Analysis Overview
| SHA256 | 816640f101b9440dc8892bf84720ac50afe8fe11888574fa8b81af8caae19aa7 |
Threat Level: Known bad
The file b6495a9c6a890740db6f41bf37af8427.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
SmokeLoader
ZGRat
Smokeloader family
RedLine
RedLine payload
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2023-12-18 21:43 |
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2023-12-18 21:43 |
| Reported | 2023-12-18 21:46 |
| Platform | win7-20231215-en |
| Max time kernel | 29s |
| Max time network | 68s |
| Command Line | |
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7214.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82E7.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1068 wrote to memory of 2740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7214.exe |
| PID 1068 wrote to memory of 2740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7214.exe |
| PID 1068 wrote to memory of 2740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7214.exe |
| PID 1068 wrote to memory of 2740 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7214.exe |
| PID 1068 wrote to memory of 2688 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82E7.exe |
| PID 1068 wrote to memory of 2688 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82E7.exe |
| PID 1068 wrote to memory of 2688 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82E7.exe |
| PID 1068 wrote to memory of 2688 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82E7.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | "C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe" |
| C:\Users\Admin\AppData\Local\Temp\7214.exe | C:\Users\Admin\AppData\Local\Temp\7214.exe |
| C:\Users\Admin\AppData\Local\Temp\82E7.exe | C:\Users\Admin\AppData\Local\Temp\82E7.exe |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe" |
| C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe |
| C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-4C4DC.tmp\tuc3.tmp | "C:\Users\Admin\AppData\Local\Temp\is-4C4DC.tmp\tuc3.tmp" /SL5="$30192,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Users\Admin\AppData\Local\Temp\tuc3.exe | "C:\Users\Admin\AppData\Local\Temp\tuc3.exe" |
| C:\Windows\system32\makecab.exe | "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231218214423.log C:\Windows\Logs\CBS\CbsPersist_20231218214423.cab |
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.77:80 | api.ipify.org | tcp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
Files
memory/1732-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1068-1-0x0000000002DA0000-0x0000000002DB6000-memory.dmp
memory/1732-2-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7214.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/2740-14-0x0000000000200000-0x0000000000252000-memory.dmp
memory/2740-19-0x0000000074920000-0x000000007500E000-memory.dmp
memory/2740-20-0x0000000004EC0000-0x0000000004F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\82E7.exe
| MD5 | b7adb2d9dd7d210ab9e095d0bea22afa |
| SHA1 | b8424ce4817117bd2030f3d6fe6b6365821447da |
| SHA256 | 2188db29d9de04f5184f24329080cd6a2a06c1179fb2e5921b20ec237fb51b64 |
| SHA512 | 4172e3dae37b1bf3d791efef6e53633daca838c4344f74227a996241dd404d4cd2b8f26c4e4fee0d77c82b5dd29cc15abbb2a2fded5fbc4b518b13d170d179cf |
C:\Users\Admin\AppData\Local\Temp\82E7.exe
| MD5 | b7cb717d4c784906f0e4474da06bd22c |
| SHA1 | c364e88016b395e0619672494ba31c8031be1302 |
| SHA256 | 5d3c518aee5598b752004a729671a1b052129f80570d4d8268767fa32018e9ee |
| SHA512 | 8746fb1359b745fc82ae7fef1b5c47704cad698a0ed89caba53f0620523a16414df751042b3a4e3e30243a43cb2e680b1a92ad07b0b2a022073e3e2cfe7447a5 |
memory/2688-27-0x0000000074920000-0x000000007500E000-memory.dmp
memory/2688-28-0x0000000000B00000-0x00000000018F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 75af3a3b1cfaae063b7f32d4639b2b3f |
| SHA1 | 5874cf182aa1143a238e0301c86929f9c398c714 |
| SHA256 | 6758a5fa5ea739cc64fb38c583aa2d1b0e034061fb94bc4a09460c22bbb90ad6 |
| SHA512 | 99b9474fe4309f510e99cb67c4ddbb553cfdc7ec858d3d9e8b20697f794fb541248bb5b730d125a335ceda888afdf3a8335b9153c451074d2fd27f0138269d15 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
| SHA512 | 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56 |
\Users\Admin\AppData\Local\Temp\nsy840F.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 924e868f1abb2b14cb69c26700782a41 |
| SHA1 | d4a4cb00d4260635a758a9a33d1cd5d6c18d25da |
| SHA256 | f1aaef54cc87829bce1139097d8507aa11943c5f0ad8f158d9e633fcc4be16f7 |
| SHA512 | 26e7cc196f9e5fc809757d4b1af7776d661b3d12a915ff921d6a134f2f804355b0259f26e7ed1bdc4624908b01c08a81019f781a00c6eca9ba31433f45b535a1 |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | bdc1657a837ea51e5c0d61f002806b19 |
| SHA1 | f62395f543e541dfb6624c22802fd69401b969a6 |
| SHA256 | f44a9b30cad3dbad881d92a77674001c3b26fa53e54fdcc0342dd3bce57bdaff |
| SHA512 | f8e231c9c9f8764a0d106088cf7fc91c6696d175cc9ec8c9315ac8dcafda3c31cd98a64fe279ea46c76a327497af10ecd98c8162dcd51c699e9fae73e4de3e78 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 17cf5014cce2072440efc10994bfb5a0 |
| SHA1 | 30781a829aa089dbee1bec24a17d1944d5fb32d0 |
| SHA256 | 99d87b64a9c0ae6e0e365200545157deac69c6e5cbc699afa6b4e690d6ce3cb2 |
| SHA512 | 8951941a0fb0b6b8e8322b4839b6090b48d6f16a9f952078b248a2281152f3f21ac3a06e05160a65acc241f8cfb24ad38cbff92816258711721f9127c4853af7 |
memory/2880-61-0x0000000002600000-0x00000000029F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | aa954867d3496af19454c6dff3ec264c |
| SHA1 | 22af3c1b56141a08e4be16908df46c41c875ae01 |
| SHA256 | 124f44e6c2ff0fe9170e867712ee2f199c0cdef08299f0d4762f2d9cf2a52995 |
| SHA512 | 5e448b9306910bffec05d99721dc45713debe2bb6d91569b39271d534124478710397752feac1af2d30bacf0451b689ee95abfd4d3d559587785e44a774cf780 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 883c896896a318945411d14639d42f67 |
| SHA1 | 1668fa1bb3f57aaf9997550d347e98b8e2488837 |
| SHA256 | fc23ddc27029813b25b8ed5cb27629870737e347ac0735dcf99008b1448c8393 |
| SHA512 | a2f8d119a7693994e389aba4956d0592757d083d851bfba7cac7d7b916d48143d7ef0024675191844f3501d4dacd3d4aaac9a478a19fafc97b5d9c8eb6b19721 |
\Users\Admin\AppData\Local\Temp\nsy840F.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 8fd8220395e46fdc821f50dd580edd62 |
| SHA1 | 23999287941e9911c01b11c4586d2a78d3aaedb5 |
| SHA256 | 73d1480f6c6738cffddcbb906357dd8630a198508f9a54b19e03a60414127194 |
| SHA512 | d9e325f1dc963bf6bef796d9f7f3f31984f01638e2ff74a5fdb47a5988dc5b7145d7d5108f4155eb861d1b9ee8a4e5473da9e2f697ef4b2e52b027c872e5b8f4 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 4cc67d701332f4073eef6b14e10aca34 |
| SHA1 | 09142752bab88528c78041835d5b3abb9d187f02 |
| SHA256 | 6cb6be78220ea7ebe0941fb8e3b746e908562a97d0b2a9db8af5281cc7e80fe9 |
| SHA512 | dd53b3d8efcf929bbd6d5b6e068ae3fd9d9aebe3ec175620347f6bd2fe20c29cedc8c93c04555b9fabdb1c603fef82a8f37e018787060f18c2bde33adb58adf2 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | de41391fdc8881b555ea47c1d45c6967 |
| SHA1 | 8852d9e04d70369a68814cf0d32ceb84989bae49 |
| SHA256 | 8a439286edd10f413fa6e2aded42e41a26f4c90567bb7506fe5749464ec7a487 |
| SHA512 | 54d2217fb08dba08b9edc6a0e8e751283ad94b68b8a556764e494e6823b8d0056f178c5db23a8fb284af95a38b3d9246c1e2752de9e5aed28e55b1019c9c43bc |
memory/2880-76-0x0000000002600000-0x00000000029F8000-memory.dmp
memory/3036-79-0x00000000003A0000-0x00000000003A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 2c88363923fcbcc8bd0b769cd8d51310 |
| SHA1 | ca232fc3af1c03a908cf9cc63b092f9bca2122bf |
| SHA256 | 05dd63b27edbf347f9a0b2a50742fc0bda38d2df94d56aaa4782841619a15ccc |
| SHA512 | 627972a348ed7870b52dfac62c41c2f16c409fd1656873ce23c57a2c7c8a881b0a7a4b7185750c6b094b26299f638188ee2a375e8fa84c0c6c0224c59bfcd8f2 |
memory/2688-91-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1636-92-0x0000000000400000-0x0000000000409000-memory.dmp
memory/856-89-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 6945c5c2f8ee59e2f4bf2b31431867f0 |
| SHA1 | 8e6cdac42aa6fffc3f22cc9f74b0fe04db8c5605 |
| SHA256 | 0e5046291d31af1020e62cd61ebf6a7dbb52c890d733c11c54b5eef6f5271ea9 |
| SHA512 | 0a2c8477e33b2a95908b23b0f3b1e59ce18405693c76e0c96996160b0af7b84a943314c286b961268303f1355da4e9f3d422b0e426a69d609ac7fc0ebaed8311 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 06e776038e63406e82f42668326b6862 |
| SHA1 | c480d27594660803050933d6944297e65c5bab03 |
| SHA256 | dd323f84e9ca41accce2ba41dbcc686d2996367839d0dfa07bedee09e85b1b07 |
| SHA512 | e30153a0b8866ea53dbdc977fad4c1487e3297c4abd9349cc971fced977f2f1a93c158289a187c7f160fb408a737e06b138932a5c342b4e5802a2f624cea17ad |
memory/2880-95-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-4C4DC.tmp\tuc3.tmp
| MD5 | 81d00652e9352de3509e297d8d709550 |
| SHA1 | a47414777cd62c8b8e55e66812130602261e1538 |
| SHA256 | fbf1fcf95ad72dfbebd18fdaae127bed7cdf198da97066de44bdde67d136f6f7 |
| SHA512 | 4fd08212a0f29b56302f80bffcf9c3bd4a45c6edc7272b0c149019460f713574194d2c60179bce2512d3ce62343ecf43a04b8e1589e46ae96c6ad0ed817cc6b3 |
\Users\Admin\AppData\Local\Temp\is-I350R.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-I350R.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-I350R.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
memory/1912-104-0x0000000000240000-0x0000000000241000-memory.dmp
\??\c:\users\admin\appdata\local\temp\is-4c4dc.tmp\tuc3.tmp
| MD5 | 52dd9ae16a082b91a87c49b0d11f6b23 |
| SHA1 | 98aec1ef3c24afe9ce3860df658715db50ed3c1a |
| SHA256 | 14a4aba613a33bf7867634d807d4aeaf7b6e956f6f44ec9ad0b94b4060456118 |
| SHA512 | be4158513da779850855202356e4c6fef986c854549a0527671d58e1ab290d16a17644693f58a28b1753696611d027cf2de6ed92fdda3dc9ee3b4905dd659a77 |
C:\Users\Admin\AppData\Local\Temp\is-4C4DC.tmp\tuc3.tmp
| MD5 | 50dda1eee45a83bdfabda3819fa92dc9 |
| SHA1 | 0afb18b5162f1aa60fe73479910362268d1a38e9 |
| SHA256 | 688c28718a637c28f9283a62c32b96cb94377f9cdcf2ef294cbe1388f5a64806 |
| SHA512 | b32c4f6d5246a89abf40e05e4d44debb124750f076bc2a96696766c99b86b45a92744354286a1f7253841ab76c8e736162c2d583422a7ebe8ad61618d67cb969 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 558e3a9e5fe2b7b30c722095672292b9 |
| SHA1 | e8ed08278fb40de985ee6b0cbbed606d0a1f6b38 |
| SHA256 | 97964cb442a8450825d046232b89c59fac71fc8765f0fd314e79fcd8bd087810 |
| SHA512 | 6ef9f9ffc62a4d6a6a4430a485a96792deb2b47f74a8fe04f11074497f065802c5ae91cb82ed3e671433d46c6b649c0a351201bfd3086c2384ac3362f71c58b5 |
memory/2880-80-0x0000000002A00000-0x00000000032EB000-memory.dmp
memory/1636-84-0x0000000000400000-0x0000000000409000-memory.dmp
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | b98b6b8a9f883ff433f6d6e21f0fad52 |
| SHA1 | 48040db14e2403d7a0a80c52dfbf5ce98f7aab6c |
| SHA256 | ad7fa0062d5f8b057714e505ac06bf31348545bae8a5d06fdb78e16e86cb42ee |
| SHA512 | d892d893284524125767b732fe5bd8e8d17bb862fad0f01a8585a5376641f8698ff1b606eaef4bb45825bb319ece9d4c20000f62a9a6017b5a001cfbcfe35038 |
memory/1636-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3036-77-0x0000000000230000-0x0000000000330000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2023-12-18 21:43 |
| Reported | 2023-12-18 21:46 |
| Platform | win10v2004-20231215-en |
| Max time kernel | 46s |
| Max time network | 85s |
| Command Line | |
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50CB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63E6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9008.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3520 wrote to memory of 404 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50CB.exe |
| PID 3520 wrote to memory of 404 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50CB.exe |
| PID 3520 wrote to memory of 404 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50CB.exe |
| PID 3520 wrote to memory of 1596 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63E6.exe |
| PID 3520 wrote to memory of 1596 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63E6.exe |
| PID 3520 wrote to memory of 1596 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63E6.exe |
| PID 3520 wrote to memory of 3912 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9008.exe |
| PID 3520 wrote to memory of 3912 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9008.exe |
| PID 3520 wrote to memory of 3912 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9008.exe |
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe | "C:\Users\Admin\AppData\Local\Temp\b6495a9c6a890740db6f41bf37af8427.exe" |
| C:\Users\Admin\AppData\Local\Temp\50CB.exe | C:\Users\Admin\AppData\Local\Temp\50CB.exe |
| C:\Users\Admin\AppData\Local\Temp\63E6.exe | C:\Users\Admin\AppData\Local\Temp\63E6.exe |
| C:\Users\Admin\AppData\Local\Temp\9008.exe | C:\Users\Admin\AppData\Local\Temp\9008.exe |
| C:\Users\Admin\AppData\Local\Temp\98D3.exe | C:\Users\Admin\AppData\Local\Temp\98D3.exe |
| C:\Windows\SYSTEM32\cmd.exe | cmd.exe /c install.bat |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 3.5.29.234:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.29.5.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
Files
memory/388-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/388-3-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3520-1-0x0000000002E10000-0x0000000002E26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\50CB.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/404-12-0x0000000000FE0000-0x0000000001032000-memory.dmp
memory/404-17-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/404-18-0x0000000005C10000-0x00000000061B4000-memory.dmp
memory/404-19-0x0000000005700000-0x0000000005792000-memory.dmp
memory/404-20-0x0000000005990000-0x00000000059A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\63E6.exe
| MD5 | b778158238cdb356a7c824beed2664cd |
| SHA1 | 9ad751830075e8a3ac5e853ef44ca93c109c4c42 |
| SHA256 | a23553baba26deb2aee37c3ec599b22909e798c0a410bc9f0f98542e6fad969c |
| SHA512 | 6727fc0837f20b5c601dd51e8470d857bc76589d2f772fc38819b243a641631baf93442f06b28c426079afd457921c709f82ecca5d3dfa2cbbd175a64fa7aab3 |
C:\Users\Admin\AppData\Local\Temp\63E6.exe
| MD5 | 184a2aec7d833f38cf5cb84db4cc8e9c |
| SHA1 | bba50c0fe181fa4cea697e22c9e2353c028711b0 |
| SHA256 | 0867c2792002d0a1e9eb0632ba53c9492f38433db7e8842ce59eba10e76ec57d |
| SHA512 | 15c85bcc733f88b2806bcd70129d951b8bc45c00c3866138d7385538d6d8e91fd914c1402b68eff90a9c53b9fa8cc5b437e706bd0dc1cb42d2900763f0825349 |
memory/1596-25-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/404-26-0x0000000005890000-0x000000000589A000-memory.dmp
memory/1596-27-0x0000000000210000-0x00000000006AE000-memory.dmp
memory/1596-28-0x0000000005160000-0x00000000051FC000-memory.dmp
memory/404-29-0x0000000006CE0000-0x00000000072F8000-memory.dmp
memory/1596-30-0x0000000005330000-0x0000000005340000-memory.dmp
memory/404-31-0x0000000008560000-0x000000000866A000-memory.dmp
memory/404-32-0x0000000006B10000-0x0000000006B22000-memory.dmp
memory/404-33-0x0000000006B70000-0x0000000006BAC000-memory.dmp
memory/404-34-0x0000000006BC0000-0x0000000006C0C000-memory.dmp
memory/404-36-0x00000000091A0000-0x0000000009206000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9008.exe
| MD5 | ca21455eb583d8d3a099950b679083b8 |
| SHA1 | a5e0c9847660ca038dcac9b999dc3183ee3b8a62 |
| SHA256 | 9cb36dc35b07b07b322f31eeb73de0c6d47ebca50313582c2314df3a187f2cbe |
| SHA512 | 8f39dba121c02aea8cf10abb41b62fa7f9fc7b44436d783c820681ad44fe32e60714c952c2e72927a8d815ee7b9e5f05fbb6ed9cdbb7ad796eb12bf620e585d9 |
C:\Users\Admin\AppData\Local\Temp\9008.exe
| MD5 | c2aede0ca02d53b357a44e36c88cff41 |
| SHA1 | 3d85c162138dc37685a8fabd9775631463a876e2 |
| SHA256 | ff1b9dc4127ca36f675fbcdc5ddef34aca9741cf83cbfe510b2606ef20e9ab2c |
| SHA512 | 45dc994f430ecf1364b6aaba94d1a24b8b341618d6279d9c1259fb1a3c532d1a3dd3557ae69553817fdc0077a7910290b1c8cb4d05b8192d6634afa3328238a5 |
memory/3912-41-0x00000000747A0000-0x0000000074F50000-memory.dmp
memory/1596-42-0x0000000005BC0000-0x0000000005D88000-memory.dmp
memory/3912-43-0x0000000000130000-0x0000000000F22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\98D3.exe
| MD5 | dc6fbf2cd9ad1f1f0ac200e9bec7ea3f |
| SHA1 | c3af9d82d270829784339331dea63f927400e0d4 |
| SHA256 | 2337b4b50924227e6f8772d9ce4b4bdbe6b8cfff15f493ea977e7c1280ad8590 |
| SHA512 | 39307ae10cd7db4ff6da65090bf86af362955c25793dcf60cff65892aa759d3befc1180ee9039f5611f2d8393848a4f265dd34dd690161488b99c2a30b4aae2f |
memory/404-51-0x0000000005990000-0x00000000059A0000-memory.dmp
memory/1596-50-0x0000000006D90000-0x0000000006F22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 40692d84079c65f1a27f012dccdb8072 |
| SHA1 | 4b91929b58bb592a93ad13aded5a463543a0966e |
| SHA256 | 9d09bb8ad9e4be89a80cc6460c03671a2cb1f716cea6e632b50d5dcd4338af94 |
| SHA512 | bb673a97450c2598ad78edb6cd371b38cb11487984a81636b3f82c85491ecc046ce984a370a581c70148792c21e85946c45a3a96adb86309d9a9fb355da18a5f |