Analysis
-
max time kernel
267s -
max time network
290s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
19-04-2024 03:18
General
-
Target
ISetup2.exe
-
Size
412KB
-
MD5
db549bf7b1403909f8cc9d199c0df2ce
-
SHA1
a19c7a98aab63e793bec2c62dc17d0cd8e9e62a0
-
SHA256
746bf7bf51a835dd5a31e5de08e37900e8c49a2b4f5dac494bd897385f21d9f4
-
SHA512
6e18623990df23f9d80e1f901519e728870ef5f79ee3583e6caaf9ca107c36d893f46eb70962df9180a05043e4b510786e6a553d92e9933cb18b01ea5ce346b2
-
SSDEEP
6144:te64OHLc0cFFQ4hGCAid5LQwpgJHkGNCcxAtrMMYX7XD/:TLc0cFFzwCAbdmkmMMQD/
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
-
Detects Arechclient2 RAT 1 IoCs
Arechclient2.
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 15 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ISetup2.exe"C:\Users\Admin\AppData\Local\Temp\ISetup2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u24g.0.exe"C:\Users\Admin\AppData\Local\Temp\u24g.0.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exeC:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exeC:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\u24g.1.exe"C:\Users\Admin\AppData\Local\Temp\u24g.1.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\cbd917ecdddf4d7ea513e7205a2d5392a887f48f5bd59f61319893cd307908d2\54890a9d5b794ef580f6c768c6685a36.tmpFilesize
1KB
MD569abd9e7090eb685dd2e39372fe42a5b
SHA10e6d334598864f3c3e014f2ced2535aa790f2f41
SHA2560511b804fadf9c2425aa2c5d5f8937c092f40b19395a975efea6011cf530841e
SHA512f1ffb50dcc6fb8b6a8b235b1cfd8bc425906d13ae29c07b309613ef7b829a6743f0071c28cd658213b50cbf11b172cb4fb135436a9af68368609ef8b6d169551
-
C:\Users\Admin\AppData\Local\Temp\2bac4a1eFilesize
5.9MB
MD5dcc26dd014bad9eafa9066d3781b615d
SHA1b0cb8621ca58a196ac73bed4e525deacfaf2d836
SHA25669502ffc7e2b8946d420e682cd1421f58a17f489590f761c580ce2a4feb74ae3
SHA5125a7804fdebe09aada86e327899fa7ce6830c26c426d398dd72ef68121c33e59c2572709a725f43d6f1d31c52e7b4ea10b2128d00d530a00ef9db9a8efef204e3
-
C:\Users\Admin\AppData\Local\Temp\2ecaf842Filesize
1.4MB
MD5e4aa4a1d5a14055c50d79dffee8ed3a8
SHA1e749aed3df2e6493e1fc8fd7dcf424ba24941bb9
SHA25632964dfcfb6ef25051a4ae51dbfa0265e8238caeeaf73bec93f16fcab8038bf7
SHA512641bf4938b88499f4681d7a72b98d7cb29c368d7e9812b5cac8b61101ae68623df7f19615727ddcd7efa8c4ad9cde1f58a9db9692c1570d3024edf88be868fd9
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UIxMarketPlugin.dllFilesize
1.6MB
MD58f75e17a8bf3de6e22e77b5586f8a869
SHA1e0bf196cfc19a8772e003b9058bdc211b419b261
SHA2565f10a9fdcac32e93b1cebc365868ee3266f80c2734524b4aa7b6ea54e123f985
SHA5125a1e78613ad90cb0dc855d8a935b136722749889b66d4d8fc0f52438f0a4f4c8c31fbb981e9c6a13ffb2cc2b77fe0747204b63a91c6fff4646eed915387c8d7d
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exeFilesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\somebody.rtfFilesize
24KB
MD5ff36ebcf134c8846aea77446867e5bc6
SHA153fdf2c0bec711e377edb4f97cd147728fb568f6
SHA256e1c256e5a7f17cb64740223084009f37bddccc49b05e881133412057689b04e9
SHA512b07d5065dd39843c8c7bdfccdd8d39f44b1ce9fe100a2fcf7210549ea1d46bcac54080cf91eff0a05360b26233c542daabdbd5d3f096a5bf0e366583ddb29ec1
-
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\spawn.xmlFilesize
1.3MB
MD52d8de35aa00138b2bfc4fb0fc3d0f58b
SHA128c2d84e01815702c230da456aaa17c7d2519186
SHA25619340e9202db71d8010563c8b8d325cbef5d8448a8df2ad730e74a5a46e36dac
SHA512378116bc71de9f968aaef6ca27944e341a9a825a92831f5834c396160581f5e3656d3b6d1c2a304a65a74c0dd9ca0c50fb0e0016b6174d1fab68909ea1c95128
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
2KB
MD5fd2fb8c4f7da5ddacd0d180b10192cc4
SHA1b6b02249c59bea539c62463b56b43aaecfd05f6b
SHA2563679751f32f4c1e883de4c820bbf84704ba367d8dfcd1bfd66774e8036a86fe1
SHA512fff8c2d6e4509fcb056fe9d72e0617fc4d3676b55c5d3a11b4727263d087b212285dc03709f43bf11754ddfcea13341c18a99220df05581392e02eff688ebebd
-
C:\Users\Admin\AppData\Local\Temp\tmpB444.tmpFilesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
\Users\Admin\AppData\Local\Temp\Qg_Appv5.exeFilesize
14.7MB
MD56955715b6ff15bdc153a2431cc395cca
SHA1272e1eec66a1871b300484b2200b507a4abe5420
SHA256a6d40169be9c151e9e6c86fe53d2bac3b4c2ddb41c0b650d961f8328939b4761
SHA512cf82d27d7010be69ab1c288fef9d820905407c8018e2a91f3c39a0eda5e9378e0ff04d077520d556d46d7a9cb0a3a640d15a10ad4090e482be3c83930836019d
-
\Users\Admin\AppData\Local\Temp\Zqicom_beta\relay.dllFilesize
1.5MB
MD57d2f87123e63950159fb2c724e55bdab
SHA1360f304a6311080e1fead8591cb4659a8d135f2d
SHA256b3483bb771948ed8d3f76faaa3606c8ef72e3d2d355eaa652877e21e0651aa9a
SHA5126cb8d27ebcfdf9e472c0a6fff86e6f4ec604b8f0f21c197ba6d5b76b703296c10c8d7c4fb6b082c7e77f5c35d364bcffd76ae54137e2c8944c1ea7bb9e2e5f08
-
\Users\Admin\AppData\Local\Temp\u24g.0.exeFilesize
269KB
MD592d44b8b53f0bbf0dce9874e88999f14
SHA144d6f23b68539534515ae5c6ee72700047646366
SHA256b8ef044056578e19009b28db82a37f543fa78ef3f08f6e814278231d42086371
SHA51226c3eed0459f0e48b4ac372d92b2f3151d233ff92da2d911c24fe631dc357e445f5f147ee5aa520cbbcd74e8b8e80c1df52147fa2109e167608a4164be8145ea
-
\Users\Admin\AppData\Local\Temp\u24g.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
memory/772-125-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/772-75-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/772-145-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/772-160-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/1156-220-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1156-165-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1156-184-0x0000000077B90000-0x0000000077D39000-memory.dmpFilesize
1.7MB
-
memory/1156-185-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1156-186-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1156-221-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1156-222-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1156-225-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1524-163-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1524-149-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1524-147-0x0000000077B90000-0x0000000077D39000-memory.dmpFilesize
1.7MB
-
memory/1524-146-0x0000000074640000-0x00000000747B4000-memory.dmpFilesize
1.5MB
-
memory/1708-80-0x000007FEF6A60000-0x000007FEF6BB8000-memory.dmpFilesize
1.3MB
-
memory/1708-77-0x000007FEF6A60000-0x000007FEF6BB8000-memory.dmpFilesize
1.3MB
-
memory/1708-44-0x0000000000400000-0x00000000012DD000-memory.dmpFilesize
14.9MB
-
memory/1708-134-0x000007FEF6A60000-0x000007FEF6BB8000-memory.dmpFilesize
1.3MB
-
memory/1708-91-0x000007FEF6A60000-0x000007FEF6BB8000-memory.dmpFilesize
1.3MB
-
memory/1708-70-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/1708-79-0x000007FEF6A60000-0x000007FEF6BB8000-memory.dmpFilesize
1.3MB
-
memory/2340-226-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/2340-232-0x0000000074930000-0x000000007501E000-memory.dmpFilesize
6.9MB
-
memory/2340-246-0x0000000005070000-0x00000000050B0000-memory.dmpFilesize
256KB
-
memory/2340-245-0x0000000074930000-0x000000007501E000-memory.dmpFilesize
6.9MB
-
memory/2340-224-0x00000000731C0000-0x0000000074222000-memory.dmpFilesize
16.4MB
-
memory/2340-227-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/2340-231-0x0000000000400000-0x00000000004C6000-memory.dmpFilesize
792KB
-
memory/2340-235-0x0000000005070000-0x00000000050B0000-memory.dmpFilesize
256KB
-
memory/2480-126-0x0000000077B90000-0x0000000077D39000-memory.dmpFilesize
1.7MB
-
memory/2480-124-0x0000000074680000-0x00000000747F4000-memory.dmpFilesize
1.5MB
-
memory/2752-32-0x0000000000400000-0x0000000002C49000-memory.dmpFilesize
40.3MB
-
memory/2752-3-0x0000000000400000-0x0000000002C49000-memory.dmpFilesize
40.3MB
-
memory/2752-2-0x0000000000320000-0x000000000038D000-memory.dmpFilesize
436KB
-
memory/2752-1-0x0000000002D20000-0x0000000002E20000-memory.dmpFilesize
1024KB
-
memory/2752-56-0x0000000000400000-0x0000000002C49000-memory.dmpFilesize
40.3MB
-
memory/2752-20-0x0000000000400000-0x0000000002C49000-memory.dmpFilesize
40.3MB
-
memory/2752-27-0x0000000000320000-0x000000000038D000-memory.dmpFilesize
436KB
-
memory/2752-26-0x0000000002D20000-0x0000000002E20000-memory.dmpFilesize
1024KB
-
memory/2876-24-0x0000000000400000-0x0000000002C26000-memory.dmpFilesize
40.1MB
-
memory/2876-21-0x0000000002CB0000-0x0000000002DB0000-memory.dmpFilesize
1024KB
-
memory/2876-22-0x00000000002B0000-0x00000000002D7000-memory.dmpFilesize
156KB
-
memory/2876-23-0x0000000000400000-0x0000000002C26000-memory.dmpFilesize
40.1MB
-
memory/3008-168-0x000000001F100000-0x000000001F210000-memory.dmpFilesize
1.1MB
-
memory/3008-182-0x000000001F890000-0x000000001FB90000-memory.dmpFilesize
3.0MB
-
memory/3008-201-0x0000000000610000-0x000000000061A000-memory.dmpFilesize
40KB
-
memory/3008-203-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmpFilesize
9.9MB
-
memory/3008-204-0x000000001ED80000-0x000000001EE00000-memory.dmpFilesize
512KB
-
memory/3008-205-0x000000001ED80000-0x000000001EE00000-memory.dmpFilesize
512KB
-
memory/3008-206-0x000000001ED80000-0x000000001EE00000-memory.dmpFilesize
512KB
-
memory/3008-207-0x0000000000C70000-0x0000000000C7A000-memory.dmpFilesize
40KB
-
memory/3008-208-0x000000001E360000-0x000000001E382000-memory.dmpFilesize
136KB
-
memory/3008-212-0x0000000000C80000-0x0000000000C8C000-memory.dmpFilesize
48KB
-
memory/3008-211-0x000000001ED80000-0x000000001EE00000-memory.dmpFilesize
512KB
-
memory/3008-215-0x0000000000610000-0x000000000061A000-memory.dmpFilesize
40KB
-
memory/3008-214-0x0000000000610000-0x000000000061A000-memory.dmpFilesize
40KB
-
memory/3008-216-0x000000001ED80000-0x000000001EE00000-memory.dmpFilesize
512KB
-
memory/3008-217-0x000000001ED80000-0x000000001EE00000-memory.dmpFilesize
512KB
-
memory/3008-200-0x0000000000610000-0x000000000061A000-memory.dmpFilesize
40KB
-
memory/3008-178-0x00000000005F0000-0x00000000005FA000-memory.dmpFilesize
40KB
-
memory/3008-177-0x0000000000E30000-0x0000000000E92000-memory.dmpFilesize
392KB
-
memory/3008-176-0x0000000000570000-0x00000000005EA000-memory.dmpFilesize
488KB
-
memory/3008-175-0x000000001F210000-0x000000001F2C2000-memory.dmpFilesize
712KB
-
memory/3008-174-0x000000001E2F0000-0x000000001E31A000-memory.dmpFilesize
168KB
-
memory/3008-173-0x0000000000EA0000-0x0000000000EAA000-memory.dmpFilesize
40KB
-
memory/3008-172-0x000000001E100000-0x000000001E124000-memory.dmpFilesize
144KB
-
memory/3008-171-0x0000000000C90000-0x0000000000CA4000-memory.dmpFilesize
80KB
-
memory/3008-170-0x0000000000E90000-0x0000000000E9C000-memory.dmpFilesize
48KB
-
memory/3008-169-0x00000000003E0000-0x00000000003F0000-memory.dmpFilesize
64KB
-
memory/3008-167-0x000000001ED80000-0x000000001EE00000-memory.dmpFilesize
512KB
-
memory/3008-162-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmpFilesize
9.9MB
-
memory/3008-161-0x0000000000FB0000-0x00000000048A8000-memory.dmpFilesize
57.0MB