59d0bd4384226e40c17bf899935d.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
644	MZ.exe
644	MZ.exe
1084	MZ.exe
1084	MZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2376	113f59d0bd4384226e40c17bf899935d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	MZ.exe
Token: SeDebugPrivilege	1084	MZ.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	113f59d0bd4384226e40c17bf899935d.exe
2376	113f59d0bd4384226e40c17bf899935d.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 3040 wrote to memory of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 3040 wrote to memory of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 3040 wrote to memory of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 3040 wrote to memory of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 3040 wrote to memory of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 3040 wrote to memory of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 3040 wrote to memory of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 3040 wrote to memory of 2376	3040	113f59d0bd4384226e40c17bf899935d.exe	30
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2376 wrote to memory of 2840	2376	113f59d0bd4384226e40c17bf899935d.exe	28
PID 2840 wrote to memory of 644	2840	InstallUtil.exe	31
PID 2840 wrote to memory of 644	2840	InstallUtil.exe	31
PID 2840 wrote to memory of 644	2840	InstallUtil.exe	31
PID 2840 wrote to memory of 644	2840	InstallUtil.exe	31
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 2376 wrote to memory of 1644	2376	113f59d0bd4384226e40c17bf899935d.exe	34
PID 1644 wrote to memory of 1084	1644	InstallUtil.exe	35
PID 1644 wrote to memory of 1084	1644	InstallUtil.exe	35
PID 1644 wrote to memory of 1084	1644	InstallUtil.exe	35
PID 1644 wrote to memory of 1084	1644	InstallUtil.exe	35
PID 2376 wrote to memory of 1612	2376	113f59d0bd4384226e40c17bf899935d.exe	36
PID 2376 wrote to memory of 1612	2376	113f59d0bd4384226e40c17bf899935d.exe	36
PID 2376 wrote to memory of 1612	2376	113f59d0bd4384226e40c17bf899935d.exe	36
PID 2376 wrote to memory of 1612	2376	113f59d0bd4384226e40c17bf899935d.exe	36
PID 2376 wrote to memory of 1612	2376	113f59d0bd4384226e40c17bf899935d.exe	36
PID 2376 wrote to memory of 1612	2376	113f59d0bd4384226e40c17bf899935d.exe	36
PID 2376 wrote to memory of 1612	2376	113f59d0bd4384226e40c17bf899935d.exe	36
PID 2376 wrote to memory of 1612	2376	113f59d0bd4384226e40c17bf899935d.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe
"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe
  "C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:1644
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1084
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644

Network

DNS

icanhazip.com

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

icanhazip.com

IN A

Response

icanhazip.com

IN A

104.18.114.97

icanhazip.com

IN A

104.18.115.97
GET

http://icanhazip.com/

InstallUtil.exe

Remote address:

104.18.114.97:80

Request

GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 25 Dec 2023 16:04:01 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=j195QP26EccaH4v5qfKFcSyeCRRlQoREwnkrJQa_c74-1703520241-1-AWv2K+e427s53nPPUo6mlYj1r1DY0QuZa0oj+Etu8abN28XNl+2alPZ6BQ6SDRFY57ziJ3cp79aRbfmBUQqqFbY=; path=/; expires=Mon, 25-Dec-23 16:34:01 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 83b25147cf40459a-LHR
alt-svc: h3=":443"; ma=86400
DNS

api.mylnikov.org

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

api.mylnikov.org

IN A

Response

api.mylnikov.org

IN A

172.67.196.114

api.mylnikov.org

IN A

104.21.44.66
DNS

api.mylnikov.org

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

api.mylnikov.org

IN A
GET

https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=Failed

InstallUtil.exe

Remote address:

172.67.196.114:443

Request

GET /geolocation/wifi?v=1.1&bssid=Failed HTTP/1.1
Host: api.mylnikov.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 25 Dec 2023 16:04:09 GMT
Content-Type: application/json; charset=utf8
Content-Length: 93
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: max-age=2678400
CF-Cache-Status: MISS
Last-Modified: Mon, 25 Dec 2023 16:04:09 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=6SrgHY6bO2a%2Bq5MhdYR8odOiqCQKKe2J9BvJ4Cy93eYVLDon2Aj%2F%2B5p%2BtpMlIuGBGF9X%2FmvDwfypFJzG4VxB00UEywXqSyzg4fAa23zPu49mwXgwp22mTU2NBDbWQz66hZYJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 83b251769fdf6530-LHR
alt-svc: h3=":443"; ma=86400
DNS

apps.identrust.com

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

apps.identrust.com

IN A

Response

apps.identrust.com

IN CNAME

identrust.edgesuite.net

identrust.edgesuite.net

IN CNAME

a1952.dscq.akamai.net

a1952.dscq.akamai.net

IN A

96.17.179.184

a1952.dscq.akamai.net

IN A

96.17.179.205
GET

http://apps.identrust.com/roots/dstrootcax3.p7c

InstallUtil.exe

Remote address:

96.17.179.184:80

Request

GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

Response

HTTP/1.1 200 OK

X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex
Referrer-Policy: same-origin
Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
ETag: "37d-6079b8c0929c0"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Mon, 25 Dec 2023 17:04:05 GMT
Date: Mon, 25 Dec 2023 16:04:05 GMT
Connection: keep-alive
DNS

www.microsoft.com

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

2.17.5.133
DNS

www.microsoft.com

InstallUtil.exe

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A
GET

http://icanhazip.com/

InstallUtil.exe

Remote address:

104.18.114.97:80

Request

GET / HTTP/1.1
Host: icanhazip.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 25 Dec 2023 16:04:51 GMT
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
Set-Cookie: __cf_bm=sh2oB_t8HF2m8ajPTtikKPrP5M0SmgnZ.e.ayUjNDc4-1703520291-1-AV99sbp2yHoRJAkpJE2/34N1Z/s2rk/k6pklNmf7kJtfrg6xsCOMPT1M2QBZhhkE4KxZIV2cfd63eUhnUKxh2ds=; path=/; expires=Mon, 25-Dec-23 16:34:51 GMT; domain=.icanhazip.com; HttpOnly
Server: cloudflare
CF-RAY: 83b252801d8223e9-LHR
alt-svc: h3=":443"; ma=86400
GET

https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=Failed

InstallUtil.exe

Remote address:

172.67.196.114:443

Request

GET /geolocation/wifi?v=1.1&bssid=Failed HTTP/1.1
Host: api.mylnikov.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Mon, 25 Dec 2023 16:04:52 GMT
Content-Type: application/json; charset=utf8
Content-Length: 93
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: max-age=2678400
CF-Cache-Status: HIT
Age: 43
Last-Modified: Mon, 25 Dec 2023 16:04:09 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iToXKfrRnikluFdqigvIBhPSvbw2hbGuAzderD1KUWubGwiR1Jc3eq9TX2XHnN1lQmnET7MgCjOSS%2BEEpN3Xn9xKfD6%2F97n1rnqjHE6aD2ypDwOy4yEtKBtrOewxpEIK5LSF"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 83b25283593b60f4-LHR
alt-svc: h3=":443"; ma=86400

104.18.114.97:80

http://icanhazip.com/

http

InstallUtil.exe

345 B
1.2kB
6
4

HTTP Request

GET http://icanhazip.com/

HTTP Response

200
172.67.196.114:443

https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=Failed

tls, http

InstallUtil.exe

1.1kB
7.1kB
13
9

HTTP Request

GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=Failed

HTTP Response

200
96.17.179.184:80

http://apps.identrust.com/roots/dstrootcax3.p7c

http

InstallUtil.exe

369 B
1.6kB
5
4

HTTP Request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

HTTP Response

200
104.18.114.97:80

http://icanhazip.com/

http

InstallUtil.exe

392 B
659 B
6
3

HTTP Request

GET http://icanhazip.com/

HTTP Response

200
172.67.196.114:443

https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=Failed

tls, http

InstallUtil.exe

837 B
5.8kB
10
9

HTTP Request

GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=Failed

HTTP Response

200

8.8.8.8:53

icanhazip.com

dns

InstallUtil.exe

59 B
91 B
1
1

DNS Request

icanhazip.com

DNS Response

104.18.114.97

104.18.115.97
8.8.8.8:53

api.mylnikov.org

dns

InstallUtil.exe

124 B
94 B
2
1

DNS Request

api.mylnikov.org

DNS Request

api.mylnikov.org

DNS Response

172.67.196.114

104.21.44.66
8.8.8.8:53

apps.identrust.com

dns

InstallUtil.exe

64 B
165 B
1
1

DNS Request

apps.identrust.com

DNS Response

96.17.179.184

96.17.179.205
8.8.8.8:53

www.microsoft.com

dns

InstallUtil.exe

126 B
230 B
2
1

DNS Request

www.microsoft.com

DNS Request

www.microsoft.com

DNS Response

2.17.5.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63c363fd0c4e207d06b22aea2786d585

SHA1
91902fcddbee90a15acefde10b1feaec076520bf

SHA256
d0e92c48567fc9f6d3a707ed4f59f538d90a987c1b0d7deee179049271766b23

SHA512
d671aed9f2cb68ea917f8c5b0f9344fd8c7192be742efcaec3c6c82ec5a738d912f85e760f25abf6b182d4b1f074cb62c182f38c08ca649074123326eea63be6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
458b85ac42a9e8cc8cff6a6587f995bb

SHA1
f2377eda42228106dbe264caaa73f54c5a7fa26a

SHA256
4d432a5bfc5d97c6c598456f6d976674ea6a8383b61864369bfafc41ab32e128

SHA512
c64cb8b9fafd779da8ae5060c632e42b15df2db4723ab7c6844752d32001ae343ae7428313e662826f45742287e67bc1fb841942f69c7db1b9eb64e2234e7c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ceb75ea5170f8d14eaa694fb4372f9ad

SHA1
da24db9b37db4414ee108116b8683fa2fb31f995

SHA256
daa37aa8e03a06fcf87bf3d21822a7c96d542fc99b3acd30244bb6b19ced2d3a

SHA512
1a614805d8785fdbef8a1ee0f1525fd44ab32fb07ef95321c530536ecfba3e78f5a0a55a7e0eebcde9f5cee03a47e9a22cd20ef03a1f9dcc4db2349a986fd623

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35F4.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

Filesize
20KB

MD5
1bad0cbd09b05a21157d8255dc801778

SHA1
ff284bba12f011b72e20d4c9537d6c455cdbf228

SHA256
218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9

SHA512
4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533

Download Submit
memory/644-134-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/644-135-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/1084-185-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1084-184-0x0000000000B30000-0x0000000000BB0000-memory.dmp

Filesize
512KB

Download
memory/1084-183-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1084-186-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

Filesize
9.6MB

Download
memory/1612-189-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1644-154-0x0000000073910000-0x0000000073EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-153-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1644-151-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1644-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1644-155-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/1644-156-0x0000000073910000-0x0000000073EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-187-0x0000000073910000-0x0000000073EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2376-137-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2376-15-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2840-39-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-37-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2840-24-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2840-36-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2840-26-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2840-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2840-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-32-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2840-136-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-38-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/2840-34-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3040-18-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-1-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-4-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/3040-3-0x0000000000A30000-0x0000000000AA8000-memory.dmp

Filesize
480KB

Download
memory/3040-2-0x0000000005070000-0x00000000050B0000-memory.dmp

Filesize
256KB

Download
memory/3040-0-0x0000000001070000-0x0000000001164000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.