Analysis
-
max time kernel
217s
max time network
203s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted
08-05-2024 23:47
Static task
static1
Behavioral task
behavioral1
Sample
b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7.exe
Resource
win7-20240508-en
General
-
Target
b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7.exe
-
Size
416KB
-
MD5
7b2875cb05e2096cdff530aa2b6fc6fc
-
SHA1
3db46544f57870426eaee8aa07bdd1e605c54b29
-
SHA256
b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7
-
SHA512
0e0208f81195b6e5c3c01e2bed1cf38fb9221b0c86190da4e77763880da21d1b5f81c142dfcf27ee6ba8d7ff3383d1417d466a28c5bdc2f13a0dd498f4928441
-
SSDEEP
6144:xNDSLZK+bH6tSYLDidexnCihNJnrWXy1JFIHbP3ShohW90F:LSLZKK/dCCibRz4PiLaF
Malware Config
Extracted
stealc
http://185.172.128.150
-
url_path
/c698e1bc8a2f5e6d.php
Signatures
-
Detect ZGRat V1 3 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/2152-73-0x00000000011B0000-0x00000000049E4000-memory.dmp  family_zgrat_v1
behavioral1/memory/2152-74-0x000000001ED50000-0x000000001EE5A000-memory.dmp  family_zgrat_v1
behavioral1/memory/2152-78-0x000000001E1E0000-0x000000001E204000-memory.dmp  family_zgrat_v1
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid   Process
2604  u1gw.0.exe
2620  u1gw.1.exe
Loads dropped DLL 8 IoCs
Processes:
pid   Process
1904  b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7.exe  (8 identical entries; the loaded DLL names are not shown in the report)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description     ioc                                                Process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   u1gw.1.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   u1gw.1.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   u1gw.1.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                       Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           u1gw.0.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString       u1gw.0.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   Process
2152  SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe  (5 entries)
2604  u1gw.0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   Process
Token: SeDebugPrivilege  2152  SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
pid   Process
2620  u1gw.1.exe  (7 entries)
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
pid   Process
2620  u1gw.1.exe  (7 entries)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                         pid   Process                                                                 procid_target
PID 1904 wrote to memory of 2604    1904  b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7.exe  28  (4 entries)
PID 1904 wrote to memory of 2620    1904  b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7.exe  30  (4 entries)
PID 2620 wrote to memory of 2152    2620  u1gw.1.exe                                                              31  (4 entries)
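The two "sandboxing environment" signatures above only record which registry keys the dropped executables read: u1gw.0.exe queries ProcessorNameString under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0, and u1gw.1.exe enumerates HKLM\SYSTEM\ControlSet001\Enum\SCSI. What a check like that typically does with those values is compare them against hypervisor vendor strings. The following is an added example, not code from the sample or from the sandbox; the marker list and the decision logic are assumptions about how such a check is usually written, and the hardware strings fed to it are constructed. It is useful for a sandbox operator who wants to see whether their own guest would trip such a check (the live read runs on Windows only).

```python
r"""Anti-sandbox heuristic built on the registry keys named in the report.

Added example, not code from the sample. The report shows only that the
dropped executables read HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0
(value ProcessorNameString) and enumerate HKLM\SYSTEM\ControlSet001\Enum\SCSI.
VM_MARKERS and the matching logic are assumptions about typical checks.
"""
import sys

PROCESSOR_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Substrings commonly used to recognise a hypervisor or emulator (assumption).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "xen", "kvm", "hyper-v", "bochs")


def read_processor_name():
    r"""Read ProcessorNameString from the key u1gw.0.exe queries (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROCESSOR_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "ProcessorNameString")
    return value


def read_scsi_device_ids():
    r"""Enumerate the device-ID subkeys under Enum\SCSI, as u1gw.1.exe does (Windows only)."""
    import winreg
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        index = 0
        while True:
            try:
                ids.append(winreg.EnumKey(key, index))
            except OSError:  # no more subkeys
                break
            index += 1
    return ids


def sandbox_indicators(processor_name, scsi_ids):
    """Return every (source, value, marker) triple a check of this kind would trip on."""
    hits = []
    lowered = processor_name.lower()
    for marker in VM_MARKERS:
        if marker in lowered:
            hits.append(("ProcessorNameString", processor_name, marker))
    for device in scsi_ids:
        lowered = device.lower()
        for marker in VM_MARKERS:
            if marker in lowered:
                hits.append(("Enum\\SCSI", device, marker))
    return hits


def looks_like_sandbox(processor_name, scsi_ids):
    """True when at least one hypervisor marker is present."""
    return bool(sandbox_indicators(processor_name, scsi_ids))


# Constructed inputs standing in for a bare-metal host and an unhardened VM guest.
BARE_METAL = ("Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
              ["Disk&Ven_Samsung&Prod_SSD_870", "CdRom&Ven_HL-DT-ST&Prod_DVDRAM"])
DEFAULT_VM = ("Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
              ["Disk&Ven_VMware&Prod_Virtual_disk", "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00"])

if __name__ == "__main__":
    if sys.platform == "win32":
        live = (read_processor_name(), read_scsi_device_ids())
        print("live host:", sandbox_indicators(*live) or "no VM markers")
    for label, sample in (("bare metal", BARE_METAL), ("default VM", DEFAULT_VM)):
        print(f"{label}: {sandbox_indicators(*sample) or 'no VM markers'}")
```

Note that the SCSI device IDs are where a default VMware or VirtualBox guest gives itself away even when the CPU string is passed through from the host, which is why the report flags the Enum\SCSI enumeration separately from the processor check.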
Processes
-
C:\Users\Admin\AppData\Local\Temp\b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1904

  C:\Users\Admin\AppData\Local\Temp\u1gw.0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\u1gw.0.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID: 2604

  C:\Users\Admin\AppData\Local\Temp\u1gw.1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\u1gw.1.exe"
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2620

    C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2152
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\e6ffddf3200b65799721748e7bb893fcf6bbd5f96862174d6d4619981bbc3f50\f61c360446f24080a9d99afb87700b7c.tmp
Filesize
1KB
MD5
545094925a49be995bd774bf91362c28
SHA1
a496033d43ff8def549d87d78e6ef140f404ab19
SHA256
617b92c18b4701a65b857da07fcc540638ecf023d54b645a5650e423002fe14f
SHA512
c76f40f01f7e35f5aa4ac145a36d3852966e0b040f5b5bdf6fe288bd646aa53a46451f7acb3ab7e05f53c92a012b94efca53d4dec7cd5ea0c373fa483c887eb8
-
Filesize
2KB
MD5
5954347627905aa4eeb32309214053f7
SHA1
4eb51650ac723509bb9db612385e2c4348e483b9
SHA256
cc3a287741e3292bc1550131b99a1fd70625fb7c1308a92cbd38259799e2aaee
SHA512
7b4d8d88e8517c1d81356bf79e8ad385d8ad610c8f07c59c97eb8f6c44e5dcd9b54bf0745dc9917d6f280d304d742c4d1f2c73a582fbeada2810b2311e7a5d1d
-
Filesize
223KB
MD5
ac3b1a30e96b6d89ce98a21bb5b2093a
SHA1
4270104678195b8cad3520a704c556155a0a65b5
SHA256
803946c2712aec2b60b54b3cd7c3375a9a0158e7ccbfbd4ab8a66e6ddfc7d463
SHA512
65e74527ffa9d6e776d063db44322080315a5a9eb13bb67acd61be6e65862ec127366d742beca349c7ca8281e2f67193bafc14c8c0ee3f222b19b452d05c8491
-
Filesize
4.6MB
MD5
397926927bca55be4a77839b1c44de6e
SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
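The report yields three kinds of indicator worth hunting for on other hosts: the extracted Stealc C2 (host 185.172.128.150, gate path /c698e1bc8a2f5e6d.php), the SHA256 values of the sample and of the files it downloaded, and the process chain in which the sample launches u1gw.0.exe and u1gw.1.exe from the same %LOCALAPPDATA%\Temp directory. The following is an added example, not part of the sandbox output: it takes those values from the report and runs them over log lines constructed here for the demonstration. The one-event-per-line key=value log format is an assumption made for the example and is not the output of any particular product.

```python
"""Hunt the indicators from this sandbox report across endpoint and proxy logs.

Added example, not part of the report. Indicator values are copied from the
report above; the log lines and their key=value format are constructed here.
"""
import re

# Indicators copied from the report.
SAMPLE_SHA256 = "b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7"
DROPPED_SHA256 = {
    "617b92c18b4701a65b857da07fcc540638ecf023d54b645a5650e423002fe14f",
    "cc3a287741e3292bc1550131b99a1fd70625fb7c1308a92cbd38259799e2aaee",
    "803946c2712aec2b60b54b3cd7c3375a9a0158e7ccbfbd4ab8a66e6ddfc7d463",
    "4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7",
}
C2_HOST = "185.172.128.150"
C2_PATH = "/c698e1bc8a2f5e6d.php"


def parse_event(line):
    """Split 'key=value key="quoted value"' into a dict (constructed log format)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def match_event(ev):
    """Return the names of every indicator the event trips."""
    hits = []
    sha256 = ev.get("sha256", "").lower()
    if sha256 == SAMPLE_SHA256:
        hits.append("sample_hash")
    if sha256 in DROPPED_SHA256:
        hits.append("dropped_file_hash")
    # Stealc C2 from the extracted config: host and gate path are matched separately,
    # so a proxy log that only records the host still produces a hit.
    if ev.get("dst_host") == C2_HOST:
        hits.append("stealc_c2_host")
    if ev.get("url_path", "").lower() == C2_PATH:
        hits.append("stealc_c2_path")
    # Process chain from the report: the sample launching u1gw.0.exe / u1gw.1.exe.
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    if parent.endswith(SAMPLE_SHA256 + ".exe") and re.search(r"\\u1gw\.[01]\.exe$", image):
        hits.append("dropper_child_process")
    return hits


def hunt(lines):
    """Return [(line_number, hits)] for every line that matches at least one indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_event(parse_event(line))
        if hits:
            results.append((number, hits))
    return results


# Constructed log lines: three true positives from the report's behaviour, one benign.
SAMPLE_LOG = [
    r'type=proc_create image="C:\Users\Admin\AppData\Local\Temp\u1gw.0.exe" '
    r'parent_image="C:\Users\Admin\AppData\Local\Temp\b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7.exe" pid=2604',
    r'type=proc_create image="C:\Windows\System32\notepad.exe" parent_image="C:\Windows\explorer.exe" pid=3100',
    'type=http method=POST dst_host=185.172.128.150 url_path=/c698e1bc8a2f5e6d.php status=200',
    'type=file_create sha256=803946c2712aec2b60b54b3cd7c3375a9a0158e7ccbfbd4ab8a66e6ddfc7d463 size=223KB',
]

if __name__ == "__main__":
    for number, hits in hunt(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The process-chain rule is the most durable of the three: the C2 address and the download hashes change between campaigns, while a freshly written executable in %LOCALAPPDATA%\Temp spawning further executables from the same directory is the behaviour the report's "Executes dropped EXE" and "Suspicious use of WriteProcessMemory" signatures describe.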