Analysis
max time kernel: 149s
max time network: 146s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-01-2024 03:55
Static task: static1
Behavioral task: behavioral1
  Sample: 01a908923cbc76874658c47d432424a0.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 01a908923cbc76874658c47d432424a0.exe
  Resource: win10v2004-20231215-en
General
Target: 01a908923cbc76874658c47d432424a0.exe
Size: 86KB
MD5: 01a908923cbc76874658c47d432424a0
SHA1: 5397fdeeb8e9365b3d9a6b8f599e658e050de1d7
SHA256: 6ba75d8e032bf1a23d50f4426c9f00444bec1b5396f29042a72b652a515b4247
SHA512: 77b789fd17f8ea650ecb68a04238b195d1cfea9885f7fce637c83bfada95974326831b610509e18b5886fe48bb5ec0f70b57a835bc565af655a7ab0253614140
SSDEEP: 1536:Em65rG4SzbXVzjvf1nRmyr20DmjyleT0FfWU4f23F0Wbub7B4B/:E6HXVzhvI0FfWU4O10kuPKF
Malware Config
Extracted: stealerium
Webhook: https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
Signatures
Detect ZGRat V1 34 IoCs
Stealerium
An open source info stealer written in C# first seen in May 2022.
Drops startup file 2 IoCs
Processes: KORID0R.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe (KORID0R.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe (KORID0R.exe)
Executes dropped EXE 3 IoCs
Processes: KORID0R.exe, build.exe, CamSnap.exe
  PID 652 KORID0R.exe
  PID 2412 build.exe
  PID 840 CamSnap.exe
Loads dropped DLL 2 IoCs
Processes: 01a908923cbc76874658c47d432424a0.exe
  PID 1664 01a908923cbc76874658c47d432424a0.exe
  PID 1664 01a908923cbc76874658c47d432424a0.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: build.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 11: icanhazip.com
Suspicious use of SetThreadContext 1 IoCs
Processes: 01a908923cbc76874658c47d432424a0.exe
  PID 3000 (01a908923cbc76874658c47d432424a0.exe) set thread context of PID 1664 (01a908923cbc76874658c47d432424a0.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: build.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (build.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (build.exe)
Modifies system certificate store
Processes: build.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (build.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data omitted] (build.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 (build.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] (build.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (build.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] (build.exe)
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes: build.exe
  PID 2412 build.exe (62 identical entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: 01a908923cbc76874658c47d432424a0.exe, build.exe, msiexec.exe
  Token: SeDebugPrivilege, PID 3000 01a908923cbc76874658c47d432424a0.exe
  Token: SeDebugPrivilege, PID 2412 build.exe
  Token: SeRestorePrivilege, PID 2056 msiexec.exe
  Token: SeTakeOwnershipPrivilege, PID 2056 msiexec.exe
  Token: SeSecurityPrivilege, PID 2056 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: build.exe
  PID 2412 build.exe
Suspicious use of WriteProcessMemory 51 IoCs
Processes: 01a908923cbc76874658c47d432424a0.exe, KORID0R.exe, CamSnap.exe, build.exe, cmd.exe
Identical rows are listed once (the 51 IoCs contain repeated entries for each source/target pair):
  PID 3000 (01a908923cbc76874658c47d432424a0.exe) wrote to memory of PID 1664 (01a908923cbc76874658c47d432424a0.exe)
  PID 1664 (01a908923cbc76874658c47d432424a0.exe) wrote to memory of PID 652 (KORID0R.exe)
  PID 1664 (01a908923cbc76874658c47d432424a0.exe) wrote to memory of PID 2412 (build.exe)
  PID 652 (KORID0R.exe) wrote to memory of PID 840 (CamSnap.exe)
  PID 840 (CamSnap.exe) wrote to memory of PID 872 (WerFault.exe)
  PID 2412 (build.exe) wrote to memory of PID 1556 (cmd.exe)
  PID 1556 (cmd.exe) wrote to memory of PID 752 (chcp.com)
  PID 1556 (cmd.exe) wrote to memory of PID 1956 (netsh.exe)
  PID 1556 (cmd.exe) wrote to memory of PID 1064 (findstr.exe)
  PID 2412 (build.exe) wrote to memory of PID 2340 (cmd.exe)
  PID 2340 (cmd.exe) wrote to memory of PID 2408 (chcp.com)
  PID 2340 (cmd.exe) wrote to memory of PID 2328 (netsh.exe)
outlook_office_path 1 IoCs
Processes: build.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)
outlook_win_path 1 IoCs
Processes: build.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (build.exe)
Processes
Process tree (indentation shows parent/child depth; signatures hit by each process are listed beneath it):

C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe (PID 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe (PID 1664)
    Command line: C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\KORID0R.exe (PID 652)
      Command line: "C:\Users\Admin\AppData\Local\Temp\KORID0R.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\CamSnap.exe (PID 840)
        Command line: "C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\WerFault.exe (PID 872)
          Command line: C:\Windows\system32\WerFault.exe -u -p 840 -s 720

    C:\Users\Admin\AppData\Local\Temp\build.exe (PID 2412)
      Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path

      C:\Windows\SysWOW64\cmd.exe (PID 1556)
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com (PID 752)
          Command line: chcp 65001

        C:\Windows\SysWOW64\netsh.exe (PID 1956)
          Command line: netsh wlan show profile

        C:\Windows\SysWOW64\findstr.exe (PID 1064)
          Command line: findstr All

      C:\Windows\SysWOW64\cmd.exe (PID 2340)
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\chcp.com (PID 2408)
          Command line: chcp 65001

        C:\Windows\SysWOW64\netsh.exe (PID 2328)
          Command line: netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe (PID 2056)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\Browsers\Firefox\Bookmarks.txt (105B)
C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\Directories\Videos.txt (23B)
Filesize
6KB
MD590e05e64959dcc96ed6dfb89d65334a6
SHA176840a3fb0a3a37a497a2232912753f9a9e5733a
SHA2565b7c50db5b426b201287418c6032f1b300370beb66534f8cca03cf3fa5d02876
SHA512f9b909093eea8743f08ce5428909d5a3a4c087e4faf28c5617784c81e511505de37f1bbc9069fbedb8a0e0e45ec5880f70d1de34908ae45ff35706115e79f510
-
Filesize
1KB
MD5beec1701396ac7524912ab02234005f6
SHA1b734752ff28dbbaf63aaee72ff2e34fd9153e4d7
SHA256f33b1e4564a0faf92e228c4005f12aa220f34eec04193d9991dc9df0ee47e06d
SHA512cb88b209adf6daf6232355a2c6550c976ff3e731147009ec4a11efc838cbd6de11ada402e0b22b11e33ff500c8f04b15f664ab25e790a4ffa857beb8c6d8b997
-
C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\System\ProductKey.txt (29B)
Filesize
19B
MD5ef62bd9c27ebdd78b92d51329374d697
SHA189f915eb9057e7099a541d8b1e5dacc5779b94b5
SHA256a7c73df21361821920b3b18665ab54b984320dcc512a5b71bb09415d270ca32e
SHA5127060b4cfaeddd9729b08d1175f733501b567bc319ef589353a00ceed7c621540e3fcc0d6273f4637933893ea3a3fa31392f1c079d805929bc246d1635d11b1a6
-
Filesize
1.4MB
MD5222b8cba0f63d84500e3743f6532dfc4
SHA17fd3d70518259831c933236e9516b8aba7910821
SHA25693796d923cb11c16352528f9c1e80df197df567d1d03819d7d21899fd64e424f
SHA5124c728ea58bc42f29f585f2b1e4704418aa27f6464176967f4d7a3d46a10e24508d12cdc3035d4dfb32fc26f9714b13b05b4d81c4c7129246076b6f4e786a7162
-
Filesize
1.6MB
MD523c3a4f4136d15ceaca2a2a6af88ab59
SHA10f67a288d3d943282f0f28274dd6c8c29c40ea24
SHA2567bde84ef1142b6460f2818f5a3137c1cdc508148c875caf7a91ac69ae026f942
SHA5125741470ef32f6fca036220d0b57b9ec8ec4997dba23eb35a3cfa60631c30419c306925c22ed7247df26ef3d044130514c81470fce62d605e7f78184acd032fc9