Overview
Overview: score 3
Static: score 3
AForge.Imaging.dll (windows7-x64): score 1
AForge.Imaging.dll (windows10-2004-x64): score 1
AForge.Math.dll (windows7-x64): score 1
AForge.Math.dll (windows10-2004-x64): score 1
AForge.dll (windows7-x64): score 1
AForge.dll (windows10-2004-x64): score 1
Cloo.dll (windows7-x64): score 1
Cloo.dll (windows10-2004-x64): score 1
GarticBot.exe (windows7-x64): score 1
GarticBot.exe (windows10-2004-x64): score 1
GarticBot.exe (windows7-x64): score 3
GarticBot.exe (windows10-2004-x64): score 1
Newtonsoft.Json.dll (windows7-x64): score 1
Newtonsoft.Json.dll (windows10-2004-x64): score 1
OpenCLTemplate.dll (windows7-x64): score 1
OpenCLTemplate.dll (windows10-2004-x64): score 1
ref/GarticBot.exe (windows7-x64): score 1
ref/GarticBot.exe (windows10-2004-x64): score 1
Analysis
Max time kernel: 118s
Max time network: 126s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 28-07-2024 14:33
Static task: static1
Behavioral tasks:
behavioral1: AForge.Imaging.dll, resource win7-20240704-en
behavioral2: AForge.Imaging.dll, resource win10v2004-20240704-en
behavioral3: AForge.Math.dll, resource win7-20240705-en
behavioral4: AForge.Math.dll, resource win10v2004-20240709-en
behavioral5: AForge.dll, resource win7-20240708-en
behavioral6: AForge.dll, resource win10v2004-20240709-en
behavioral7: Cloo.dll, resource win7-20240705-en
behavioral8: Cloo.dll, resource win10v2004-20240709-en
behavioral9: GarticBot.exe, resource win7-20240704-en
behavioral10: GarticBot.exe, resource win10v2004-20240709-en
behavioral11: GarticBot.exe, resource win7-20240704-en
behavioral12: GarticBot.exe, resource win10v2004-20240709-en
behavioral13: Newtonsoft.Json.dll, resource win7-20240705-en
behavioral14: Newtonsoft.Json.dll, resource win10v2004-20240709-en
behavioral15: OpenCLTemplate.dll, resource win7-20240705-en
behavioral16: OpenCLTemplate.dll, resource win10v2004-20240709-en
behavioral17: ref/GarticBot.exe, resource win7-20240705-en
behavioral18: ref/GarticBot.exe, resource win10v2004-20240709-en
General
Target: GarticBot.exe
Size: 409KB
MD5: dd47a02229a1503ac5416052ebbb4dd8
SHA1: f5ca83bab956e83e7d62b274c125ddc96f77a754
SHA256: 1835d736ddc64b06ef16006dd153984fb734bcd9562f2b2a40297c14fede1c1c
SHA512: 8a06c4314e4932640c76aa780082a7e1da8f928c625fd88fc28920183d09d343866300d7a07c62f0711b53ea9ca51d8c9e974e745283974213eca437822affd6
SSDEEP: 6144:1+oAJEJcy0owirZZEx1Vvu4sqWeQDkpAXtPlHLOL8CcJ20RmZQ33b:1vDwogV6qrQwpM9lHa4jwZQH
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: IEXPLORE.EXE
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
System Time Discovery (1 TTPs, 1 IoCs)
Adversary may gather the system time and/or time zone settings from a local or remote system.
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: iexplore.exe (PID 2400)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: iexplore.exe (PID 2400), iexplore.exe (PID 2400), IEXPLORE.EXE (PID 2084), IEXPLORE.EXE (PID 2084)
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: GarticBot.exe, iexplore.exe
PID 332 (GarticBot.exe) wrote to memory of PID 2400 (iexplore.exe)
PID 332 (GarticBot.exe) wrote to memory of PID 2400 (iexplore.exe)
PID 332 (GarticBot.exe) wrote to memory of PID 2400 (iexplore.exe)
PID 2400 (iexplore.exe) wrote to memory of PID 2084 (IEXPLORE.EXE)
PID 2400 (iexplore.exe) wrote to memory of PID 2084 (IEXPLORE.EXE)
PID 2400 (iexplore.exe) wrote to memory of PID 2084 (IEXPLORE.EXE)
PID 2400 (iexplore.exe) wrote to memory of PID 2084 (IEXPLORE.EXE)
Processes
1. C:\Users\Admin\AppData\Local\Temp\GarticBot.exe (PID 332)
   Command line: "C:\Users\Admin\AppData\Local\Temp\GarticBot.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\iexplore.exe (PID 2400)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.0-rc.1.21451.13&gui=true
      - System Time Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2084)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2400 CREDAT:275457 /prefetch:2
         - System Location Discovery: System Language Discovery
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads