3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86

General

Target

3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe
Size

21KB
MD5

0157176b3065b4be1d399508c4ff8420
SHA1

cba446af47101c71de0d5bea436ca0efab3edf4c
SHA256

3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86
SHA512

265f9bf2856c3a916dc570f48d8e28d1a37ee0e322a74d10ff61d8f6418aa28760b048a53f3889be2f3d787639809aab7182e4ee08d2c198fecd363ff61a0c89
SSDEEP

384:8Y54I91IeMbDvzKIthWjrKpf/KQuk9aa6p/Y7L+EHO772IjT6D4VX:nO01SDmIth0OpqFk9mpgOEHOX222De

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
948	zgtdcg.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-55-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000a0000000134f2-56.dat	upx
behavioral1/memory/948-58-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000a0000000134f2-59.dat	upx
behavioral1/memory/948-63-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1116	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
948	zgtdcg.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	zgtdcg.exe
File opened (read-only)	\??\P:	zgtdcg.exe
File opened (read-only)	\??\R:	zgtdcg.exe
File opened (read-only)	\??\U:	zgtdcg.exe
File opened (read-only)	\??\Y:	zgtdcg.exe
File opened (read-only)	\??\Z:	zgtdcg.exe
File opened (read-only)	\??\G:	zgtdcg.exe
File opened (read-only)	\??\I:	zgtdcg.exe
File opened (read-only)	\??\K:	zgtdcg.exe
File opened (read-only)	\??\N:	zgtdcg.exe
File opened (read-only)	\??\Q:	zgtdcg.exe
File opened (read-only)	\??\S:	zgtdcg.exe
File opened (read-only)	\??\H:	zgtdcg.exe
File opened (read-only)	\??\L:	zgtdcg.exe
File opened (read-only)	\??\T:	zgtdcg.exe
File opened (read-only)	\??\V:	zgtdcg.exe
File opened (read-only)	\??\J:	zgtdcg.exe
File opened (read-only)	\??\F:	zgtdcg.exe
File opened (read-only)	\??\M:	zgtdcg.exe
File opened (read-only)	\??\W:	zgtdcg.exe
File opened (read-only)	\??\X:	zgtdcg.exe
File opened (read-only)	\??\E:	zgtdcg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hra33.dll	zgtdcg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lpk.dll	zgtdcg.exe
File opened for modification	C:\Program Files\7-Zip\lpk.dll	zgtdcg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\zgtdcg.exe	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe
File opened for modification	C:\Windows\zgtdcg.exe	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe
Token: SeIncBasePriorityPrivilege	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1116	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe	29
PID 1512 wrote to memory of 1116	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe	29
PID 1512 wrote to memory of 1116	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe	29
PID 1512 wrote to memory of 1116	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe	29
PID 1512 wrote to memory of 1920	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe	31
PID 1512 wrote to memory of 1920	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe	31
PID 1512 wrote to memory of 1920	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe	31
PID 1512 wrote to memory of 1920	1512	3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe	31

C:\Users\Admin\AppData\Local\Temp\3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe
"C:\Users\Admin\AppData\Local\Temp\3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3376D7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3376D7~1.EXE > nul
  2⤵
  PID:1920

C:\Windows\zgtdcg.exe
C:\Windows\zgtdcg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\zgtdcg.exe

Filesize
21KB

MD5
0157176b3065b4be1d399508c4ff8420

SHA1
cba446af47101c71de0d5bea436ca0efab3edf4c

SHA256
3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86

SHA512
265f9bf2856c3a916dc570f48d8e28d1a37ee0e322a74d10ff61d8f6418aa28760b048a53f3889be2f3d787639809aab7182e4ee08d2c198fecd363ff61a0c89

Download Submit
C:\Windows\zgtdcg.exe

Filesize
21KB

MD5
0157176b3065b4be1d399508c4ff8420

SHA1
cba446af47101c71de0d5bea436ca0efab3edf4c

SHA256
3376d75dcf8564ea016149be0dbe36c639d3cbf775d07c2e3f902ff299063b86

SHA512
265f9bf2856c3a916dc570f48d8e28d1a37ee0e322a74d10ff61d8f6418aa28760b048a53f3889be2f3d787639809aab7182e4ee08d2c198fecd363ff61a0c89

Download Submit
\Windows\SysWOW64\hra33.dll

Filesize
30KB

MD5
0828816d7c500e5ab1e41d7246fbd684

SHA1
05cfd488f6346d23df2397e65cea7171a646be34

SHA256
eb54982d1b2cefef58948e8fd3686984a2332e01c770d90cb38b5f9d87d008e0

SHA512
fd9db99f460921ed858dca69c02a54e6f2d111d9e29ed1667340b58416827b1ad506faa38d00b299d61a8ca86896a6b107a95d56bca529a474738b897b6300e5

Download Submit
memory/948-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/948-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1512-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1512-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing