Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-01-2024 03:55

Static task: static1
Behavioral task: behavioral1
  Sample: ac15ae1e49f4272e8d38b5fd5573ce35.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ac15ae1e49f4272e8d38b5fd5573ce35.exe
  Resource: win10v2004-20231215-en
General
Target: ac15ae1e49f4272e8d38b5fd5573ce35.exe
Size: 81KB
MD5: ac15ae1e49f4272e8d38b5fd5573ce35
SHA1: 93a70b449926995d458b9513b8b36e988f73dc8a
SHA256: c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149
SHA512: 23d7977aeac5a2f1856861519b34dbbd4aa52ed003d4001b73435024266d258d765613a3be8a1e2ae67548f9eb69f662925d663f8321f1610f200af6258025f8
SSDEEP: 1536:D7Vs/tSdQLcSjAA0C0rEr2ofgNTX0g/+PmN/10BmglZqiqazVkP5tJCFPzRUR2lX:D5MmQLcxAarEDINTD/+Pmn0BmgnpzmcP
Malware Config
Extracted
stealerium
https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
Signatures

Detect ZGRat V1 (34 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1740-5-0x0000000008010000-0x000000000857A000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-7-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-6-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-9-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-11-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-13-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-15-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-17-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-19-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-21-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-23-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-25-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-27-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-29-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-31-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-33-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-35-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-37-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-39-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-41-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-43-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-45-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-47-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-49-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-51-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-53-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-55-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-57-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-59-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-61-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-63-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-65-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-67-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1
behavioral1/memory/1740-69-0x0000000008010000-0x0000000008574000-memory.dmp | family_zgrat_v1

Stealerium
An open-source info stealer written in C#, first seen in May 2022.
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | @dr@[email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | @dr@[email protected]

Executes dropped EXE (3 IoCs)
Processes:
pid | process
2864 | @dr@[email protected]
2560 | build.exe
1236 | CamSnap.exe

Loads dropped DLL (2 IoCs)
Processes: ac15ae1e49f4272e8d38b5fd5573ce35.exe
pid | process
2640 | ac15ae1e49f4272e8d38b5fd5573ce35.exe
2640 | ac15ae1e49f4272e8d38b5fd5573ce35.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: build.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | build.exe
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | build.exe
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | build.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
11 | icanhazip.com
Suspicious use of SetThreadContext (1 IoCs)
Processes: ac15ae1e49f4272e8d38b5fd5573ce35.exe
description | pid | process | target process
PID 1740 set thread context of 2640 | 1740 | ac15ae1e49f4272e8d38b5fd5573ce35.exe | ac15ae1e49f4272e8d38b5fd5573ce35.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: build.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | build.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | build.exe
Modifies system certificate store
Processes: build.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data elided) | build.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | build.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data elided) | build.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | build.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data elided) | build.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | build.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data elided) | build.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | build.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: build.exe
pid | process
2560 | build.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: ac15ae1e49f4272e8d38b5fd5573ce35.exe, build.exe, msiexec.exe
description | pid | process
Token: SeDebugPrivilege | 1740 | ac15ae1e49f4272e8d38b5fd5573ce35.exe
Token: SeDebugPrivilege | 2560 | build.exe
Token: SeRestorePrivilege | 2024 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2024 | msiexec.exe
Token: SeSecurityPrivilege | 2024 | msiexec.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: build.exe
pid | process
2560 | build.exe
Suspicious use of WriteProcessMemory (51 IoCs)
Processes: ac15ae1e49f4272e8d38b5fd5573ce35.exe, ac15ae1e49f4272e8d38b5fd5573ce35.exe, @dr@[email protected], CamSnap.exe, build.exe, cmd.exe, cmd.exe
description | pid | process | target process | entries (identical rows collapsed)
PID 1740 wrote to memory of 2640 | 1740 | ac15ae1e49f4272e8d38b5fd5573ce35.exe | ac15ae1e49f4272e8d38b5fd5573ce35.exe | 9
PID 2640 wrote to memory of 2864 | 2640 | ac15ae1e49f4272e8d38b5fd5573ce35.exe | @dr@[email protected] | 4
PID 2640 wrote to memory of 2560 | 2640 | ac15ae1e49f4272e8d38b5fd5573ce35.exe | build.exe | 4
PID 2864 wrote to memory of 1236 | 2864 | @dr@[email protected] | CamSnap.exe | 3
PID 1236 wrote to memory of 2056 | 1236 | CamSnap.exe | WerFault.exe | 3
PID 2560 wrote to memory of 2436 | 2560 | build.exe | cmd.exe | 4
PID 2436 wrote to memory of 1320 | 2436 | cmd.exe | chcp.com | 4
PID 2436 wrote to memory of 1348 | 2436 | cmd.exe | netsh.exe | 4
PID 2436 wrote to memory of 3024 | 2436 | cmd.exe | findstr.exe | 4
PID 2560 wrote to memory of 968 | 2560 | build.exe | cmd.exe | 4
PID 968 wrote to memory of 292 | 968 | cmd.exe | chcp.com | 4
PID 968 wrote to memory of 2612 | 968 | cmd.exe | netsh.exe | 4
outlook_office_path (1 IoCs)
Processes: build.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | build.exe

outlook_win_path (1 IoCs)
Processes: build.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | build.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe (depth 1, PID 1740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe (depth 2, PID 2640)
    Command line: C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] (depth 3, PID 2864)
      Command line: "C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\CamSnap.exe (depth 4, PID 1236)
        Command line: "C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\WerFault.exe (depth 5, PID 2056)
          Command line: C:\Windows\system32\WerFault.exe -u -p 1236 -s 716
    - C:\Users\Admin\AppData\Local\Temp\build.exe (depth 3, PID 2560)
      Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 2436)
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\chcp.com (depth 5, PID 1320)
          Command line: chcp 65001
        - C:\Windows\SysWOW64\netsh.exe (depth 5, PID 1348)
          Command line: netsh wlan show profile
        - C:\Windows\SysWOW64\findstr.exe (depth 5, PID 3024)
          Command line: findstr All
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 968)
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\chcp.com (depth 5, PID 292)
          Command line: chcp 65001
        - C:\Windows\SysWOW64\netsh.exe (depth 5, PID 2612)
          Command line: netsh wlan show networks mode=bssid
- C:\Windows\system32\msiexec.exe (depth 1, PID 2024)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 1c26cded0e72b7957d17ed1e1ac5eb20
  SHA1: 4ef9345e507f9107cbc779cb0e5fad6068cc7d59
  SHA256: 04a722f4f791477f25a5130fa9ac8ef8507248d2bb7932fb8d60148b18fcdd1a
  SHA512: ab068c0b1382c243aedd282d220573cbbc254818cc32617ea7f2ad42295d40f2e95f5e99fd741567c591fd60760f2cd5edbd062adde4d8c919aced1b8cef5971

- C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

- C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\Directories\Videos.txt
  Filesize: 23B
  MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
  SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
  SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
  SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

- Filesize: 6KB
  MD5: 90e05e64959dcc96ed6dfb89d65334a6
  SHA1: 76840a3fb0a3a37a497a2232912753f9a9e5733a
  SHA256: 5b7c50db5b426b201287418c6032f1b300370beb66534f8cca03cf3fa5d02876
  SHA512: f9b909093eea8743f08ce5428909d5a3a4c087e4faf28c5617784c81e511505de37f1bbc9069fbedb8a0e0e45ec5880f70d1de34908ae45ff35706115e79f510

- Filesize: 320B
  MD5: 7a63b53a5ae6d72741dfcedb88f9d26b
  SHA1: c05423356152e671818f4ae99533453d3982d54b
  SHA256: 2ff7745396d0088e7aabab766edc660190a7232ec825fc4ba92e7be315eaddc3
  SHA512: b043221dc42d01d953d465f9515313659ac2c63916f5f9a462320e19bedcac7276c8a7777a68de28a7ad653bfa60633576854253d1dc3aaa3a835eb70bde7eea

- C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\System\ProductKey.txt
  Filesize: 29B
  MD5: cad6c6bee6c11c88f5e2f69f0be6deb7
  SHA1: 289d74c3bebe6cca4e1d2e084482ad6d21316c84
  SHA256: dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
  SHA512: e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

- Filesize: 19B
  MD5: a2dae724d24a1e29870171dce039bf15
  SHA1: 416fdb59913b9c31d9ece9aed1595c87d9c0892a
  SHA256: ac772cd81f0405910e60618df6b0013162bee48cd0582cc2901d6a283b74fefd
  SHA512: fdebbe09f010dfbfd875d0c8b2c45572ce253589fa307d08f9dcf8dd642f6a49cd4c5a1687bd0fa27f61ae30c3085aafad83b7ef967e4f9d620c8226159c3f7f

- C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
  Filesize: 690KB
  MD5: b2b2aee98a316af7df9af63534632f59
  SHA1: 6773875ab6fbd5538a72beae7968904cdb9852a6
  SHA256: 693c7ba6dc0b416bd9076a4acaffcd2feb9012021ca739e4706070649ed96c0d
  SHA512: 09a8a2063ea7410b067719aead7f762532719bbf19dc87dc8372cc8edf9da1c5609ad2e6ed1e8dcd32bc1b64d4296d691bce688788a560b730191f3be53ec2a7

- C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
  Filesize: 679KB
  MD5: bfb8866406a887f611b58af3cda8f246
  SHA1: c7ca14280875961a729b0c4d98fcc54781d05c42
  SHA256: 10314807ff47014bfeb31e2c2ec55193cd534290672223ab31ea5a5e82cc5385
  SHA512: 70fa652963a93f69a4cf48ff4b9f3d53594ca797220245c73f0095de31620c8ef7b2b6a16ea0df788e0c54e830994ff64202cc9a7388a8c7e7f1da023a58760d

- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

- Filesize: 34KB
  MD5: fcc259c12d3015ec2f490578f20ae36f
  SHA1: 6a5964bc2f5e523589c5b648e6493a8d4a769632
  SHA256: c0eba00c6c2351a93922918feae6bacfde45d711c4f03e64d97bd917433f45f2
  SHA512: 50d645ff714033adf17cd3c5aa279d53cd086f31270efb9bfff8da80f2167123d80440d7496be16c33d50e3336e3624dbb7c89efb4cec00ae07c35186534de60

- Filesize: 68KB
  MD5: 68f87ada1c861946dfb374f15907fe4e
  SHA1: 5ad786ccd2e29d92a7216433e97565b6dfadcf4a
  SHA256: b98925b2c7ed1364e3d63c18e6af82fed20444eb00ed6875b7134f8b6720a49d
  SHA512: 77d1aabff3b923cbf1476f4f4775e301b3d61514ac3e0c987517a92587f2e31cc0d9fbce2806aa8e3404238d4eab021f439a8bdb7ceba51a4450ddb8d600b1f1

- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

- Filesize: 1.0MB
  MD5: 778e1e34ee77a25c58aedc48d24486ae
  SHA1: cd6bbd316d083a4f59598e85556259fd2adebbb9
  SHA256: cbcbdfda8eb75d10a118940ae6a0b46002329f814056f91feefcb624863657d1
  SHA512: c93ee11f0874833c58f67f9bdc05f5b2afe8175bc206997a02e1ca75a3e6c7a9ad53291a102197c77341f56387e41603cdf0a5a09381d0d0c4263153858e0108

- Filesize: 631KB
  MD5: 46ea7d3de90f2da13dd8d76aa4c6ed6c
  SHA1: 2c1a47205a21507fb86c3d8be44a68ab2f91a15a
  SHA256: 59c4ba9f7ce429d30b6cb292fb8e34fb7cd45a3650d8a6c8696709ebceb7f2da
  SHA512: e0b7977153019ccc50e7fdd9274124a5cafd291f914fc4a27e6b454c3f6e4a4c6f5ecc1070fde3da067f2fc43648627b9c84cd0da231ce4362ccadd1001c6825

- \Users\Admin\AppData\Local\Temp\@dr@[email protected]
  Filesize: 1006KB
  MD5: 2a79f09a92f9358c9a0308e1d81d212f
  SHA1: 403f52d25db2814e67481e25636077145ab2a2e7
  SHA256: 8bba33bfb730fa047e7391306f3b1c25f1ad4ee72b9026459cf170546fdbeba6
  SHA512: 6f9be195427795588aa149080a9b6f9bb52a03c488b753158945f5bffb386d81d8c9275269218dfe3a295d74af4dbd78a8ed74feda0b11c49f2606dc6852fcc5

- Filesize: 932KB
  MD5: de7430fc6f9e99788387676e6d85e550
  SHA1: 38d1d76936371445f76e24c3e197083af898f18c
  SHA256: f16f03472223270fcde63c9358eec7ed75b0974f43d629f855f0dc28bfbdd3be
  SHA512: 4a2fa0e3181f0fb9b8fb0f09e751c6b7e38f049817624330e68d57b5d6b25422c38688a1f47cadfa9f02bfcee06bcee5fce52478158b597e669f1cf82819b167