Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad11f5e7b6814512829785896c370416c0f7ce733674c2491cb7ac0dd4dce5cb.exe

  • Size

    382KB

  • MD5

    d53e181c12299c4011d0073b9af8cee2

  • SHA1

    b6e03d6b6a2955e25cd61730820b88c57628bcf7

  • SHA256

    ad11f5e7b6814512829785896c370416c0f7ce733674c2491cb7ac0dd4dce5cb

  • SHA512

    62cfe628434da28ca09c53b829200b6d37ed57279efefd34a6e28614466c159d608326a1635d403c65fd3ae0e6ee69a378f429e115e63c6625aa52462097a4b1

  • SSDEEP

    6144:L0NTKE3CDWHhQgoFZHaJtrzQr792AiXQvdUodm7iKMceJK2o:L0NGMCaXoFdAFzQrJviXq3w7IJK2o

Score
10/10
stealczgratdiscoveryratspywarestealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • Detect ZGRat V1 3 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad11f5e7b6814512829785896c370416c0f7ce733674c2491cb7ac0dd4dce5cb.exe
    "C:\Users\Admin\AppData\Local\Temp\ad11f5e7b6814512829785896c370416c0f7ce733674c2491cb7ac0dd4dce5cb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Users\Admin\AppData\Local\Temp\u26o.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u26o.0.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\u26o.0.exe" & del "C:\ProgramData\*.dll"" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:2084
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1420
        3⤵
        • Program crash
        PID:3128
    • C:\Users\Admin\AppData\Local\Temp\u26o.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u26o.1.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1220
      2⤵
      • Program crash
      PID:4424
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2832 -ip 2832
    1⤵
      PID:4008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4788 -ip 4788
      1⤵
        PID:3200

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
        Filesize

        3KB

        MD5

        a1d6c5deaa9d2a181abb819bf3f2581c

        SHA1

        12e1b2a7642660a19da15194d0ce7d1e3bcfccec

        SHA256

        c614598f33337db386e220aa02ce580ee054844a556bb1f3034f83e6cfe91f18

        SHA512

        00c91ecb1cc2307d0d1ca2e4eece4c2b22c3ad30f3c8e9931748486b775271e4c6df2e9b9393e96bdd72a2a15999911400db1d3f45a52221259a04a62cd76500

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\u26o.0.exe
        Filesize

        240KB

        MD5

        a5a396650cc1831759ee447062d4593a

        SHA1

        37bd8f9b348b16378ea9023489243b8725addf82

        SHA256

        a1f50375231c83613bd18aee62fdeccb52c06445d1eebf5fc7293246746f24a5

        SHA512

        a3063b2168164df6fd19cec76c7f07f30c4dae3fa5c00b7efb9c3005edbf564705701adbba575280373c916cf31e6450b246d6046de5ca384897d2751ffc2d4c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\u26o.1.exe
        Filesize

        4.6MB

        MD5

        397926927bca55be4a77839b1c44de6e

        SHA1

        e10f3434ef3021c399dbba047832f02b3c898dbd

        SHA256

        4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

        SHA512

        cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

        Download Submit

      • memory/2556-52-0x0000000000400000-0x00000000008AD000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2556-78-0x0000000000400000-0x00000000008AD000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2832-2-0x0000000004740000-0x00000000047AC000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2832-1-0x0000000002CA0000-0x0000000002DA0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2832-16-0x0000000000400000-0x0000000002B1D000-memory.dmp

        Filesize

        39.1MB

        Download

      • memory/2832-32-0x0000000000400000-0x000000000046F000-memory.dmp

        Filesize

        444KB

        Download

      • memory/2832-31-0x0000000000400000-0x0000000002B1D000-memory.dmp

        Filesize

        39.1MB

        Download

      • memory/2832-3-0x0000000000400000-0x000000000046F000-memory.dmp

        Filesize

        444KB

        Download

      • memory/4584-96-0x0000018A3F180000-0x0000018A3F188000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4584-89-0x0000018A3A760000-0x0000018A3A782000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4584-108-0x0000018A3FA10000-0x0000018A3FA2E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4584-79-0x0000018A1B490000-0x0000018A1ECC4000-memory.dmp

        Filesize

        56.2MB

        Download

      • memory/4584-80-0x0000018A3A440000-0x0000018A3A54A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4584-83-0x0000018A39140000-0x0000018A39154000-memory.dmp

        Filesize

        80KB

        Download

      • memory/4584-82-0x0000018A39150000-0x0000018A3915C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4584-81-0x0000018A39130000-0x0000018A39140000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4584-84-0x0000018A3A020000-0x0000018A3A044000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4584-85-0x0000018A39110000-0x0000018A3911A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4584-87-0x0000018A3A690000-0x0000018A3A6BA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/4584-86-0x0000018A3A280000-0x0000018A3A332000-memory.dmp

        Filesize

        712KB

        Download

      • memory/4584-88-0x0000018A3A710000-0x0000018A3A760000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4584-107-0x0000018A3FAB0000-0x0000018A3FB26000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4584-90-0x0000018A39120000-0x0000018A3912A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4584-94-0x0000018A3A790000-0x0000018A3AA90000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4584-106-0x0000018A3F9D0000-0x0000018A3F9DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4584-97-0x0000018A3EAC0000-0x0000018A3EAF8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/4584-98-0x0000018A3EA90000-0x0000018A3EA9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4584-99-0x0000018A3EAB0000-0x0000018A3EAB8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4584-100-0x0000018A3FC30000-0x0000018A3FC3A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4584-101-0x0000018A3FC50000-0x0000018A3FCB2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/4584-102-0x0000018A3F9B0000-0x0000018A3F9D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4584-103-0x0000018A401E0000-0x0000018A40708000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4788-53-0x0000000000400000-0x0000000002AF9000-memory.dmp

        Filesize

        39.0MB

        Download

      • memory/4788-75-0x0000000000400000-0x0000000002AF9000-memory.dmp

        Filesize

        39.0MB

        Download

      • memory/4788-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

        Filesize

        972KB

        Download