Analysis Overview
SHA256
e8e31ad00eb7d6e4124e0d9dcd2a2e4ca20afa68007c0e655ae8cc5ca4bfdad9
Threat Level: Known bad
The file 59b1a1f58b7ca014b73a2eebda7eae53 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Azorult
Raccoon
Raccoon Stealer V1 payload
ZGRat
Oski
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-01-13 23:33
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-13 23:33
Reported
2024-01-13 23:36
Platform
win7-20231215-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Azorult
Detect ZGRat V1
Raccoon
Raccoon Stealer V1 payload
ZGRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2204 set thread context of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe |
| PID 584 set thread context of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe |
| PID 1560 set thread context of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
"C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Nrwclnomc.vbs"
C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
"C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs"
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
"C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe"
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 112
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | telete.in | udp |
| DE | 185.53.177.54:443 | telete.in | tcp |
| US | 8.8.8.8:53 | gordonas.ac.ug | udp |
| US | 8.8.8.8:53 | gordonas.ac.ug | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Nrwclnomc.vbs
| MD5 | f7b6cda2dca4391f30cf8df1f0605418 |
| SHA1 | 656a46ae3716bf4e883b1bfb13723b92feb26b84 |
| SHA256 | 97cb704bd02eb625b99a8cac924c826be3435912f220352bf21ccbcb9370e7ed |
| SHA512 | 6be78872227b0a8c328d177b0f7a7670834c7c803aa7eacc77f1ffa7c824541a895ea255b6b4777f9fd7753a4c975eaf50f4b63a51cf8c9164d56ccd86300725 |
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
| MD5 | 4cb2b6e2c86e81a6b2ddd2aca707e66a |
| SHA1 | f13428a8ea50c72c6a24bd552804ab7a11428ec1 |
| SHA256 | 157e30e05a61154cbc5bb5e36dc43b33e500bd552f8a0624d3a02d9f1249665a |
| SHA512 | 156e0c11011753cf46fd4817888c56294ab001c98fc32613e70104d9fd900be874baa30ac3bf5c09e7140eaf336b06f06e85568c7c6a7de0617f06e270048ce7 |
C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs
| MD5 | 078aaa3bf115f219f01322a31f475c54 |
| SHA1 | e95ad53a3ad196dfb5384824d213f64056fb8155 |
| SHA256 | db761125f2f3e644b56284126bdb2ebeec230ddaea1540e41e61188e38a845b4 |
| SHA512 | 98b4016beda2682652dfdef3f0b25432c1444b52064949e9ecd20d7533b76f17ebaf514b91e5bd967d20ed8025b0d8a8f6e387331806418cfef00ff3e1fd1734 |
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
| MD5 | efd30cfcab12aa54745c2145a2ee763f |
| SHA1 | 4bfa0e547c820b576bb57fb109e6d95996e981f3 |
| SHA256 | 1c01c74fd903447e61c5824271ab41ed22f4217ac85f3c9e2a6d0f083897bfc3 |
| SHA512 | 57ffda0b59997a32df775cbc281a594312d4cccf22c6c86404435cace951765aeff8b702ff362078e403f7f1b3ce37b655bb96bfba84d19f06dd250ad05bcb8c |
\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
| MD5 | 28ef291e4e82fe00e58b3e239ecf1ca5 |
| SHA1 | 164978ae23be1ebbc7c1a265e4b21eb6ce48eab8 |
| SHA256 | 332550fb3b430ba3430d9518b36948ba92c60cc905959489e57848a01baa131a |
| SHA512 | 19d3efd094f70d040041f6eed20827dd21bc124f23a5049930e9e11388ff853bbe41c038e6a4bb450c60276867516762a8334f4a947ac96f1833ed5c387ae711 |
\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
| MD5 | acf368d12ace361955ca56cf379b286a |
| SHA1 | 58e7e72ac7855bb51ecff68736f7fa4668e74f6b |
| SHA256 | 07f36b6c43f6f3928e1b687a225bc81dbfe0e9f1c1293467ae78a19f000f8b7f |
| SHA512 | a4ddfcff5598cd5099676cdf41573820a00c87804ff93cdcd642af87562e5da0e3eb7383412982a6eff5df6ac3dab1ed8cdd9355fc74eeaef4ea1882d4650a84 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-13 23:33
Reported
2024-01-13 23:36
Platform
win10v2004-20231215-en
Max time kernel
152s
Max time network
159s
Command Line
Signatures
Azorult
Detect ZGRat V1
Oski
Raccoon
Raccoon Stealer V1 payload
ZGRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5076 set thread context of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe |
| PID 1956 set thread context of 3340 | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe |
| PID 4660 set thread context of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
"C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Nrwclnomc.vbs"
C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
C:\Users\Admin\AppData\Local\Temp\59b1a1f58b7ca014b73a2eebda7eae53.exe
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
"C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs"
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
"C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe"
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 756 -ip 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1300
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| DE | 185.53.177.54:443 | telete.in | tcp |
| US | 8.8.8.8:53 | 54.177.53.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gordonas.ac.ug | udp |
| US | 8.8.8.8:53 | gordonas.ac.ug | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gordonhk.ac.ug | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Nrwclnomc.vbs
| MD5 | f7b6cda2dca4391f30cf8df1f0605418 |
| SHA1 | 656a46ae3716bf4e883b1bfb13723b92feb26b84 |
| SHA256 | 97cb704bd02eb625b99a8cac924c826be3435912f220352bf21ccbcb9370e7ed |
| SHA512 | 6be78872227b0a8c328d177b0f7a7670834c7c803aa7eacc77f1ffa7c824541a895ea255b6b4777f9fd7753a4c975eaf50f4b63a51cf8c9164d56ccd86300725 |
C:\Users\Admin\AppData\Local\Temp\Bwxgmfnmlwaconsoleapp3.exe
| MD5 | 4cb2b6e2c86e81a6b2ddd2aca707e66a |
| SHA1 | f13428a8ea50c72c6a24bd552804ab7a11428ec1 |
| SHA256 | 157e30e05a61154cbc5bb5e36dc43b33e500bd552f8a0624d3a02d9f1249665a |
| SHA512 | 156e0c11011753cf46fd4817888c56294ab001c98fc32613e70104d9fd900be874baa30ac3bf5c09e7140eaf336b06f06e85568c7c6a7de0617f06e270048ce7 |
C:\Users\Admin\AppData\Local\Temp\Eyyozukgtsxfcpfq.vbs
| MD5 | 078aaa3bf115f219f01322a31f475c54 |
| SHA1 | e95ad53a3ad196dfb5384824d213f64056fb8155 |
| SHA256 | db761125f2f3e644b56284126bdb2ebeec230ddaea1540e41e61188e38a845b4 |
| SHA512 | 98b4016beda2682652dfdef3f0b25432c1444b52064949e9ecd20d7533b76f17ebaf514b91e5bd967d20ed8025b0d8a8f6e387331806418cfef00ff3e1fd1734 |
C:\Users\Admin\AppData\Local\Temp\Gqgistxtagnubptvmqtbtconsoleapp9.exe
| MD5 | efd30cfcab12aa54745c2145a2ee763f |
| SHA1 | 4bfa0e547c820b576bb57fb109e6d95996e981f3 |
| SHA256 | 1c01c74fd903447e61c5824271ab41ed22f4217ac85f3c9e2a6d0f083897bfc3 |
| SHA512 | 57ffda0b59997a32df775cbc281a594312d4cccf22c6c86404435cace951765aeff8b702ff362078e403f7f1b3ce37b655bb96bfba84d19f06dd250ad05bcb8c |