Analysis

  • max time kernel
    119s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240221-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    02/05/2024, 22:45 UTC

General

  • Target

    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe

  • Size

    445KB

  • MD5

    a8985bb70c650992e207ddd25c5e6a3e

  • SHA1

    0329a58e279c966e17c667774d6f0c649475bffa

  • SHA256

    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b

  • SHA512

    4c7c0c5a4a66ee91fcb7da3bcd45f9600f5d1c1f601b96cda283671c77342183d9156e1333b7cbadd1366d9f805b25b2e32e9b30b9e108bd61a6f22d81b61035

  • SSDEEP

    12288:f9zyluCg7RvcQ7tZRsuPE16N0N9k9ptHMx:PCg7RvcKKnitHMx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • Detect ZGRat V1 3 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs
  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects encrypted or obfuscated .NET executables 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
    "C:\Users\Admin\AppData\Local\Temp\65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Users\Admin\AppData\Local\Temp\u1l4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1l4.0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2540
    • C:\Users\Admin\AppData\Local\Temp\u1l4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1l4.1.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1640

Network

  • flag-de
    GET
    http://185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0
    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
    Remote address:
    185.172.128.90:80
    Request
    GET /cpa/ping.php?substr=0&s=ab&sub=0 HTTP/1.1
    Host: 185.172.128.90
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:45:54 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 1
    Content-Type: text/html; charset=UTF-8
  • flag-de
    GET
    http://185.172.128.228/ping.php?substr=0
    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
    Remote address:
    185.172.128.228:80
    Request
    GET /ping.php?substr=0 HTTP/1.1
    Host: 185.172.128.228
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:45:55 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
  • flag-de
    GET
    http://185.172.128.59/syncUpd.exe
    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
    Remote address:
    185.172.128.59:80
    Request
    GET /syncUpd.exe HTTP/1.1
    Host: 185.172.128.59
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:45:55 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Thu, 02 May 2024 22:45:01 GMT
    ETag: "48c00-617805a769954"
    Accept-Ranges: bytes
    Content-Length: 297984
    Content-Type: application/x-msdos-program
  • flag-de
    GET
    http://185.172.128.228/BroomSetup.exe
    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
    Remote address:
    185.172.128.228:80
    Request
    GET /BroomSetup.exe HTTP/1.1
    Host: 185.172.128.228
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:45:56 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT
    ETag: "4a4030-613b1bf118700"
    Accept-Ranges: bytes
    Content-Length: 4866096
    Content-Type: application/x-msdos-program
  • flag-de
    POST
    http://185.172.128.150/c698e1bc8a2f5e6d.php
    u1l4.0.exe
    Remote address:
    185.172.128.150:80
    Request
    POST /c698e1bc8a2f5e6d.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HIIIECAAKECFHIECBKJD
    Host: 185.172.128.150
    Content-Length: 217
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:45:56 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 156
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-de
    POST
    http://185.172.128.150/c698e1bc8a2f5e6d.php
    u1l4.0.exe
    Remote address:
    185.172.128.150:80
    Request
    POST /c698e1bc8a2f5e6d.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CFBAKEHIEBKJJJJJKKKE
    Host: 185.172.128.150
    Content-Length: 268
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:45:56 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 1520
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-de
    POST
    http://185.172.128.150/c698e1bc8a2f5e6d.php
    u1l4.0.exe
    Remote address:
    185.172.128.150:80
    Request
    POST /c698e1bc8a2f5e6d.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----FHIJJJKKJJDAKEBFIJDH
    Host: 185.172.128.150
    Content-Length: 267
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:45:57 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Vary: Accept-Encoding
    Content-Length: 5416
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-de
    POST
    http://185.172.128.150/c698e1bc8a2f5e6d.php
    u1l4.0.exe
    Remote address:
    185.172.128.150:80
    Request
    POST /c698e1bc8a2f5e6d.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GHDBKJKJKKJDGDGDGIDG
    Host: 185.172.128.150
    Content-Length: 4911
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:45:57 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=97
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • flag-de
    GET
    http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll
    u1l4.0.exe
    Remote address:
    185.172.128.150:80
    Request
    GET /b7d0cfdb1d966bdd/sqlite3.dll HTTP/1.1
    Host: 185.172.128.150
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:45:57 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT
    ETag: "10e436-5e7eeebed8d80"
    Accept-Ranges: bytes
    Content-Length: 1106998
    Content-Type: application/x-msdos-program
  • flag-de
    POST
    http://185.172.128.150/c698e1bc8a2f5e6d.php
    u1l4.0.exe
    Remote address:
    185.172.128.150:80
    Request
    POST /c698e1bc8a2f5e6d.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CGIEGHJEGHJKFIEBFHJK
    Host: 185.172.128.150
    Content-Length: 359
    Connection: Keep-Alive
    Cache-Control: no-cache
  • flag-de
    GET
    http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll
    u1l4.0.exe
    Remote address:
    185.172.128.150:80
    Request
    GET /b7d0cfdb1d966bdd/freebl3.dll HTTP/1.1
    Host: 185.172.128.150
    Cache-Control: no-cache
  • flag-de
    GET
    http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll
    u1l4.0.exe
    Remote address:
    185.172.128.150:80
    Request
    GET /b7d0cfdb1d966bdd/mozglue.dll HTTP/1.1
    Host: 185.172.128.150
    Cache-Control: no-cache
  • flag-us
    DNS
    svc.iolo.com
    u1l4.1.exe
    Remote address:
    8.8.8.8:53
    Request
    svc.iolo.com
    IN A
    Response
    svc.iolo.com
    IN A
    20.157.87.45
  • flag-us
    POST
    http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
    u1l4.1.exe
    Remote address:
    20.157.87.45:80
    Request
    POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
    Connection: keep-alive
    Content-Length: 280
    Host: svc.iolo.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: identity
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
  • flag-us
    DNS
    download.iolo.net
    Remote address:
    8.8.8.8:53
    Request
    download.iolo.net
    IN A
    Response
    download.iolo.net
    IN CNAME
    iolo0.b-cdn.net
    iolo0.b-cdn.net
    IN A
    143.244.56.50
  • flag-fr
    HEAD
    http://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe
    Remote address:
    143.244.56.50:80
    Request
    HEAD /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    User-Agent: Microsoft BITS/7.5
    Host: download.iolo.net
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:46:02 GMT
    Content-Type: application/octet-stream
    Content-Length: 59721128
    Connection: keep-alive
    Server: BunnyCDN-FR1-1073
    CDN-PullZone: 1654350
    CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
    CDN-RequestCountryCode: GB
    Cache-Control: public, max-age=259200
    Last-Modified: Tue, 19 Mar 2024 23:10:11 GMT
    CDN-StorageServer: DE-680
    CDN-FileServer: 757
    CDN-ProxyVer: 1.04
    CDN-RequestPullSuccess: True
    CDN-RequestPullCode: 206
    CDN-CachedAt: 05/01/2024 17:21:57
    CDN-EdgeStorageId: 1072
    CDN-Status: 200
    CDN-RequestId: 800bec9496448565ceb2a5f16e288d16
    CDN-Cache: HIT
    Accept-Ranges: bytes
  • flag-fr
    GET
    http://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe
    Remote address:
    143.244.56.50:80
    Request
    GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 19 Mar 2024 23:10:11 GMT
    User-Agent: Microsoft BITS/7.5
    Host: download.iolo.net
    Response
    HTTP/1.1 200 OK
    Date: Thu, 02 May 2024 22:46:02 GMT
    Content-Type: application/octet-stream
    Content-Length: 59721128
    Connection: keep-alive
    Server: BunnyCDN-FR1-1073
    CDN-PullZone: 1654350
    CDN-Uid: 5b8ea5d8-68d6-4057-a57d-a5f315142028
    CDN-RequestCountryCode: GB
    Cache-Control: public, max-age=259200
    Last-Modified: Tue, 19 Mar 2024 23:10:11 GMT
    CDN-StorageServer: DE-680
    CDN-FileServer: 757
    CDN-ProxyVer: 1.04
    CDN-RequestPullSuccess: True
    CDN-RequestPullCode: 206
    CDN-CachedAt: 05/01/2024 17:21:57
    CDN-EdgeStorageId: 1072
    CDN-Status: 200
    CDN-RequestId: 3a91162be16ed292c77ab92aa74978bb
    CDN-Cache: HIT
    Accept-Ranges: bytes
  • flag-us
    POST
    http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
    u1l4.1.exe
    Remote address:
    20.157.87.45:80
    Request
    POST /__svc/sbv/DownloadManager.ashx HTTP/1.0
    Connection: keep-alive
    Content-Length: 280
    Host: svc.iolo.com
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: identity
    User-Agent: Mozilla/3.0 (compatible; Indy Library)
    Response
    HTTP/1.1 200 OK
    cache-control: private
    content-length: 192
    content-type: text/html; charset=utf-8
    x-whom: Ioloweb7
    date: Thu, 02 May 2024 22:46:07 GMT
    set-cookie: SERVERID=svc7; path=/
    connection: close
  • flag-us
    DNS
    westus2-2.in.applicationinsights.azure.com
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    Remote address:
    8.8.8.8:53
    Request
    westus2-2.in.applicationinsights.azure.com
    IN A
    Response
    westus2-2.in.applicationinsights.azure.com
    IN CNAME
    westus2-2.in.ai.monitor.azure.com
    westus2-2.in.ai.monitor.azure.com
    IN CNAME
    westus2-2.in.ai.privatelink.monitor.azure.com
    westus2-2.in.ai.privatelink.monitor.azure.com
    IN CNAME
    gig-ai-prod-westus2-0.trafficmanager.net
    gig-ai-prod-westus2-0.trafficmanager.net
    IN CNAME
    gig-ai-prod-wus2-02-app-v4-tag.westus2.cloudapp.azure.com
    gig-ai-prod-wus2-02-app-v4-tag.westus2.cloudapp.azure.com
    IN A
    20.9.155.150
  • flag-us
    DNS
    westus2-2.in.applicationinsights.azure.com
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    Remote address:
    8.8.8.8:53
    Request
    westus2-2.in.applicationinsights.azure.com
    IN A
  • flag-us
    DNS
    westus2-2.in.applicationinsights.azure.com
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    Remote address:
    8.8.8.8:53
    Request
    westus2-2.in.applicationinsights.azure.com
    IN A
    Response
    westus2-2.in.applicationinsights.azure.com
    IN CNAME
    westus2-2.in.ai.monitor.azure.com
    westus2-2.in.ai.monitor.azure.com
    IN CNAME
    westus2-2.in.ai.privatelink.monitor.azure.com
    westus2-2.in.ai.privatelink.monitor.azure.com
    IN CNAME
    gig-ai-prod-westus2-0.trafficmanager.net
    gig-ai-prod-westus2-0.trafficmanager.net
    IN CNAME
    gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com
    gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com
    IN A
    20.9.155.148
  • flag-us
    DNS
    westus2-2.in.applicationinsights.azure.com
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    Remote address:
    8.8.8.8:53
    Request
    westus2-2.in.applicationinsights.azure.com
    IN A
    Response
    westus2-2.in.applicationinsights.azure.com
    IN CNAME
    westus2-2.in.ai.monitor.azure.com
    westus2-2.in.ai.monitor.azure.com
    IN CNAME
    westus2-2.in.ai.privatelink.monitor.azure.com
    westus2-2.in.ai.privatelink.monitor.azure.com
    IN CNAME
    gig-ai-prod-westus2-0.trafficmanager.net
    gig-ai-prod-westus2-0.trafficmanager.net
    IN CNAME
    gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com
    gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com
    IN A
    20.9.155.148
  • flag-us
    DNS
    westus2-2.in.applicationinsights.azure.com
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    Remote address:
    8.8.8.8:53
    Request
    westus2-2.in.applicationinsights.azure.com
    IN A
    Response
    westus2-2.in.applicationinsights.azure.com
    IN CNAME
    westus2-2.in.ai.monitor.azure.com
    westus2-2.in.ai.monitor.azure.com
    IN CNAME
    westus2-2.in.ai.privatelink.monitor.azure.com
    westus2-2.in.ai.privatelink.monitor.azure.com
    IN CNAME
    gig-ai-prod-westus2-0.trafficmanager.net
    gig-ai-prod-westus2-0.trafficmanager.net
    IN CNAME
    gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com
    gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com
    IN A
    20.9.155.148
  • flag-us
    DNS
    westus2-2.in.applicationinsights.azure.com
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    Remote address:
    8.8.8.8:53
    Request
    westus2-2.in.applicationinsights.azure.com
    IN A
    Response
    westus2-2.in.applicationinsights.azure.com
    IN CNAME
    westus2-2.in.ai.monitor.azure.com
    westus2-2.in.ai.monitor.azure.com
    IN CNAME
    westus2-2.in.ai.privatelink.monitor.azure.com
    westus2-2.in.ai.privatelink.monitor.azure.com
    IN CNAME
    gig-ai-prod-westus2-0.trafficmanager.net
    gig-ai-prod-westus2-0.trafficmanager.net
    IN CNAME
    gig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.com
    gig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.com
    IN A
    20.9.155.145
  • 185.172.128.90:80
    http://185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0
    http
    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
    386 B
    280 B
    4
    3

    HTTP Request

    GET http://185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0

    HTTP Response

    200
  • 185.172.128.228:80
    http://185.172.128.228/ping.php?substr=0
    http
    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
    372 B
    279 B
    4
    3

    HTTP Request

    GET http://185.172.128.228/ping.php?substr=0

    HTTP Response

    200
  • 185.172.128.59:80
    http://185.172.128.59/syncUpd.exe
    http
    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
    5.7kB
    307.6kB
    119
    233

    HTTP Request

    GET http://185.172.128.59/syncUpd.exe

    HTTP Response

    200
  • 185.172.128.228:80
    http://185.172.128.228/BroomSetup.exe
    http
    65cb316887cf8c4f1c5bbdfa226fa957f0a91cd5f858bb5f5f244d64da58077b.exe
    106.0kB
    4.6MB
    2104
    3447

    HTTP Request

    GET http://185.172.128.228/BroomSetup.exe

    HTTP Response

    200
  • 185.172.128.150:80
    http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll
    http
    u1l4.0.exe
    985.7kB
    3.2MB
    2274
    2727

    HTTP Request

    POST http://185.172.128.150/c698e1bc8a2f5e6d.php

    HTTP Response

    200

    HTTP Request

    POST http://185.172.128.150/c698e1bc8a2f5e6d.php

    HTTP Response

    200

    HTTP Request

    POST http://185.172.128.150/c698e1bc8a2f5e6d.php

    HTTP Response

    200

    HTTP Request

    POST http://185.172.128.150/c698e1bc8a2f5e6d.php

    HTTP Response

    200

    HTTP Request

    GET http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll

    HTTP Response

    200

    HTTP Request

    POST http://185.172.128.150/c698e1bc8a2f5e6d.php

    HTTP Request

    GET http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll

    HTTP Request

    GET http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll
  • 20.157.87.45:80
    http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
    http
    u1l4.1.exe
    724 B
    132 B
    4
    3

    HTTP Request

    POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
  • 143.244.56.50:80
    http://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe
    http
    996.6kB
    24.4MB
    16114
    17471

    HTTP Request

    HEAD http://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe

    HTTP Response

    200

    HTTP Request

    GET http://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe

    HTTP Response

    200
  • 20.157.87.45:80
    http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
    http
    u1l4.1.exe
    816 B
    657 B
    6
    6

    HTTP Request

    POST http://svc.iolo.com/__svc/sbv/DownloadManager.ashx

    HTTP Response

    200
  • 20.9.155.150:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.150:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.148:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.148:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.148:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.148:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.148:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.148:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.148:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.148:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.145:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 20.9.155.145:443
    westus2-2.in.applicationinsights.azure.com
    tls
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    284 B
    92 B
    3
    2
  • 8.8.8.8:53
    svc.iolo.com
    dns
    u1l4.1.exe
    58 B
    74 B
    1
    1

    DNS Request

    svc.iolo.com

    DNS Response

    20.157.87.45

  • 8.8.8.8:53
    download.iolo.net
    dns
    63 B
    105 B
    1
    1

    DNS Request

    download.iolo.net

    DNS Response

    143.244.56.50

  • 8.8.8.8:53
    westus2-2.in.applicationinsights.azure.com
    dns
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    176 B
    300 B
    2
    1

    DNS Request

    westus2-2.in.applicationinsights.azure.com

    DNS Request

    westus2-2.in.applicationinsights.azure.com

    DNS Response

    20.9.155.150

  • 8.8.8.8:53
    westus2-2.in.applicationinsights.azure.com
    dns
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    88 B
    300 B
    1
    1

    DNS Request

    westus2-2.in.applicationinsights.azure.com

    DNS Response

    20.9.155.148

  • 8.8.8.8:53
    westus2-2.in.applicationinsights.azure.com
    dns
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    88 B
    300 B
    1
    1

    DNS Request

    westus2-2.in.applicationinsights.azure.com

    DNS Response

    20.9.155.148

  • 8.8.8.8:53
    westus2-2.in.applicationinsights.azure.com
    dns
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    88 B
    300 B
    1
    1

    DNS Request

    westus2-2.in.applicationinsights.azure.com

    DNS Response

    20.9.155.148

  • 8.8.8.8:53
    westus2-2.in.applicationinsights.azure.com
    dns
    SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    88 B
    299 B
    1
    1

    DNS Request

    westus2-2.in.applicationinsights.azure.com

    DNS Response

    20.9.155.145

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\049b7335d372bd07248452d0b58e37cfb8420ac5b148b226adcb19ae95655a7b\46f644179b8f4e139748fe27fe7cc0b8.tmp

    Filesize

    1KB

    MD5

    3f17c11b8fb54286c0f45e4d80420a32

    SHA1

    a52c51e44bcceba5c0adedb8388eaf58cbfd19e5

    SHA256

    8695854571f2938c940d8c0bb3f7fdfed82169a281c7e94639f1e0b5ea6c573f

    SHA512

    d44061be636edab9727a97d3dcd27d97d313b9d576924becddfe58b4e1ea36b2b00b24e76a0387849ea8ed12009faf7b26e073d339414ef3ffe0bc082dd48aee

  • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

    Filesize

    3KB

    MD5

    ea698d941b40756c9b989a1c8bfeb1d7

    SHA1

    5eb7e9b25c13cbd74265ea9d0fc65edce5eef45e

    SHA256

    93a0301a1a1c562b3c6942eacf613f3a979c7cf828d0c7d51797ffe6602ab024

    SHA512

    71c86ade049f453d0d12f2c9d1a1e7c44d145a76e872052fde058850c5bca95647038f6d7109c8e17b68da442bf485137368f97cf543a4f49d692294ce1fb78f

  • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

    Filesize

    2KB

    MD5

    89fc7fce062c3f61f7440fcae97dd56e

    SHA1

    998b159129d4d3eb646341058e72856bdaf063e4

    SHA256

    f886b729d8a5786c0827469381735c6e2be31ede4b70c1812f2c1dff21ae7cb8

    SHA512

    682372afbf3679f491a3757972a129105914576a3d7e5ab0dddcbdbb12a8bf9c4b45e1d5592f32155468dfae19947289fac0b3a7ffd0a59cee04fc60ca5608c5

  • \ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • \ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • \Users\Admin\AppData\Local\Temp\u1l4.0.exe

    Filesize

    291KB

    MD5

    612893f3af1d76a58eddb1399cb8a75e

    SHA1

    170080d0a93308ee7eabc2949a8f3342b809228c

    SHA256

    e71a371b4619a44df81513dd372ea02741ebf9d6438624503ff432c45329a256

    SHA512

    5c0a47a2a9a17dad4546601048d2b91447434f11eedce9629909c672c5e40edfa6c4ae101961c196fdccaa96bab5b428bd282bb9a6e5a96011e1c9a63c3541f7

  • \Users\Admin\AppData\Local\Temp\u1l4.1.exe

    Filesize

    4.6MB

    MD5

    397926927bca55be4a77839b1c44de6e

    SHA1

    e10f3434ef3021c399dbba047832f02b3c898dbd

    SHA256

    4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

    SHA512

    cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

  • memory/1640-134-0x000000001F030000-0x000000001F140000-memory.dmp

    Filesize

    1.1MB

  • memory/1640-144-0x0000000000500000-0x000000000050A000-memory.dmp

    Filesize

    40KB

  • memory/1640-160-0x0000000000520000-0x000000000052A000-memory.dmp

    Filesize

    40KB

  • memory/1640-159-0x0000000000520000-0x000000000052A000-memory.dmp

    Filesize

    40KB

  • memory/1640-155-0x000000001E0F0000-0x000000001E0FC000-memory.dmp

    Filesize

    48KB

  • memory/1640-151-0x000000001E0C0000-0x000000001E0CA000-memory.dmp

    Filesize

    40KB

  • memory/1640-152-0x000000001E0D0000-0x000000001E0F2000-memory.dmp

    Filesize

    136KB

  • memory/1640-150-0x0000000000520000-0x000000000052A000-memory.dmp

    Filesize

    40KB

  • memory/1640-133-0x0000000000DE0000-0x00000000046D8000-memory.dmp

    Filesize

    57.0MB

  • memory/1640-148-0x000000001FC40000-0x000000001FF40000-memory.dmp

    Filesize

    3.0MB

  • memory/1640-135-0x00000000001E0000-0x00000000001F0000-memory.dmp

    Filesize

    64KB

  • memory/1640-136-0x0000000000570000-0x000000000057C000-memory.dmp

    Filesize

    48KB

  • memory/1640-137-0x0000000000550000-0x0000000000564000-memory.dmp

    Filesize

    80KB

  • memory/1640-138-0x0000000005BE0000-0x0000000005C04000-memory.dmp

    Filesize

    144KB

  • memory/1640-141-0x000000001ED60000-0x000000001EE12000-memory.dmp

    Filesize

    712KB

  • memory/1640-140-0x000000001ED30000-0x000000001ED5A000-memory.dmp

    Filesize

    168KB

  • memory/1640-139-0x0000000000DD0000-0x0000000000DDA000-memory.dmp

    Filesize

    40KB

  • memory/1640-143-0x0000000000D70000-0x0000000000DD2000-memory.dmp

    Filesize

    392KB

  • memory/1640-142-0x000000001F510000-0x000000001F58A000-memory.dmp

    Filesize

    488KB

  • memory/2056-3-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/2056-1-0x0000000000680000-0x0000000000780000-memory.dmp

    Filesize

    1024KB

  • memory/2056-36-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

  • memory/2056-37-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/2056-2-0x0000000000230000-0x000000000029C000-memory.dmp

    Filesize

    432KB

  • memory/2540-42-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

  • memory/2540-129-0x0000000000400000-0x0000000002B06000-memory.dmp

    Filesize

    39.0MB

  • memory/2540-119-0x0000000000400000-0x0000000002B06000-memory.dmp

    Filesize

    39.0MB

  • memory/2712-132-0x0000000000400000-0x00000000008AD000-memory.dmp

    Filesize

    4.7MB
