Overview

overview

10

Static

static

3

fd3f7db725...83.exe

windows7-x64

10

fd3f7db725...83.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    08-05-2024 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd3f7db725c6d215bf5e5599363f6c1aad5cf5204a4bee691e00db4fe95bf083.exe

  • Size

    415KB

  • MD5

    2c418334727e8fc2b5cfbd75f5d279ec

  • SHA1

    554e3b34a4d09d61da5bb35fb50638cb74c4dc32

  • SHA256

    fd3f7db725c6d215bf5e5599363f6c1aad5cf5204a4bee691e00db4fe95bf083

  • SHA512

    c21dd93e0b032d5daa1615f19e429adfc056b2a90b3358c36b0f614a1dd8dfa7e09d722c49bffa71227d3f4ce5b9802212bc41db219e90176087ef573d285af6

  • SSDEEP

    6144:P50SXOdGHuDgJrhcqwNlpOE7oXLp3FkOfU49bCs7LrkA1:qSXOdvDIXY7O9X13FknszkA1

Score
10/10
stealczgratdiscoveryratstealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • Detect ZGRat V1 3 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects encrypted or obfuscated .NET executables 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd3f7db725c6d215bf5e5599363f6c1aad5cf5204a4bee691e00db4fe95bf083.exe
    "C:\Users\Admin\AppData\Local\Temp\fd3f7db725c6d215bf5e5599363f6c1aad5cf5204a4bee691e00db4fe95bf083.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\u1to.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1to.0.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:3004
    • C:\Users\Admin\AppData\Local\Temp\u1to.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1to.1.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\bd92d7984d802ff9a1e24336bd1ccb4209c69a1bd116225cd9479ac9d0f516c4\446b222b0a5b4aee9d1faa69d891f999.tmp
    Filesize

    1KB

    MD5

    4423f022cc01e44bd75e45a85715b293

    SHA1

    3d968fdc72980ee67719ba4edeaa5caf2a26baf8

    SHA256

    ef6fff7ef622733606f41afc16fd926a47ddc19d6e441959cbd61cd9783f8f32

    SHA512

    1453061164e399ebe2dd2ce03a5f8bb908bfe3d5c6aa530f3a235e95a6061219ef45c00ba087a5a77b6d03c88922ee10106fdd4b4da1538a4c0cf2d9334b0632

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
    Filesize

    3KB

    MD5

    c204db41b6a83a4ba241206ad36f87b2

    SHA1

    4c4477dc8bbbb0fc67f9c5426bf5886ef967845b

    SHA256

    2c48b3a5d1719ddb6cd6914ecda1694c0ed78f3f299224b68442c34c9414d676

    SHA512

    5a91b36bf987b705e76290e0900dec2497548697bb0b4fee3ef21cac0e35e413a2a3b1b7ad16e9d126ee2fb159710ebe35f2a83072558fa868fac5b8d837a6fb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\u1to.0.exe
    Filesize

    225KB

    MD5

    defa7c78ede3a0e93381126de0234328

    SHA1

    90fbdb299db7e54ed706f20821846622a124e6ff

    SHA256

    1eb49064f0f461813a0e86abb774d7664272f295a21ca0b5847dcfcf91926a24

    SHA512

    dfd2ca5e8f403ca0668c7c3e8d34367dec0247a77442906ca265acfa7c08496b81d911a7c9c280b5baab05c7b79d3566dd26912501026f9da26a73354a4a9fc8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\u1to.1.exe
    Filesize

    4.6MB

    MD5

    397926927bca55be4a77839b1c44de6e

    SHA1

    e10f3434ef3021c399dbba047832f02b3c898dbd

    SHA256

    4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

    SHA512

    cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

    Download Submit

  • memory/1632-78-0x0000000000950000-0x0000000000974000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1632-82-0x000000001EA80000-0x000000001EB32000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1632-101-0x00000000059A0000-0x00000000059AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1632-96-0x000000001E410000-0x000000001E41C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1632-93-0x000000001E3F0000-0x000000001E412000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1632-92-0x000000001E880000-0x000000001E8E2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1632-91-0x000000001DFD0000-0x000000001DFDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1632-73-0x0000000000970000-0x00000000041A4000-memory.dmp

    Filesize

    56.2MB

    Download

  • memory/1632-74-0x000000001EF70000-0x000000001F07A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1632-75-0x00000000003E0000-0x00000000003F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1632-76-0x0000000000410000-0x000000000041C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1632-77-0x00000000003F0000-0x0000000000404000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1632-89-0x00000000059A0000-0x00000000059AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1632-80-0x00000000005D0000-0x00000000005DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1632-81-0x0000000005AE0000-0x0000000005B0A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1632-90-0x00000000059A0000-0x00000000059AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1632-83-0x0000000005770000-0x000000000577A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1632-87-0x000000001FC40000-0x000000001FF40000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2364-36-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/2364-3-0x0000000000400000-0x000000000046F000-memory.dmp

    Filesize

    444KB

    Download

  • memory/2364-1-0x0000000001BF0000-0x0000000001CF0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2364-34-0x0000000000400000-0x0000000001A32000-memory.dmp

    Filesize

    22.2MB

    Download

  • memory/2364-35-0x0000000001BF0000-0x0000000001CF0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2364-2-0x0000000000230000-0x000000000029C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2708-72-0x0000000000400000-0x00000000008AD000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3004-69-0x0000000000400000-0x0000000001A03000-memory.dmp

    Filesize

    22.0MB

    Download

  • memory/3004-114-0x0000000000400000-0x0000000001A03000-memory.dmp

    Filesize

    22.0MB

    Download

  • memory/3004-123-0x0000000000400000-0x0000000001A03000-memory.dmp

    Filesize

    22.0MB

    Download

  • memory/3004-132-0x0000000000400000-0x0000000001A03000-memory.dmp

    Filesize

    22.0MB

    Download