Analysis
- max time kernel: 25s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-12-2023 23:59
- Static task: static1
- Behavioral task: behavioral1
  Sample: 07d0c0de71b135af74f710585f13aa33.exe
  Resource: win7-20231215-en
General
- Target: 07d0c0de71b135af74f710585f13aa33.exe
- Size: 659KB
- MD5: 07d0c0de71b135af74f710585f13aa33
- SHA1: 33c94cc78d9c48c04bda301c6d24069ddab11c63
- SHA256: d977d80c3735df4761faf5e37f8f4874b36d2c1d6aaa731f4e37b36c813e5754
- SHA512: 326fc2a1a015c9d45cb271d86d3d6e738c33f93ad38aa462aad9ea8d7de8a0a052fb53327fd8dd73013b51d079f1c9248930e07cdfb01b80eb3595372a6419b5
- SSDEEP: 12288:0hIG3Kl8pyP6f+SJ41gVbOmV8NXelO7eA82U:qX3M36XJ4+0wtH2U
Malware Config
Extracted
- family: quasar
- version: 1.4.0
- Office04w
- societyf500.ddns.net:5490
- f4264bdc-b486-4a30-a042-2bcfb907b3c7
- encryption_key: 0204DFA093E27B72F1617CCEA6076BCCE5D0A482
- install_name: dwmq.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: dwmq
- subdirectory: explorer
Signatures
- Detect ZGRat V1 (34 IoCs)
- Quasar payload (1 IoC)
  resource: behavioral2/memory/432-2246-0x0000000000400000-0x0000000000484000-memory.dmp
  yara_rule: family_quasar
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVA = "\"C:\\Users\\Admin\\AppData\\Local\\NVA.exe\""
  Process: 07d0c0de71b135af74f710585f13aa33.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 4976
  Process: 07d0c0de71b135af74f710585f13aa33.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\07d0c0de71b135af74f710585f13aa33.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\07d0c0de71b135af74f710585f13aa33.exe"
  PID: 4976
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - child process: C:\Users\Admin\AppData\Local\Temp\07d0c0de71b135af74f710585f13aa33.exe
    command line: C:\Users\Admin\AppData\Local\Temp\07d0c0de71b135af74f710585f13aa33.exe
    PID: 432
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\07d0c0de71b135af74f710585f13aa33.exe.log
  Filesize: 1KB
  MD5: b5291f3dcf2c13784e09a057f2e43d13
  SHA1: fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e
  SHA256: ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce
  SHA512: 11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4