Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-05-2024 09:29
General
-
Target
1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe
-
Size
372KB
-
MD5
08c74ce76561550261137454935bfafe
-
SHA1
77d3e1a72eb918e95dceb6134be6e5d56364afc7
-
SHA256
1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076
-
SHA512
25ab864b2d16913632893a7e8775877860dd864e122f3fa46a64344f6016bfa8cbdb22259bb9fcc0fbf0310a30ed9c9e60812e8c24422ecbeb1f98481bb5e190
-
SSDEEP
6144:CKnC1VEKPHySHREDpdksUZBg7C6vZb/TwZ7LylNK6nhByUSXyYTkJft1:CKnCgaSSxELksMUvlLwZ7LKjJ8kJl1
Malware Config
Extracted
stealc
http://185.172.128.150
-
url_path
/c698e1bc8a2f5e6d.php
Signatures
-
Detect ZGRat V1 3 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe"C:\Users\Admin\AppData\Local\Temp\1aa2463e6b3373a1769dd41d2ed055fa045cd481100a5f06b8e241e6e3241076.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u18c.0.exe"C:\Users\Admin\AppData\Local\Temp\u18c.0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 23603⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\u18c.1.exe"C:\Users\Admin\AppData\Local\Temp\u18c.1.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 11402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1596 -ip 15961⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4188 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:31⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2120 -ip 21201⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
2KB
MD58c495c795c53d741fe959895322be606
SHA145a67386853ba30e37ac1ad62cf7e894f6016ac0
SHA256dedd1144f3fcf89ecd5200790879f72f3a1f32672fff0e415cfe343a7e64d710
SHA5123c65504ce99bfd7aacb19dbfeae532b700987d1afbc93a71dc3b5fe651ab7d53fea5cb8c55ebcb37b4b928030f855af73de07c34e8ee52e095a4a8f2f9b599f5
-
Filesize
3KB
MD5467ee0a0fa395f6400fa0fa13a6ad487
SHA1ba838f6a895ae57a25c03de98e9ceac185ae0caf
SHA25622d550b67d89efe4fe79741252f4bd5c22a985bf17bedead6ae5460dbb839b6a
SHA51299f732824a2f2796760329853f6449363d4a63df7792944ac7d04aa785aa8b5a05d719f88007d337a9323ddf83fe0460763a0691c0b0d8aec420e2fec1ed0510
-
Filesize
230KB
MD5cb0f143b280b0c05a99a0f3e8738b677
SHA11bccf20abd6596cd529764d64de49246478423a5
SHA256d8a59077be36b67679feb9e8f1df536378f2caf9be5e0d8abad95453d8589c79
SHA512a57a0313ecd220540153fad20b96fb8ae61f62cb34fa9c35b4a93df693bf9fc8f55c7e50342603e86ece4ceae68ac86f1cadb61754bd787cf3b32aa085cd867b
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
33.6MB
-
Filesize
33.6MB
-
Filesize
432KB
-
Filesize
444KB
-
Filesize
1024KB
-
Filesize
33.6MB
-
Filesize
444KB
-
Filesize
432KB
-
Filesize
33.5MB
-
Filesize
33.5MB
-
Filesize
972KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
168KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
3.0MB
-
Filesize
32KB
-
Filesize
224KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
392KB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
48KB
-
Filesize
712KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
144KB
-
Filesize
80KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
120KB
-
Filesize
56.2MB