Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    213s
  • max time network
    204s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-05-2024 23:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b21236873589e7a87443638329edc4d16f6f56a48ddebbba3d5ccd0e9401ecbd.exe

  • Size

    365KB

  • MD5

    b1dec1297755fa5d0dd45742506cc365

  • SHA1

    8129aab6ae529b053cf2e7ef82cf25108789b0bb

  • SHA256

    b21236873589e7a87443638329edc4d16f6f56a48ddebbba3d5ccd0e9401ecbd

  • SHA512

    04bb173e13e0848433a1b638188d0c6981f570b00534836c09833528d7bf44f61d813b3132d0288f8c594402b65b0172fc8078d7eed1d39384ed35d8d9386987

  • SSDEEP

    6144:0j9PNW6k+7KXF5gUZwnAFpPLr2PXEVT1NjGzG4YqJcbbYTOO1:0j9PA6d7K4UZwQ2Xw1mt+b8OO1

Score
10/10
stealczgratdiscoveryratstealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • Detect ZGRat V1 3 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b21236873589e7a87443638329edc4d16f6f56a48ddebbba3d5ccd0e9401ecbd.exe
    "C:\Users\Admin\AppData\Local\Temp\b21236873589e7a87443638329edc4d16f6f56a48ddebbba3d5ccd0e9401ecbd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Local\Temp\u2b4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u2b4.0.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:3020
    • C:\Users\Admin\AppData\Local\Temp\u2b4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u2b4.1.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\f40fa09571ae3e4604ca1ef5093c12d04345052412cd199086553bfab6d3b7c7\8825afa35f914367b5f44c3c348297fe.tmp
    Filesize

    1KB

    MD5

    ffd3cdf1d4601ede2d83fbac5febeaa7

    SHA1

    3c7de8bb1519cc735e1bf49fb7bbc8553189298f

    SHA256

    611762d8ae073fc6e04fd6afb701291e4f6a5c2f7c2ccfd55fe1fe0b238d32d7

    SHA512

    b15ee443b254e963a2077ac4bc30cbf0f61a0062caabd2858bec6920f4d46b459fcea63c97a0f170dfda662e70597a4ac1e76550b320d674e77e640be21f3bcc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\u2b4.0.exe
    Filesize

    223KB

    MD5

    ac3b1a30e96b6d89ce98a21bb5b2093a

    SHA1

    4270104678195b8cad3520a704c556155a0a65b5

    SHA256

    803946c2712aec2b60b54b3cd7c3375a9a0158e7ccbfbd4ab8a66e6ddfc7d463

    SHA512

    65e74527ffa9d6e776d063db44322080315a5a9eb13bb67acd61be6e65862ec127366d742beca349c7ca8281e2f67193bafc14c8c0ee3f222b19b452d05c8491

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\u2b4.1.exe
    Filesize

    4.6MB

    MD5

    397926927bca55be4a77839b1c44de6e

    SHA1

    e10f3434ef3021c399dbba047832f02b3c898dbd

    SHA256

    4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

    SHA512

    cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

    Download Submit

  • memory/1868-92-0x000000001F5B0000-0x000000001F612000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1868-91-0x0000000005950000-0x000000000595A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1868-81-0x000000001E910000-0x000000001E91A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1868-79-0x000000001E590000-0x000000001E5B4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1868-101-0x0000000005750000-0x000000000575A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1868-102-0x0000000005750000-0x000000000575A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1868-96-0x0000000005A50000-0x0000000005A5C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1868-75-0x000000001ECE0000-0x000000001EDEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1868-74-0x0000000000010000-0x0000000003844000-memory.dmp

    Filesize

    56.2MB

    Download

  • memory/1868-77-0x0000000005960000-0x000000000596C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1868-78-0x0000000005790000-0x00000000057A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1868-76-0x0000000005780000-0x0000000005790000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1868-82-0x000000001EC50000-0x000000001EC7A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1868-83-0x000000001F500000-0x000000001F5B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1868-93-0x0000000005A30000-0x0000000005A52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1868-90-0x0000000005750000-0x000000000575A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1868-84-0x0000000003E20000-0x0000000003E2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1868-88-0x000000001FDA0000-0x00000000200A0000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2696-73-0x0000000000400000-0x00000000008AD000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2696-61-0x0000000000400000-0x00000000008AD000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2992-35-0x0000000001E90000-0x0000000001F90000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2992-3-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/2992-36-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/2992-1-0x0000000001E90000-0x0000000001F90000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2992-2-0x0000000000230000-0x000000000029C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2992-34-0x0000000000400000-0x0000000001A25000-memory.dmp

    Filesize

    22.1MB

    Download

  • memory/3020-60-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3020-115-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3020-142-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3020-129-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/3020-138-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download