Analysis
-
max time kernel
9s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
31-12-2023 22:10
General
-
Target
3b2fd6cfa20b53ed6d5d55c97ba3884f.exe
-
Size
1.5MB
-
MD5
3b2fd6cfa20b53ed6d5d55c97ba3884f
-
SHA1
a19518b371bc708790bab3f3769d9472559a7de5
-
SHA256
9258fb579d6597ae1cb061dc2dfcd3fdbc6d689f4844bae159bb3f75b9c1b8f6
-
SHA512
339b9da108e46690d2c3363c8bedd1bb1f05b6e538b4befc49a44955a3a7f337a4f3e8605b42a15ac1ab36834318e7a82de191d759c05c6291d0551591551f73
-
SSDEEP
24576:ox1k70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqD8kgbS:ox1kQTA5Qw7CSikJo54clgLH+tkWJ0Zb
Score
10/10
Malware Config
Signatures
-
Detect ZGRat V1 13 IoCs
-
Detects Echelon Stealer payload 1 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b2fd6cfa20b53ed6d5d55c97ba3884f.exe"C:\Users\Admin\AppData\Local\Temp\3b2fd6cfa20b53ed6d5d55c97ba3884f.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
-
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
-
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1704-0-0x00000000001B0000-0x0000000000334000-memory.dmpFilesize
1.5MB
-
memory/1704-1-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmpFilesize
9.9MB
-
memory/1704-2-0x0000000000660000-0x00000000006E0000-memory.dmpFilesize
512KB
-
memory/1704-3-0x000000001A990000-0x000000001AA06000-memory.dmpFilesize
472KB
-
memory/1704-15-0x000007FEF5500000-0x000007FEF5EEC000-memory.dmpFilesize
9.9MB
-
memory/2920-18-0x0000000004830000-0x00000000048CC000-memory.dmpFilesize
624KB
-
memory/2920-20-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/2920-19-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/2920-17-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/2920-16-0x0000000074350000-0x0000000074A3E000-memory.dmpFilesize
6.9MB
-
memory/2920-21-0x0000000004790000-0x000000000482A000-memory.dmpFilesize
616KB
-
memory/2920-22-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-27-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-35-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-47-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-57-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-67-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-75-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-83-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-85-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-81-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-79-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-77-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-73-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-71-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-69-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-65-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-63-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-61-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-59-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-55-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-53-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-51-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-49-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-45-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-43-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-41-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-39-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-37-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-33-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-31-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-29-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-25-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-23-0x0000000004790000-0x0000000004824000-memory.dmpFilesize
592KB
-
memory/2920-471-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/2920-470-0x0000000074350000-0x0000000074A3E000-memory.dmpFilesize
6.9MB
-
memory/2920-522-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/2920-525-0x0000000004E20000-0x0000000004E96000-memory.dmpFilesize
472KB
-
memory/2920-541-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/2920-542-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/2920-543-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/2920-545-0x0000000074350000-0x0000000074A3E000-memory.dmpFilesize
6.9MB