Analysis
-
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 30-01-2024 03:58
Static task
static1
Behavioral task
behavioral1
Sample
ac15ae1e49f4272e8d38b5fd5573ce35.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
ac15ae1e49f4272e8d38b5fd5573ce35.exe
Resource
win10v2004-20231215-en
General
-
Target
ac15ae1e49f4272e8d38b5fd5573ce35.exe
-
Size
81KB
-
MD5
ac15ae1e49f4272e8d38b5fd5573ce35
-
SHA1
93a70b449926995d458b9513b8b36e988f73dc8a
-
SHA256
c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149
-
SHA512
23d7977aeac5a2f1856861519b34dbbd4aa52ed003d4001b73435024266d258d765613a3be8a1e2ae67548f9eb69f662925d663f8321f1610f200af6258025f8
-
SSDEEP
1536:D7Vs/tSdQLcSjAA0C0rEr2ofgNTX0g/+PmN/10BmglZqiqazVkP5tJCFPzRUR2lX:D5MmQLcxAarEDINTD/+Pmn0BmgnpzmcP
Malware Config
Extracted
stealerium
https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
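The extracted configuration is a single Discord webhook, which is the exfiltration channel for this family. The following is an added example (mine, not the sandbox's output and not Stealerium code) of the triage one would do on that URL without ever contacting it: split it into webhook ID and token, decode the creation time from the ID using Discord's public snowflake layout (millisecond timestamp in the bits above bit 22, epoch 2015-01-01T00:00:00Z), and produce a redacted form that can go into a ticket. The sample text is constructed around the URL above plus two lines that must not match.

```python
"""Triage a Discord webhook URL taken from a stealer config.

Added example, not part of the sandbox output or of the Stealerium project.
It never contacts Discord: it pulls the webhook ID and token out of the URL,
decodes the webhook's creation time from the ID (Discord snowflake layout:
millisecond timestamp in the bits above bit 22, epoch 2015-01-01T00:00:00Z),
and builds a redacted form safe to paste into a ticket.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, Discord's snowflake epoch

# URL shapes Discord accepts for webhooks: discord.com or discordapp.com, optional
# ptb./canary. subdomain, optional API version. The token is the last path element.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_\-]+)"
)


def snowflake_utc(snowflake: int) -> str:
    """Creation time encoded in a Discord snowflake, as an ISO-8601 UTC string."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_webhook(url: str) -> Optional[Dict[str, str]]:
    """Split a webhook URL into its parts; None if the text is not a webhook URL."""
    m = WEBHOOK_RE.search(url)
    if m is None:
        return None
    wid = int(m.group("id"))
    token = m.group("token")
    return {
        "id": str(wid),
        "token": token,
        "created_utc": snowflake_utc(wid),
        # Enough to recognise the webhook again without letting the reader post to it.
        "redacted": "discord webhook %d/%s...(%d chars)" % (wid, token[:4], len(token)),
    }


def find_webhooks(text: str) -> List[Dict[str, str]]:
    """Scan free text (strings output, a decoded config, a proxy log) for webhook URLs."""
    return [parse_webhook(m.group(0)) for m in WEBHOOK_RE.finditer(text)]


# Constructed input: the URL from the Malware Config section plus two non-matching lines.
SAMPLE_TEXT = """
stealerium https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
GET https://discord.com/api/v10/users/@me (not a webhook)
https://discord.com/api/webhooks/123/abc (id too short to be a snowflake)
"""

if __name__ == "__main__":
    for hook in find_webhooks(SAMPLE_TEXT):
        print(hook["redacted"], "created", hook["created_utc"])
```

For this sample the webhook ID decodes to 2024-01-19T10:31:27Z, eleven days before the submission date in the header, which is a useful data point for campaign timing. Do not POST to the webhook to "test" it: that tells the operator the URL is being looked at and may deliver data to them. Report it to Discord through their abuse channel and block the host at the proxy.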
Signatures
-
Detect ZGRat V1 34 IoCs
Processes:
resource yara_rule
behavioral1/memory/1260-5-0x0000000007CC0000-0x000000000822A000-memory.dmp family_zgrat_v1
behavioral1/memory/1260-N-0x0000000007CC0000-0x0000000008224000-memory.dmp family_zgrat_v1, for N = 6, 7 and every odd N from 9 to 69 (33 dumps)
All 34 hits are successive dumps of the same region of PID 1260, the first-stage process that later sets the thread context of its child 2704 (see Suspicious use of SetThreadContext below); the rule matches the payload unpacked in memory, not the 81KB file on disk.
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Drops startup file 2 IoCs
Processes:
description ioc process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe @dr@[email protected]
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe @dr@[email protected]
Per-user Startup-folder persistence under a Windows Update lookalike name; it needs no elevation and survives a reboot, so the Startup folder is the first place to check on a host that contacted the webhook above.
Executes dropped EXE 3 IoCs
Processes:
pid process
2376 @dr@[email protected]
896 build.exe
2796 CamSnap.exe
The first file name is shown as the page renders it: part of the name was replaced by e-mail-address obfuscation ("[email protected]"), so the original dropper name is not recoverable from this report; the hashes under Downloads are the reliable identifiers.
Loads dropped DLL 2 IoCs
Processes:
ac15ae1e49f4272e8d38b5fd5573ce35.exe
pid process
2704 ac15ae1e49f4272e8d38b5fd5573ce35.exe
2704 ac15ae1e49f4272e8d38b5fd5573ce35.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
build.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
11 icanhazip.com
Suspicious use of SetThreadContext 1 IoCs
Processes:
ac15ae1e49f4272e8d38b5fd5573ce35.exe
description pid process target process
PID 1260 set thread context of 2704 1260 ac15ae1e49f4272e8d38b5fd5573ce35.exe ac15ae1e49f4272e8d38b5fd5573ce35.exe
The same image on both sides, combined with the nine WriteProcessMemory calls from 1260 into 2704 listed below, is the process-hollowing shape: the first instance writes the unpacked payload into a fresh copy of its own binary and then points that copy's thread at it. Everything that follows in the tree (build.exe, the dropper, CamSnap.exe) is spawned by the hollowed 2704, not by the file that was executed.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
build.exe
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 build.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier build.exe
Modifies system certificate store
Processes:
build.exe
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (elided) build.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 build.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (elided) build.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 build.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (elided) build.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 build.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (elided) build.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 build.exe
The three thumbprints are well-known public roots, not attacker material: the DAC9…7C13 blob above decodes to DST Root CA X3 (issuer "Digital Signature Trust Co.", notBefore 2000-09-30 21:12:19Z, notAfter 2021-09-30 14:01:15Z, all readable in the DER), CABD…A5E8 is ISRG Root X1 and D4DE…E474 is Baltimore CyberTrust Root. A process that has just made outbound TLS connections causing public roots to be written into AuthRoot and ROOT is what Windows' automatic root-certificate update looks like (the CryptnetUrlCache entry under Downloads is the same mechanism). Read this signature as "made TLS connections from a Windows 7 image with a stale root store", not as "installed a rogue root", unless a thumbprint cannot be attributed to a public CA.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
build.exe
pid process
896 build.exe (64 occurrences)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
ac15ae1e49f4272e8d38b5fd5573ce35.exe build.exe msiexec.exe
description pid process
Token: SeDebugPrivilege 1260 ac15ae1e49f4272e8d38b5fd5573ce35.exe
Token: SeDebugPrivilege 896 build.exe
Token: SeRestorePrivilege 2744 msiexec.exe
Token: SeTakeOwnershipPrivilege 2744 msiexec.exe
Token: SeSecurityPrivilege 2744 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
build.exe
pid process
896 build.exe
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
ac15ae1e49f4272e8d38b5fd5573ce35.exe @dr@[email protected] CamSnap.exe build.exe cmd.exe
description pid process target process
PID 1260 wrote to memory of 2704 1260 ac15ae1e49f4272e8d38b5fd5573ce35.exe ac15ae1e49f4272e8d38b5fd5573ce35.exe (9 calls)
PID 2704 wrote to memory of 2376 2704 ac15ae1e49f4272e8d38b5fd5573ce35.exe @dr@[email protected] (4 calls)
PID 2704 wrote to memory of 896 2704 ac15ae1e49f4272e8d38b5fd5573ce35.exe build.exe (4 calls)
PID 2376 wrote to memory of 2796 2376 @dr@[email protected] CamSnap.exe (3 calls)
PID 2796 wrote to memory of 1928 2796 CamSnap.exe WerFault.exe (3 calls)
PID 896 wrote to memory of 436 896 build.exe cmd.exe (4 calls)
PID 436 wrote to memory of 764 436 cmd.exe chcp.com (4 calls)
PID 436 wrote to memory of 1668 436 cmd.exe netsh.exe (4 calls)
PID 436 wrote to memory of 2732 436 cmd.exe findstr.exe (4 calls)
PID 896 wrote to memory of 2296 896 build.exe cmd.exe (4 calls)
PID 2296 wrote to memory of 2916 2296 cmd.exe chcp.com (4 calls)
PID 2296 wrote to memory of 3016 2296 cmd.exe netsh.exe (4 calls)
The three or four writes recorded for each ordinary child are the process-creation traffic the sandbox attributes to the parent, which is why every node of the tree appears here; only the nine writes from 1260 into 2704, paired with the SetThreadContext call above, are injection. The pairs also give the real parent of the processes the tree shows unparented: 2296 created 2916 and 3016, and 2796 created 1928.
outlook_office_path 1 IoCs
Processes:
build.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe
outlook_win_path 1 IoCs
Processes:
build.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe
Processes
-
Each node gives the image path, its PID, the command line, and the signatures attributed to it. WerFault.exe (1928), chcp.com (2916) and netsh.exe (3016) are shown as unparented in the original tree; here they are placed under the processes recorded writing to them in the WriteProcessMemory list (2796, 2296 and 2296 respectively). msiexec.exe (2744) has no recorded parent and stays at the top level.

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe (PID 1260)
  "C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe (PID 2704, hollowed by 1260)
    C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\build.exe (PID 896)
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      C:\Windows\SysWOW64\cmd.exe (PID 436)
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com (PID 764)
          chcp 65001
        C:\Windows\SysWOW64\netsh.exe (PID 1668)
          netsh wlan show profile
        C:\Windows\SysWOW64\findstr.exe (PID 2732)
          findstr All
      C:\Windows\SysWOW64\cmd.exe (PID 2296)
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\chcp.com (PID 2916)
          chcp 65001
        C:\Windows\SysWOW64\netsh.exe (PID 3016)
          netsh wlan show networks mode=bssid
    C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] (PID 2376)
      "C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\CamSnap.exe (PID 2796)
        "C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\WerFault.exe (PID 1928)
          C:\Windows\system32\WerFault.exe -u -p 2796 -s 712
C:\Windows\system32\msiexec.exe (PID 2744)
  C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

The two cmd.exe children of build.exe are the Wi-Fi collection step: "netsh wlan show profile" lists saved wireless profiles and "netsh wlan show networks mode=bssid" lists nearby access points, with chcp 65001 forcing UTF-8 output so the stealer can parse it. WerFault.exe was started with -p 2796, so CamSnap.exe faulted and that stage did not complete in this run.
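To make the tree above something that can be queried rather than read, here is an added example (my own, not Triage output and not Stealerium code) that loads this report's SetThreadContext and WriteProcessMemory records, the netsh command lines and the Startup-folder file event as constructed inline data, rebuilds the parent chain from them, and flags the three behaviours worth pivoting on: same-image hollowing, Wi-Fi profile harvesting via netsh, and Startup-folder persistence. The records are transcribed from the sections above with repeats collapsed; the rule names and the parent-inference heuristic are this example's own.

```python
"""Rebuild the process tree in this report from its API-level records and flag
the behaviours worth pivoting on.

Added example, not part of the sandbox output or of Stealerium. RECORDS,
CMDLINES and FILE_EVENTS are transcribed from the report with repeated
entries collapsed; the rule names are this example's own.
"""
from typing import Dict, List, Tuple

# (api, source pid, source image, target pid, target image)
Record = Tuple[str, int, str, int, str]

FIRST_STAGE = "ac15ae1e49f4272e8d38b5fd5573ce35.exe"
DROPPER = "@dr@[email protected]"  # dropper name exactly as the page renders it

RECORDS: List[Record] = [
    ("SetThreadContext", 1260, FIRST_STAGE, 2704, FIRST_STAGE),
    ("WriteProcessMemory", 1260, FIRST_STAGE, 2704, FIRST_STAGE),
    ("WriteProcessMemory", 2704, FIRST_STAGE, 2376, DROPPER),
    ("WriteProcessMemory", 2704, FIRST_STAGE, 896, "build.exe"),
    ("WriteProcessMemory", 2376, DROPPER, 2796, "CamSnap.exe"),
    ("WriteProcessMemory", 2796, "CamSnap.exe", 1928, "WerFault.exe"),
    ("WriteProcessMemory", 896, "build.exe", 436, "cmd.exe"),
    ("WriteProcessMemory", 436, "cmd.exe", 764, "chcp.com"),
    ("WriteProcessMemory", 436, "cmd.exe", 1668, "netsh.exe"),
    ("WriteProcessMemory", 436, "cmd.exe", 2732, "findstr.exe"),
    ("WriteProcessMemory", 896, "build.exe", 2296, "cmd.exe"),
    ("WriteProcessMemory", 2296, "cmd.exe", 2916, "chcp.com"),
    ("WriteProcessMemory", 2296, "cmd.exe", 3016, "netsh.exe"),
]

# Command lines from the process tree (only the ones the rules look at).
CMDLINES: Dict[int, str] = {
    436: '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
    2296: '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid',
    1668: "netsh wlan show profile",
    3016: "netsh wlan show networks mode=bssid",
}

# (pid, path) from the "Drops startup file" signature.
FILE_EVENTS: List[Tuple[int, str]] = [
    (2376, "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Microsoft Windows Update.exe"),
]


def parent_map(records: List[Record]) -> Dict[int, int]:
    """Every child in this report first shows up as the target of WriteProcessMemory
    from the process that created it, so the first writer is taken as the parent."""
    parents: Dict[int, int] = {}
    for api, src, _, dst, _ in records:
        if api == "WriteProcessMemory" and dst not in parents:
            parents[dst] = src
    return parents


def ancestry(pid: int, parents: Dict[int, int]) -> List[int]:
    """[pid, parent, grandparent, ...] up to the root of the tree."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain


def find_hollowing(records: List[Record]) -> List[Tuple[int, int, str]]:
    """A process that writes into a child running the same image and then resets
    that child's thread context: the process-hollowing / RunPE shape."""
    wrote = {(s, d) for api, s, _, d, _ in records if api == "WriteProcessMemory"}
    return sorted(
        (s, d, si) for api, s, si, d, di in records
        if api == "SetThreadContext" and si.lower() == di.lower() and (s, d) in wrote
    )


def find_wifi_harvest(cmdlines: Dict[int, str]) -> List[int]:
    """netsh wlan show profile / show networks: saved Wi-Fi profiles and nearby BSSIDs."""
    hits = []
    for pid, cl in sorted(cmdlines.items()):
        low = cl.lower()
        if "netsh" in low and "wlan" in low and ("show profile" in low or "show networks" in low):
            hits.append(pid)
    return hits


def find_startup_drops(file_events: List[Tuple[int, str]]) -> List[int]:
    """Files written into a Startup folder: per-user persistence without admin rights."""
    return sorted({pid for pid, path in file_events
                   if "\\start menu\\programs\\startup\\" in path.lower()})


def triage(records=RECORDS, cmdlines=CMDLINES, file_events=FILE_EVENTS) -> Dict[str, list]:
    """Run all rules and attach the ancestry chain so every hit traces back to 1260."""
    parents = parent_map(records)
    return {
        "hollowing": find_hollowing(records),
        "wifi_harvest": [(pid, ancestry(pid, parents)) for pid in find_wifi_harvest(cmdlines)],
        "startup_drop": [(pid, ancestry(pid, parents)) for pid in find_startup_drops(file_events)],
    }


if __name__ == "__main__":
    for rule, hits in triage().items():
        print(rule, hits)
```

The ancestry chains are the useful output: every netsh hit and the Startup-folder drop resolve back through 2704 to 1260, which is the evidence an incident ticket needs to tie the Wi-Fi dump and the persistence to the file that was actually run rather than to the hollowed copy.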
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 6ee8691f69adf3daed94e102a45e79dc
SHA1 8c82055615fe3fb35e985d8c81b3fc2ee9253342
SHA256 d2cb498f1f8e7f89d5e6448e4182bf97ba2458aa9a4bde76fa46e623ef7772ed
SHA512 20920364291fa3914ac95a7ad9573ab0ebe5b68453d5f0c8ce576ea00dffccb8e5647742515730dce5e02d8e7586c4fb3ce94611201761d055ca7c162ec546e9
-
C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\Browsers\Firefox\Bookmarks.txt
Filesize 105B
MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\Directories\Videos.txt
Filesize 23B
MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
Filesize 1KB
MD5 93df10792e8a5a5afdba1e3cdf7238ae
SHA1 f191d257e69bf44686383ae25a079062c622cd4f
SHA256 3563af086891aa59852c419854e818366dbc0e2c5cdedb3b1d0db1e90a6442e3
SHA512 377d57cac7414c3cc8239599a9890eaba46bfed1bf8028afe42f5043243c43ee4dc123bc669255a04df5ae249fce906baf0e4043469865e6cf8f3a46814e3a9d
-
Filesize 1KB
MD5 a2efde5513517a0ff1b435cadd9ad5b8
SHA1 b91abb63ad8bc8ee7d71d93d73f1ee64d775a409
SHA256 3945e21d9a7fa10ba68d16f7c032bac739437462a45538fb7d376500e04e0418
SHA512 551b7c85d7ff9fbcbf1e5fba2c098f6446f9d834f903580f52254bfb1694277d77bb310e30ef5fa5e12334b2696585686b14a949644dddeddc6cee3707377d6f
-
C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\ProductKey.txt
Filesize 29B
MD5 cad6c6bee6c11c88f5e2f69f0be6deb7
SHA1 289d74c3bebe6cca4e1d2e084482ad6d21316c84
SHA256 dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
SHA512 e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097
-
Filesize 19B
MD5 a4350f1904865bc46f3d72a225592712
SHA1 5677e63c7d182ae35bada0c77c91e7515828da43
SHA256 516fd2e78c32dd8269d8816f2d0be0f4e26565eb931a0b6fe08de603ee2a7747
SHA512 68eda9663995b10267a47a94aac4ee93bcb1b2358bc819ec5a2fbedced01bffda07a18e6af9192222490339c0f6f76e9fea1dd27a7b8c67673e1aab52c010e5a
-
C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
Filesize 35KB
MD5 c4a2268064694b49bd6488c02cf529c6
SHA1 862e09bc1b0014a2b6dea6b6ab5bdafe28291307
SHA256 7c6ccf9ad96d0996df00fdc954aef16c076e362525f28734d5c927afd76d32a9
SHA512 2824eb99cff9ccfa89ca84518e5dbba01049cd174062a798f2996f0a4f9ee40bc022a902bff06d471ceff56d01ee7f48bd3d58dc15fb802eefff855766f0a906
-
C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
Filesize 123KB
MD5 3987fc707ff5370a67d6480c00b1769f
SHA1 3d20c1558d8291ff65d91b201b259ee0a3dcbe5d
SHA256 25101656f4e7f74c0f9a32fb8f7c6cd9f23523e40dc9166b86f4a8f2b8236644
SHA512 72a52ac37d454053bbd4bf7d989482601524a0544a961bc88569ad62dbf1de9b24cd54fb59b1cf3d3d8f5cca9d1a0c7944399b0a80b6433872a08e8b25d20624
-
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize 94KB
MD5 550628b16ef8c4e27c4081950cf8fd66
SHA1 ab11427c02cb53b70816b06d5a950b5f52c935eb
SHA256 09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa
SHA512 e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01
-
Filesize 36KB
MD5 b4fcb5edddc0f75933bddac35e0db0ab
SHA1 22e1f640798959f312dee7fe7c36e8b4021d256a
SHA256 0bb006acb80281859bc82b95907a741307d2b6573ad9b436e39ab822ab640bce
SHA512 6fef2b7e85651d49242b6e4dbc57743f3ef5741b05133e3a0d8085527143ae5d073fa239cb542204c12b476dce22ee12098dde391f372e416fac843177857189
-
Filesize 57KB
MD5 25b2e18f1b3139316ae257ae9e14db25
SHA1 395f087ebe9eebae191020a2a94de10361f4d980
SHA256 d4c9179981b81f25f4a9ce969f08d21949e9b384e3ef83425b76d240e1c6d168
SHA512 a0f60becc10e375d670c3ea1151113deea7430b39a72805b7df0ab2af6194d4786c1af858151dc814af481d3963038ad6a412218479105d943393dbafcb90b74
-
Filesize 99KB
MD5 468acfd8e7a6bd0d7ee5b7c7e9fc2326
SHA1 9b1dbcccf56babb3361b91e05ade3cd4fb59e06f
SHA256 81d8442e67dabd490b108f55ea9500ef2174e3d765d6e471b205b8fd9fc68762
SHA512 c2bdb698a39b9b32d1e8f90ba293623624b279ce76c90351c74fab4ae31072daa1f2f1abe443e55f0ac71862b07171d45728bc6019afb64929d0333d214ea8d6
-
\Users\Admin\AppData\Local\Temp\@dr@[email protected]
Filesize 68KB
MD5 56444d83014c9ab8d4c1fd75a090573e
SHA1 ab88bc95077fcc8ba01c45a5b1255d1e13b247d2
SHA256 b3b724b62af1d56eba721cc92a86f0698810f069f8b1dc3637209256bf8164ad
SHA512 1c7a956f29627366a876d2c3714f48eecd2bcf7a1f29ec93513089ed392721346603e73162867f6b69167df7f4176161a9366004fff1c5544bba12019436a271
-
Filesize 64KB
MD5 51b0bca51ca74d831ee1714d72f4f82a
SHA1 c45951f29491c64ad3847b9fc23741806c7db66d
SHA256 3a1cb2eb8e1f6195a3c17220efef67dd84c746ea5617c103eae6d21f188f9d44
SHA512 cfa62537b800a95ce79c04ffd7be8ab3997688527b9e3ffa5f80171d0c91b97ddc463181f8749ea40f3a4b3e0ad1b288b1808f5f46c219b93ae0c49056c66c47