Malware Analysis Report

2024-11-30 20:04

Sample ID: 240509-l2zj2aca8v
Target: 0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0
SHA256: 0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0
Tags: stealc zgrat discovery rat spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0

Threat Level: Known bad

The file 0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0 was found to be: Known bad.

Malicious Activity Summary

stealc zgrat discovery rat spyware stealer

Stealc

Detect ZGRat V1

ZGRat

Downloads MZ/PE file

Reads data files stored by FTP clients

Executes dropped EXE

Checks computer location settings

Checks installed software on the system

Enumerates physical storage devices

Program crash

Unsigned PE

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 10:02

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 10:02

Reported

2024-05-09 10:05

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe"

Signatures

Detect ZGRat V1

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uto.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uto.1.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uto.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uto.1.exe | N/A |

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\uto.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\uto.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\uto.1.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\uto.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\uto.0.exe | N/A |

Delays execution with timeout.exe

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uto.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uto.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1068 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\uto.0.exe |
| PID 1068 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\uto.0.exe |
| PID 1068 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\uto.0.exe |
| PID 1068 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\uto.1.exe |
| PID 1068 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\uto.1.exe |
| PID 1068 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\uto.1.exe |
| PID 4192 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\uto.0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4192 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\uto.0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4192 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\uto.0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1708 wrote to memory of 4472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1708 wrote to memory of 4472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1708 wrote to memory of 4472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4376 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\uto.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe |
| PID 4376 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\uto.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe

"C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe"

C:\Users\Admin\AppData\Local\Temp\uto.0.exe

"C:\Users\Admin\AppData\Local\Temp\uto.0.exe"

C:\Users\Admin\AppData\Local\Temp\uto.1.exe

"C:\Users\Admin\AppData\Local\Temp\uto.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1068 -ip 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1600

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\uto.0.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4192 -ip 4192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1316

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| BE | 2.17.196.145:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| BE | 2.17.196.145:443 | www.bing.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| US | 8.8.8.8:53 | 150.128.172.185.in-addr.arpa | udp |
| FR | 143.244.56.49:443 | download.iolo.net | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| US | 8.8.8.8:53 | 49.56.244.143.in-addr.arpa | udp |
| DE | 185.172.128.150:80 | | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 150.155.9.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 185.172.128.150:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |

Files

memory/1068-1-0x0000000002E40000-0x0000000002F40000-memory.dmp

memory/1068-2-0x00000000047E0000-0x000000000484C000-memory.dmp

memory/1068-3-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uto.0.exe

MD5 a5a396650cc1831759ee447062d4593a
SHA1 37bd8f9b348b16378ea9023489243b8725addf82
SHA256 a1f50375231c83613bd18aee62fdeccb52c06445d1eebf5fc7293246746f24a5
SHA512 a3063b2168164df6fd19cec76c7f07f30c4dae3fa5c00b7efb9c3005edbf564705701adbba575280373c916cf31e6450b246d6046de5ca384897d2751ffc2d4c

memory/1068-16-0x0000000000400000-0x0000000002B1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uto.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/1068-33-0x00000000047E0000-0x000000000484C000-memory.dmp

memory/1068-34-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1068-32-0x0000000000400000-0x0000000002B1D000-memory.dmp

memory/4192-39-0x0000000000400000-0x0000000002AF9000-memory.dmp

memory/4192-55-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4192-67-0x0000000000400000-0x0000000002AF9000-memory.dmp

memory/4376-68-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4376-80-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1080-81-0x0000026042EB0000-0x00000260466E4000-memory.dmp

memory/1080-82-0x0000026061D10000-0x0000026061E1A000-memory.dmp

memory/1080-84-0x0000026048390000-0x000002604839C000-memory.dmp

memory/1080-85-0x0000026048380000-0x0000026048394000-memory.dmp

memory/1080-86-0x00000260483A0000-0x00000260483C4000-memory.dmp

memory/1080-83-0x0000026048360000-0x0000026048370000-memory.dmp

memory/1080-87-0x0000026061FA0000-0x0000026061FAA000-memory.dmp

memory/1080-90-0x0000026062100000-0x0000026062150000-memory.dmp

memory/1080-89-0x0000026062000000-0x00000260620B2000-memory.dmp

memory/1080-91-0x0000026062150000-0x0000026062172000-memory.dmp

memory/1080-88-0x0000026061FC0000-0x0000026061FEA000-memory.dmp

memory/1080-96-0x0000026062180000-0x0000026062480000-memory.dmp

memory/1080-92-0x0000026061FB0000-0x0000026061FBA000-memory.dmp

memory/1080-98-0x0000026066BA0000-0x0000026066BA8000-memory.dmp

memory/1080-101-0x00000260664D0000-0x00000260664D8000-memory.dmp

memory/1080-100-0x00000260664B0000-0x00000260664BE000-memory.dmp

memory/1080-99-0x00000260664E0000-0x0000026066518000-memory.dmp

memory/1080-104-0x00000260676D0000-0x00000260676F2000-memory.dmp

memory/1080-103-0x0000026067670000-0x00000260676D2000-memory.dmp

memory/1080-102-0x0000026067650000-0x000002606765A000-memory.dmp

memory/1080-105-0x0000026067C20000-0x0000026068148000-memory.dmp

memory/1080-108-0x00000260673D0000-0x00000260673DC000-memory.dmp

memory/1080-109-0x00000260674B0000-0x0000026067526000-memory.dmp

memory/1080-110-0x0000026067410000-0x000002606742E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 10:02

Reported

2024-05-09 10:04

Platform

win11-20240426-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe"

Signatures

Detect ZGRat V1

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Stealc

stealer stealc

ZGRat

rat zgrat

Downloads MZ/PE file

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe | N/A |

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A |

Delays execution with timeout.exe

evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5000 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe |
| PID 5000 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe |
| PID 5000 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe |
| PID 5000 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe |
| PID 5000 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe |
| PID 5000 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe |
| PID 4436 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe |
| PID 4436 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe |
| PID 3348 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3348 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3348 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4688 wrote to memory of 3800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4688 wrote to memory of 3800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4688 wrote to memory of 3800 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe

"C:\Users\Admin\AppData\Local\Temp\0cb6c3f4dccf234573e435d852369ed1eafb10099aac83e3ca4f91cc6c9952b0.exe"

C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe"

C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1160

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3348 -ip 3348

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1556

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| FR | 143.244.56.49:443 | download.iolo.net | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |

Files

memory/5000-1-0x0000000002BC0000-0x0000000002CC0000-memory.dmp

memory/5000-2-0x0000000004850000-0x00000000048BC000-memory.dmp

memory/5000-3-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe

MD5 a5a396650cc1831759ee447062d4593a
SHA1 37bd8f9b348b16378ea9023489243b8725addf82
SHA256 a1f50375231c83613bd18aee62fdeccb52c06445d1eebf5fc7293246746f24a5
SHA512 a3063b2168164df6fd19cec76c7f07f30c4dae3fa5c00b7efb9c3005edbf564705701adbba575280373c916cf31e6450b246d6046de5ca384897d2751ffc2d4c

memory/5000-5-0x0000000000400000-0x0000000002B1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/5000-33-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5000-32-0x0000000004850000-0x00000000048BC000-memory.dmp

memory/5000-31-0x0000000000400000-0x0000000002B1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 8b38d8c22ea3fe2d5292bfb01ccc7686
SHA1 67bc8b5222c5b230c6f4040222204e7b740a2521
SHA256 fa7ef8cb1491f65a85f4cf9fdfdf467cd3e70b2b8c5ab849dd408b42d9106bc8
SHA512 847edb0c6df8ae4193497b9231d087a53757b9fbae4aa152079c3751eba6b9ab761aade2fe6d066c0c339bd9dad1ec71d771942fce903a94fafea88a0e4a7440

memory/4436-53-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 5a746a3eb659e858ab300bc18ef3c966
SHA1 4331350d1209200124c0692bf2fb8e09b71da6ef
SHA256 b949d5969694957cb4e8c44530fe15da8e246cd6af2f95f815057d9c5b2ccec0
SHA512 8d6e0f0788df996ae48fbda925d32c23f76e13cbd92b8b39c5c88c897baf49433cb8aac0d67b40f4cbd3961dfb1270cfb03102b50f0cbf27b21e1696d1150ad2

memory/4436-65-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/3104-66-0x00000271E8CD0000-0x00000271EC504000-memory.dmp

memory/3104-67-0x00000271EEE00000-0x00000271EEF0A000-memory.dmp

memory/3104-69-0x00000271EE340000-0x00000271EE34C000-memory.dmp

memory/3104-68-0x00000271EC970000-0x00000271EC980000-memory.dmp

memory/3104-70-0x00000271EE330000-0x00000271EE344000-memory.dmp

memory/3104-71-0x00000271EE3A0000-0x00000271EE3C4000-memory.dmp

memory/3104-72-0x00000271EE3D0000-0x00000271EE3DA000-memory.dmp

memory/3104-73-0x00000271EEBC0000-0x00000271EEBEA000-memory.dmp

memory/3104-74-0x00000271EF060000-0x00000271EF112000-memory.dmp

memory/3104-75-0x00000271EED90000-0x00000271EEDE0000-memory.dmp

memory/3104-76-0x00000271EEC20000-0x00000271EEC42000-memory.dmp

memory/3104-77-0x00000271ECA30000-0x00000271ECA3A000-memory.dmp

memory/3104-81-0x00000271EF110000-0x00000271EF410000-memory.dmp

memory/3104-83-0x00000271EEDE0000-0x00000271EEDE8000-memory.dmp

memory/3104-84-0x00000271F34A0000-0x00000271F34D8000-memory.dmp

memory/3104-85-0x00000271F2DA0000-0x00000271F2DAE000-memory.dmp

memory/3104-86-0x00000271F3470000-0x00000271F3478000-memory.dmp

memory/3104-89-0x00000271F3B70000-0x00000271F3B92000-memory.dmp

memory/3104-87-0x00000271F3520000-0x00000271F352A000-memory.dmp

memory/3104-88-0x00000271F3E00000-0x00000271F3E62000-memory.dmp

memory/3104-90-0x00000271F4390000-0x00000271F48B8000-memory.dmp

memory/3104-93-0x00000271F3B90000-0x00000271F3B9C000-memory.dmp

memory/3104-94-0x00000271F3C70000-0x00000271F3CE6000-memory.dmp

memory/3348-95-0x0000000000400000-0x0000000002AF9000-memory.dmp

memory/3104-96-0x00000271F3BD0000-0x00000271F3BEE000-memory.dmp

memory/3348-98-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3348-110-0x0000000000400000-0x0000000002AF9000-memory.dmp