Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2024 15:07
Behavioral task
- behavioral1
  - Sample: 1.exe
  - Resource: win7-20240508-en
  - 6 signatures
  - 150 seconds
General
- Target: 1.exe
- Size: 725KB
- MD5: a52ce5b525413f39401a3416dd8e2de2
- SHA1: 148e4b6b2b2904d736fc9442ff1f6309edc40023
- SHA256: 94c8fb631f919bd52d1d4341311325510d33aee6e976a75c940a38d88a4b7757
- SHA512: 52616053550e5f26a62d1260a850e8bfbf10e9484ba776b2b808040021e0d944b23e77e64273bd7485eb9662fe057ea41a369a873e7b2f0e90b62daf1b5ac88b
- SSDEEP: 12288:O+O4diU6/GC4sVniwgco34nYN/MghT4rxj+TTM45P0coq/ZrUGv1L:O+seunM4Y9feBB9q+G
Malware Config
Signatures
- Detect ZGRat V1 (1 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2428-1-0x0000000000840000-0x00000000008FC000-memory.dmp   family_zgrat_v1
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 1.exe
  description                           pid    process   target process
  PID 2428 set thread context of 2068   2428   1.exe     AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 1.exe
  pid    process
  2428   1.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 1.exe
  description                pid    process
  Token: SeDebugPrivilege    2428   1.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 1.exe
  description                           pid    process   target process
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
  PID 2428 wrote to memory of 2068      2428   1.exe     AddInProcess32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (depth 2)
    Command line: #cmd
Network
MITRE ATT&CK Matrix
Downloads
memory dump                                                         Filesize
memory/2068-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp     4KB
memory/2068-11-0x0000000000400000-0x0000000000458000-memory.dmp     352KB
memory/2068-5-0x0000000000400000-0x0000000000458000-memory.dmp      352KB
memory/2068-7-0x0000000000400000-0x0000000000458000-memory.dmp      352KB
memory/2068-9-0x0000000000400000-0x0000000000458000-memory.dmp      352KB
memory/2068-13-0x0000000000400000-0x0000000000458000-memory.dmp     352KB
memory/2068-19-0x0000000000400000-0x0000000000458000-memory.dmp     352KB
memory/2068-17-0x0000000000400000-0x0000000000458000-memory.dmp     352KB
memory/2068-20-0x0000000000401000-0x000000000043D000-memory.dmp     240KB
memory/2428-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp      4KB
memory/2428-1-0x0000000000840000-0x00000000008FC000-memory.dmp      752KB
memory/2428-4-0x0000000004160000-0x00000000041B4000-memory.dmp      336KB
memory/2428-3-0x0000000073EB0000-0x000000007459E000-memory.dmp      6.9MB
memory/2428-2-0x0000000073EB0000-0x000000007459E000-memory.dmp      6.9MB
memory/2428-21-0x0000000073EB0000-0x000000007459E000-memory.dmp     6.9MB