Analysis
max time kernel: 124s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 29-12-2023 23:37
Static task: static1
Behavioral task: behavioral1
Sample: 0727ab0b9ded99f5dedfd6203f574111.exe
Resource: win7-20231129-en
General
Target: 0727ab0b9ded99f5dedfd6203f574111.exe
Size: 2.1MB
MD5: 0727ab0b9ded99f5dedfd6203f574111
SHA1: 58eb40d2c4ca79af5e5b6df1f1c441843f8c5b8c
SHA256: 4592c4585d662c266a84016c91bd6cea368c51d467a985a22cb14f71f3f5d5c7
SHA512: e38e963246d0ff0842ae9c0a13454699bfb094e57681a3d1de543d279dd0b61f933aa6caf44eff57a20bf8dd8a0afe7ee38da53c074db076329c99b2fd01451d
SSDEEP: 49152:A2sffjuMZX0CoAMSe3JTimD/Ymv+gdCrmbBI05ik4G3nvHBFtST:A2szuUF/e3JTVzN+gkKbik4OTs
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
resource yara_rule
behavioral1/memory/2332-7-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-45-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-69-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-67-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-65-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-63-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-61-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-59-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-57-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-55-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-53-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-51-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-49-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-47-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-43-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-41-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-39-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-37-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-35-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-33-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-31-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-29-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-27-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-25-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-23-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-21-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-19-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-17-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-15-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-13-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-11-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-9-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-6-0x0000000000940000-0x00000000009B6000-memory.dmp family_zgrat_v1
behavioral1/memory/2332-5-0x0000000000940000-0x00000000009BC000-memory.dmp family_zgrat_v1
Drops startup file 1 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url wscript.exe
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 2332 set thread context of 2208 2332 0727ab0b9ded99f5dedfd6203f574111.exe 28
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2332 0727ab0b9ded99f5dedfd6203f574111.exe (2 identical entries)
2208 0727ab0b9ded99f5dedfd6203f574111.exe (62 identical entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 2332 0727ab0b9ded99f5dedfd6203f574111.exe
Token: SeDebugPrivilege 2208 0727ab0b9ded99f5dedfd6203f574111.exe
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target
PID 2332 wrote to memory of 2208 2332 0727ab0b9ded99f5dedfd6203f574111.exe 28 (10 identical entries)
PID 2208 wrote to memory of 1604 2208 0727ab0b9ded99f5dedfd6203f574111.exe 32 (4 identical entries)
PID 1604 wrote to memory of 2068 1604 cmd.exe 34 (4 identical entries)
PID 2208 wrote to memory of 1836 2208 0727ab0b9ded99f5dedfd6203f574111.exe 35 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0727ab0b9ded99f5dedfd6203f574111.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0727ab0b9ded99f5dedfd6203f574111.exe"
  PID: 2332
  signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0727ab0b9ded99f5dedfd6203f574111.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\0727ab0b9ded99f5dedfd6203f574111.exe
    PID: 2208
    signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
      PID: 1604
      signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wscript.exe (depth 4)
        command line: WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
        PID: 2068
        signatures:
        - Drops startup file
    - C:\Windows\notepad.exe (depth 3)
      command line: "C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
      PID: 1836
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 652B
  MD5: 19b2d791962e01151e4b6a40a90e8cd8
  SHA1: a1ee500267dd1d457b3f840f8a00ba808bb46eb3
  SHA256: 67824e30ec5d2b61ffb266e8a37e9b929e82d507d09d21961b8293c99816c664
  SHA512: 4d39fd8f11e86490041190f1419273c702ccd85dcc603e5d7acc9d55cc60031ef1f7cc901a2c09b46d6bdc560a4c81d464c8495e7f9e8707ec7cd999f49c49fe
- Filesize: 69B
  MD5: e03e6937ba1878ace3d849b233adecfe
  SHA1: affbb4f8b53af6cf35660b775a0a8f70fb95f8b5
  SHA256: 9846a8975f8e2dbc96cd18d5015c03b4d8226fddf69bcb99a0610c855b0a9e6d
  SHA512: 99ea03b8635d89409c6e65dc1dd1e995eac8c02e373f3b01faa7d715f347722075cc0d5d629914399505a2ca8ffb80bfa8cafa9d99a2e702d1fcd94fb0baeca9