Malware Analysis Report

2025-01-03 05:02

Sample ID 240107-tgh1jsbbf5
Target 496d5fc129c98a075ea39863bd8938a2
SHA256 a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09
Tags
bitrat zgrat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09

Threat Level: Known bad

The file 496d5fc129c98a075ea39863bd8938a2 was found to be: Known bad.

Malicious Activity Summary

bitrat zgrat rat trojan

BitRAT

Detect ZGRat V1

ZGRat

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 16:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 16:01

Reported

2024-01-07 16:04

Platform

win7-20231129-en

Max time kernel

140s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"

Signatures

BitRAT

trojan bitrat

Detect ZGRat V1

Description Indicator Process Target
(34 hits; this rule records no description, indicator, process or target)

ZGRat

rat zgrat

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A (4 events) N/A C:\Users\Admin\AppData\Local\Temp\Sys.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2096 set thread context of 1432 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Users\Admin\AppData\Local\Temp\Sys.pif

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege in winnt.h) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege in winnt.h) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege in winnt.h) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege in winnt.h) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege in winnt.h) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege in winnt.h) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Sys.pif N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Sys.pif N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A (2 events) N/A C:\Users\Admin\AppData\Local\Temp\Sys.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 880 wrote to memory of 2096 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
PID 880 wrote to memory of 2696 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
PID 2096 wrote to memory of 2468 (4 events) N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 1124 (4 events) N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2856 (4 events) N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WScript.exe
PID 2856 wrote to memory of 1064 (4 events) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 1432 (12 events) N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Users\Admin\AppData\Local\Temp\Sys.pif
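The WriteProcessMemory and SetThreadContext rows above are the only record on this page of how the payload reaches C:\Users\Admin\AppData\Local\Temp\Sys.pif. The script below is an added example, not part of the sandbox output: it parses rows in the report's own row format (REPORT_ROWS is constructed from the two tables above), rebuilds the parent-to-child edges, and flags the one pair where the same source both writes the target's memory and then resets a thread context in it. Treating the handful of writes every parent makes into a freshly created child as ordinary CreateProcess traffic, and the ATT&CK mapping in the docstring, are the editor's assumptions rather than anything the report states.

```python
"""Rebuild the injection chain from Triage-style signature rows.

Added example for this report; the parser and the hollowing heuristic are
the editor's own, not sandbox output. REPORT_ROWS reproduces the
WriteProcessMemory and SetThreadContext tables of behavioral1 (constructed
input in the page's row format).
"""
import re
from collections import Counter

ROOT = r"C:\Users\Admin\AppData\Local"
DROPPER = ROOT + r"\Temp\496d5fc129c98a075ea39863bd8938a2.exe"
SYS_PIF = ROOT + r"\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"
CRACKER = ROOT + r"\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"
TMP_PIF = ROOT + r"\Temp\Sys.pif"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"


def _rows(kind, src, dst, sproc, tproc, n):
    """n identical rows exactly as the report prints them (one row per event)."""
    return [f"PID {src} {kind} {dst} N/A {sproc} {tproc}"] * n


# Constructed input: the behavioral1 rows, with their event counts.
REPORT_ROWS = (
    _rows("wrote to memory of", 880, 2096, DROPPER, SYS_PIF, 4)
    + _rows("wrote to memory of", 880, 2696, DROPPER, CRACKER, 4)
    + _rows("wrote to memory of", 2096, 2468, SYS_PIF, PS, 4)
    + _rows("wrote to memory of", 2096, 1124, SYS_PIF, PS, 4)
    + _rows("wrote to memory of", 2096, 2856, SYS_PIF, WSCRIPT, 4)
    + _rows("wrote to memory of", 2856, 1064, WSCRIPT, PS, 4)
    + _rows("wrote to memory of", 2096, 1432, SYS_PIF, TMP_PIF, 12)
    + _rows("set thread context of", 2096, 1432, SYS_PIF, TMP_PIF, 1)
)

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<sproc>\S+) (?P<tproc>\S+)$"
)


def parse_rows(rows):
    """Return (write_counts, set_of_context_pairs, image_path_by_pid)."""
    writes, ctx, images = Counter(), set(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["sproc"])
        images.setdefault(dst, m["tproc"])
        if m["kind"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, images


def process_tree(writes, images):
    """Parent->child edges in launch order, inferred from the first write into each PID."""
    seen, edges = set(), []
    for (src, dst) in writes:
        if dst not in seen:
            seen.add(dst)
            edges.append((src, images[src], dst, images[dst]))
    return edges


def hollowing_candidates(writes, ctx):
    """(src, dst, write_count) for every pair where the writer also reset a thread context.

    Writes alone are not the signal: each ordinary parent->child pair above shows a
    few writes made during process creation (editor's assumption). A source that
    writes the target repeatedly and then calls SetThreadContext on it is the
    hollowing / thread-hijack pattern (ATT&CK T1055.012 / T1055.003).
    """
    return sorted((s, d, writes[(s, d)]) for (s, d) in ctx if writes[(s, d)] > 0)


def analyse(rows):
    """One-call summary used by the demo below (and by tests)."""
    writes, ctx, images = parse_rows(rows)
    return {
        "writes": writes,
        "tree": process_tree(writes, images),
        "hollowing": hollowing_candidates(writes, ctx),
    }


def main():
    result = analyse(REPORT_ROWS)
    print("process tree (parent -> child):")
    for src, simg, dst, dimg in result["tree"]:
        print(f"  {src} {simg.rsplit(chr(92), 1)[-1]} -> {dst} {dimg.rsplit(chr(92), 1)[-1]}"
              f"  [{result['writes'][(src, dst)]} writes]")
    print("hollowing candidates:", result["hollowing"])


if __name__ == "__main__":
    main()
```

Run stand-alone it lists seven parent-to-child edges and a single hollowing candidate: Sys.pif (PID 2096) into C:\Users\Admin\AppData\Local\Temp\Sys.pif (PID 1432) after 12 writes. The memory/1432 dumps listed under Files cover 0x400000-0x7CE000 of that process, which is the region to examine first for the injected image.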

Processes

C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe

"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs"

C:\Users\Admin\AppData\Local\Temp\Sys.pif

C:\Users\Admin\AppData\Local\Temp\Sys.pif

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 firewall.publicvm.com udp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
SG 139.99.66.103:25874 firewall.publicvm.com tcp
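Read together, the Processes and Network tables above give a responder four things to alert on: a .pif executing from the user profile, PowerShell launched by that .pif and by WScript.exe, Set-MpPreference -ExclusionPath with a whole drive (C:\) in the list, and the firewall.publicvm.com / 139.99.66.103:25874 connection. The block below is an added example, not sandbox output: detection functions over a simplified Sysmon-like event schema (the schema is an assumption), run over events constructed from these two tables. Attributing the Set-MpPreference PowerShell to WScript.exe as its parent is inferred from the PID 2856 -> 1064 write rows in the signatures; the report does not state it outright. The 8.8.8.8 and dns.google traffic is kept in the sample to show that it does not fire.

```python
"""Detection logic for the behaviour recorded in behavioral1.

Added example, not part of the sandbox output. Event shape is a
simplified Sysmon-like schema (assumption); SAMPLE_EVENTS is constructed
from the Processes and Network tables of this report.
"""
import re

# IOCs from the Network table. The 8.8.8.8 DNS and dns.google lookups in
# the table are resolver noise, not indicators, so they are not listed.
C2_DOMAINS = {"firewall.publicvm.com"}
C2_ENDPOINTS = {("139.99.66.103", 25874)}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"
SYS_PIF = r"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"

# Constructed events mirroring behavioral1 (parent of event 4 is inferred).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": SYS_PIF, "parent_image": DROPPER,
     "command_line": '"' + SYS_PIF + '"'},
    {"id": 2, "type": "process_create", "image": PS, "parent_image": SYS_PIF,
     "command_line": PS_CMD + " Test-Connection 8.8.8.8"},
    {"id": 3, "type": "process_create", "image": WSCRIPT, "parent_image": SYS_PIF,
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs"'},
    {"id": 4, "type": "process_create", "image": PS, "parent_image": WSCRIPT,
     "command_line": PS_CMD + r" Set-MpPreference -ExclusionPath C:\,"
                     r"'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'"},
    {"id": 5, "type": "dns_query", "image": SYS_PIF, "query": "dns.google"},
    {"id": 6, "type": "dns_query", "image": SYS_PIF, "query": "firewall.publicvm.com"},
    {"id": 7, "type": "network_connect", "image": SYS_PIF,
     "dst_ip": "139.99.66.103", "dst_port": 25874, "dst_host": "firewall.publicvm.com"},
    {"id": 8, "type": "network_connect", "image": SYS_PIF,
     "dst_ip": "8.8.8.8", "dst_port": 53, "dst_host": ""},
]

EXCLUSION_RE = re.compile(r"(?i)set-mppreference\b.*-exclusionpath\s+(?P<paths>.+)")
# A bare drive root such as C:\ (or C:) as one of the comma-separated paths.
DRIVE_ROOT_RE = re.compile(r"(?i)(^|[,\s'\"])[a-z]:\\?(?=[,\s'\"]|$)")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev):
    """Any Defender exclusion is worth a look; a whole drive is the loud variant."""
    if ev["type"] != "process_create":
        return None
    m = EXCLUSION_RE.search(ev["command_line"])
    if not m:
        return None
    if DRIVE_ROOT_RE.search(m.group("paths")):
        return "defender_exclusion_drive_root"
    return "defender_exclusion_added"


def rule_pif_in_user_profile(ev):
    """A .pif (a PE renamed to a DOS shortcut extension) running out of AppData."""
    if ev["type"] != "process_create":
        return None
    img = ev["image"].lower()
    if img.endswith(".pif") and "\\appdata\\" in img:
        return "pif_executed_from_appdata"
    return None


def rule_suspicious_powershell_parent(ev):
    """PowerShell started by a script host or by a .pif, as seen in the process list."""
    if ev["type"] != "process_create" or _base(ev["image"]) != "powershell.exe":
        return None
    parent = _base(ev["parent_image"])
    if parent in {"wscript.exe", "cscript.exe"}:
        return "script_host_spawned_powershell"
    if parent.endswith(".pif"):
        return "pif_spawned_powershell"
    return None


def rule_c2_ioc(ev):
    """Match the report's C2 domain and endpoint; benign DNS traffic does not match."""
    if ev["type"] == "dns_query" and ev["query"].lower() in C2_DOMAINS:
        return "c2_domain_lookup"
    if ev["type"] == "network_connect":
        if ev.get("dst_host", "").lower() in C2_DOMAINS or (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
            return "c2_connection"
    return None


RULES = [rule_defender_exclusion, rule_pif_in_user_profile,
         rule_suspicious_powershell_parent, rule_c2_ioc]


def detect(events):
    """Return (event_id, rule_name) for every rule that fires, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev["id"], name))
    return hits


if __name__ == "__main__":
    for event_id, name in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {name}")
```

Six hits come out of the eight constructed events; the dns.google lookup and the 8.8.8.8:53 connection stay quiet. The second excluded path, nvcontainer.exe under the Start Menu Programs folder, is worth a hunt on its own even though this report records no file written there.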

Files

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

MD5 76555816c73f34e86608807c7737a593
SHA1 3c38473581f2c602a25707ee9000634f4b4d033a
SHA256 64299aa25ed5fae3be2ac53c376875280bb624a555674bc89f43e58cf06fde6d
SHA512 a2a28ef202a332d002cf831c8fb94ef67dc392e543748c8b819fae191829fce038211a905ee08836556a73f9bc4918313c4be6ab9e7ef068503054eedfd3f22b

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 1ec86b222049775e000447ea76a64f67
SHA1 418edc66312d10c96c3fdc06366e652379d4ac9b
SHA256 26bc06ac1fd5d1b8e8612bc9682dcc6b51aa05498dba30650eef95eb24660642
SHA512 36285bc84a4e05650478bce9ca55bcdf8384ce3f8e39fc86bc268214a77de77d81be419e6d461c3da687a91fb74dd2d8211b73d0f8a1da747c57b0664ee14e11

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 ab33035218b4fbf9e6bbcefc4fe905c1
SHA1 a22fd374409fe88f8977fede3068f0b0506eb08b
SHA256 4c56525f5fadef31176166b4c97d58175eac92c27f5abad273daa2afb3694dee
SHA512 1a41310519348a28db00a8a1583b6e1790371d395e1dce8713fb7376b73b84b77c67b41a9cc4db339e898876417f5779f9541b734778e12b1662333709c07e80

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

MD5 b4bfbbd8c27fb4cbd0e1b8c63eea43e6
SHA1 347869e110d2733e8f22b935a064fafb5fbed0fb
SHA256 751a1d639c59080f009597d45d09f5be3d02b3324341486dea8a0ebf9d16974c
SHA512 668b43933075807b439e7aa2a77dc642a7040605a536d7b82dca09b540c5db95e4269728d3401aeb2e9aa4e646d38815fec39ef5dda109fdd0359cec83e2b88c

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 c2a78b5610d2abd529688c420bde478e
SHA1 7a6b9c6f66f7df7540ecfd633f9735c4828f9b3a
SHA256 36c76fcef546a898a0c6f4d811b9106574ac5e82f5354569871be9679091871c
SHA512 b000464af649879dc724a9d805601ba9f627e03f28a65bc2a13a946f840d70bd8e6835511701657c795b96fd4521c7f23826b168a0bf2429e9d36bb596797aa2

memory/2696-38-0x000000013F060000-0x000000013F0C6000-memory.dmp

memory/2096-37-0x0000000000C10000-0x0000000000E54000-memory.dmp

memory/2096-39-0x0000000074520000-0x0000000074C0E000-memory.dmp

memory/2696-40-0x0000000000870000-0x0000000000888000-memory.dmp

memory/2696-45-0x000000001AB50000-0x000000001ABCC000-memory.dmp

memory/2696-50-0x000000001ABD0000-0x000000001AC0C000-memory.dmp

memory/2696-48-0x0000000002360000-0x00000000023A8000-memory.dmp

memory/2696-46-0x0000000000890000-0x000000000089A000-memory.dmp

memory/2696-44-0x000000001BB30000-0x000000001BBB0000-memory.dmp

memory/2096-43-0x0000000004A40000-0x0000000004A80000-memory.dmp

memory/2696-41-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

memory/2468-56-0x0000000002A70000-0x0000000002AB0000-memory.dmp

memory/2468-55-0x0000000002A70000-0x0000000002AB0000-memory.dmp

memory/2468-54-0x0000000070000000-0x00000000705AB000-memory.dmp

memory/2468-53-0x0000000070000000-0x00000000705AB000-memory.dmp

memory/2468-57-0x0000000070000000-0x00000000705AB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 bbed485d156f6f87220f1757c61f58bf
SHA1 3a1d97a8ae3e5796d8feced351fae790aef0767a
SHA256 39738b5451ee94507597768b7b85279991ddb9d49d781e68f41e9678c0efcc59
SHA512 6a0f4352969d7627fe4686a99347d653387dce0a67cde021b89f6a9b6fe8ad514a5c42331dfe6f166d1c2a5781356809e1f6e7e55fb24be7e09970646f14d757

memory/1124-64-0x000000006FD50000-0x00000000702FB000-memory.dmp

memory/2096-63-0x0000000074520000-0x0000000074C0E000-memory.dmp

memory/1124-68-0x0000000002A20000-0x0000000002A60000-memory.dmp

memory/2696-69-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

memory/1124-67-0x0000000002A20000-0x0000000002A60000-memory.dmp

memory/1124-66-0x0000000002A20000-0x0000000002A60000-memory.dmp

memory/1124-65-0x000000006FD50000-0x00000000702FB000-memory.dmp

memory/2096-70-0x0000000004A40000-0x0000000004A80000-memory.dmp

memory/2696-71-0x000000001BB30000-0x000000001BBB0000-memory.dmp

memory/2096-72-0x0000000008060000-0x0000000008274000-memory.dmp

memory/2096-73-0x0000000002260000-0x00000000022E0000-memory.dmp

memory/2096-137-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-135-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-133-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-131-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-129-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-127-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-125-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-123-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-121-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-119-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-117-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-115-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-113-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-111-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-109-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-107-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-105-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-103-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-101-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-99-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-97-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-95-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-93-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-91-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-89-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-87-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-85-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-83-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-81-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-79-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-77-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-75-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/2096-74-0x0000000002260000-0x00000000022DA000-memory.dmp

memory/1064-2591-0x000000006FD50000-0x00000000702FB000-memory.dmp

memory/1064-2593-0x0000000002B50000-0x0000000002B90000-memory.dmp

memory/1064-2595-0x000000006FD50000-0x00000000702FB000-memory.dmp

memory/1064-2597-0x0000000002B50000-0x0000000002B90000-memory.dmp

memory/1064-2598-0x0000000002B50000-0x0000000002B90000-memory.dmp

memory/1124-2611-0x000000006FD50000-0x00000000702FB000-memory.dmp

memory/2096-2610-0x0000000074520000-0x0000000074C0E000-memory.dmp

memory/1064-2609-0x000000006FD50000-0x00000000702FB000-memory.dmp

memory/1432-2608-0x0000000000400000-0x00000000007CE000-memory.dmp

memory/1432-2620-0x0000000000400000-0x00000000007CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 16:01

Reported

2024-01-07 16:04

Platform

win10v2004-20231215-en

Max time kernel

164s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
(34 hits; this rule records no description, indicator, process or target)

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 4296 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
PID 1044 wrote to memory of 2752 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
PID 4296 wrote to memory of 3908 (3 events) N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4296 wrote to memory of 4548 (3 events) N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe

"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

MD5 76555816c73f34e86608807c7737a593
SHA1 3c38473581f2c602a25707ee9000634f4b4d033a
SHA256 64299aa25ed5fae3be2ac53c376875280bb624a555674bc89f43e58cf06fde6d
SHA512 a2a28ef202a332d002cf831c8fb94ef67dc392e543748c8b819fae191829fce038211a905ee08836556a73f9bc4918313c4be6ab9e7ef068503054eedfd3f22b

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 c2a78b5610d2abd529688c420bde478e
SHA1 7a6b9c6f66f7df7540ecfd633f9735c4828f9b3a
SHA256 36c76fcef546a898a0c6f4d811b9106574ac5e82f5354569871be9679091871c
SHA512 b000464af649879dc724a9d805601ba9f627e03f28a65bc2a13a946f840d70bd8e6835511701657c795b96fd4521c7f23826b168a0bf2429e9d36bb596797aa2

memory/2752-30-0x00000190CE4A0000-0x00000190CE506000-memory.dmp

memory/2752-31-0x00000190CE8B0000-0x00000190CE8C8000-memory.dmp

memory/2752-32-0x00007FFD8D380000-0x00007FFD8DE41000-memory.dmp

memory/2752-33-0x00000190D0370000-0x00000190D0380000-memory.dmp

memory/4296-34-0x0000000074B60000-0x0000000075310000-memory.dmp

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Direct2D1.dll

MD5 19f8591a6baa83af46de41f20224b6f1
SHA1 c736799e1936cec37acbf66fdf1df96f4679562f
SHA256 a94e2f3c206351503f6c4002585af270880854b4b97b730ea51764ef23b5ba79
SHA512 db4798af16452ce7c0e47f59692e1643d2639b0744075b78bb9dc33dbf7de78392bb21f28529b091d54ed0a2185add12f38c256bcb3ba97d34a050e29a19617e

memory/2752-36-0x00000190D02B0000-0x00000190D032C000-memory.dmp

memory/2752-37-0x00000190CE8E0000-0x00000190CE8EA000-memory.dmp

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.dll

MD5 6fabeaa1c8ea15e787f2e3b487ab434d
SHA1 c2091f69192903676ed6b181bbf8346b819c43a2
SHA256 28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909
SHA512 076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

memory/2752-39-0x00000190D0120000-0x00000190D0168000-memory.dmp

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Mathematics.dll

MD5 d30f6fb490a820dcdd9c7da971036393
SHA1 177b1b912fb09efacce8bae24fca35ea514f131b
SHA256 be2fe214f8a1515824b523ac85f25c8856370d4ffd90cd22dd78c079f5ea803b
SHA512 332508c32d6c5baf16da59c619fb4b55dfdfccea667582d02ccf72e88d0ddc0acaa2df97adba038bbada9d839145a6cd76c4a7ced5346256d868b3bd548d82e2

memory/2752-41-0x00000190D0330000-0x00000190D036C000-memory.dmp

memory/4296-42-0x0000000000050000-0x0000000000294000-memory.dmp

memory/4296-43-0x0000000005260000-0x0000000005804000-memory.dmp

memory/2752-44-0x00007FFD8D380000-0x00007FFD8DE41000-memory.dmp

memory/4296-45-0x0000000004CB0000-0x0000000004D42000-memory.dmp

memory/2752-46-0x00000190D0370000-0x00000190D0380000-memory.dmp

memory/4296-47-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/4296-48-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

memory/4296-49-0x0000000005110000-0x000000000511A000-memory.dmp

memory/4296-50-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

memory/3908-51-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/3908-52-0x0000000002590000-0x00000000025A0000-memory.dmp

memory/3908-53-0x00000000025A0000-0x00000000025D6000-memory.dmp

memory/3908-54-0x0000000005120000-0x0000000005748000-memory.dmp

memory/3908-55-0x0000000004E40000-0x0000000004E62000-memory.dmp

memory/3908-56-0x0000000005750000-0x00000000057B6000-memory.dmp

memory/3908-57-0x00000000058C0000-0x0000000005926000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcbj4mlk.3ee.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3908-67-0x0000000005A30000-0x0000000005D84000-memory.dmp

memory/4548-68-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/4548-69-0x0000000004850000-0x0000000004860000-memory.dmp

memory/3908-80-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

memory/4548-79-0x0000000004AF0000-0x0000000004B0E000-memory.dmp

memory/3908-81-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

memory/3908-82-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/4296-83-0x0000000006210000-0x0000000006424000-memory.dmp

memory/3908-84-0x0000000002590000-0x00000000025A0000-memory.dmp

memory/4296-85-0x0000000006170000-0x00000000061F0000-memory.dmp

memory/4296-86-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-87-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-89-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-91-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-93-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-95-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-97-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-99-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-101-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-103-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-105-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-107-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-109-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-111-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-113-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-115-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-117-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-119-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-121-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-123-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-125-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-127-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-129-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-131-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-133-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-135-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-137-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-139-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-141-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-143-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-145-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-147-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/4296-149-0x0000000006170000-0x00000000061EA000-memory.dmp

memory/3908-353-0x0000000002590000-0x00000000025A0000-memory.dmp