Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
09-05-2024 13:00
General
-
Target
c697ba11d34c3fcce2efe3d2699c68c933f986b36ccb6b9fb0e9c08fcbcfa7e0.exe
-
Size
382KB
-
MD5
278218d2ac13d2d7134e6e9a0828e4d5
-
SHA1
05066b895c41396d0321bc3a032f2f7c2e1811e3
-
SHA256
c697ba11d34c3fcce2efe3d2699c68c933f986b36ccb6b9fb0e9c08fcbcfa7e0
-
SHA512
f1e41a457c01a6ad0ac00e3a004023429d644b1a9bb193afd277f333f1bd4bd00059e37c6df2565b9c7e8bda3cbe3f713b2d39d04ca0c5ad169788efdb230b7d
-
SSDEEP
6144:1jNHmrGVx/2m1f+eo864r+m4fSw3Axa3Uet46nBeJKts:1jNGexJo8raXfS8Axa35t46nUJKts
Malware Config
Extracted
stealc
http://185.172.128.150
-
url_path
/c698e1bc8a2f5e6d.php
Signatures
-
Detect ZGRat V1 3 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c697ba11d34c3fcce2efe3d2699c68c933f986b36ccb6b9fb0e9c08fcbcfa7e0.exe"C:\Users\Admin\AppData\Local\Temp\c697ba11d34c3fcce2efe3d2699c68c933f986b36ccb6b9fb0e9c08fcbcfa7e0.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uic.0.exe"C:\Users\Admin\AppData\Local\Temp\uic.0.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\uic.1.exe"C:\Users\Admin\AppData\Local\Temp\uic.1.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 11522⤵
- Program crash
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1280,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 660 -ip 6601⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD52b85afc26624a5872fb92ec370db76c6
SHA1865c38761276c01268299800d6aeb265162b6338
SHA2562cb28246ab7021a51820b324ee0e6a89f7db885e380c13d70c9d3cc92161f876
SHA512862f07dba6ed0d8202200b5e36c3b5167e0fc437a93c8feecc8d695dfa1e145df0e48add286914236bc724556e20282700b56dbb5c94c7c2f165a5991a9c0faf
-
Filesize
218KB
MD55246be38e251c182f838adf4ef42ad40
SHA1fe09ba5ee40d4c4897c8f8e3fa819c13b0e324d9
SHA2567dbf762b2ef2b651a4e8c7b7d9b8996a1de0cfa44119452f1d3f29bfe03dfd86
SHA512a3f7c75a2355935d19c733d67aeff3e08f382ae60c1ba45364974ff91ca779ac5e49c40475fe35b8923a130e8670de0311fdf3c03de935312869e9a9a8b21b14
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
444KB
-
Filesize
39.1MB
-
Filesize
432KB
-
Filesize
39.1MB
-
Filesize
444KB
-
Filesize
1024KB
-
Filesize
432KB
-
Filesize
38.9MB
-
Filesize
38.9MB
-
Filesize
38.9MB
-
Filesize
38.9MB
-
Filesize
38.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
40KB
-
Filesize
224KB
-
Filesize
144KB
-
Filesize
48KB
-
Filesize
168KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
3.0MB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
392KB
-
Filesize
136KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
56.2MB