Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 14-01-2024 22:17
Behavioral task: behavioral1
Sample: 14b900286ac776a901ff3beb49507b83cb7902276d51c011360f837669ba7a66.exe
Resource: win7-20231129-en
General
Target: 14b900286ac776a901ff3beb49507b83cb7902276d51c011360f837669ba7a66.exe
Size: 6.2MB
MD5: a69e9fba99f717cb811554e1985f45c2
SHA1: f8057be04f9e0a00a53a6b5fc66e43345592668f
SHA256: 14b900286ac776a901ff3beb49507b83cb7902276d51c011360f837669ba7a66
SHA512: 9016deaf6dffd6e03339416a0d11437bc64d53495f952268fc4b0b9d0a39d3f8faf0d57c8cf9dd3ac95f5ff52cb4daf38d2b7a26bf278bed90efbfaf410e9103
SSDEEP: 98304:Du8DZiccE2uEwXDiPz9G2rYIDujbOW9acwIxcGieIxcGiP:D1mEUuWbQ2VOawgpGNpGI
Malware Config
Signatures
- Detect ZGRat V1 (1 IoC)
  resource | yara_rule
  behavioral1/memory/2536-0-0x00000000002F0000-0x0000000000918000-memory.dmp | family_zgrat_v1
- .NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource | yara_rule
  behavioral1/memory/2536-0-0x00000000002F0000-0x0000000000918000-memory.dmp | net_reactor
- Loads dropped DLL (1 IoC)
  pid | Process
  2536 | 14b900286ac776a901ff3beb49507b83cb7902276d51c011360f837669ba7a66.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2536 set thread context of 2648 | 2536 | 14b900286ac776a901ff3beb49507b83cb7902276d51c011360f837669ba7a66.exe | 28
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2648 | RegAsm.exe
- Suspicious use of WriteProcessMemory (12 IoCs; the same event is recorded 12 times)
  description | pid | Process | procid_target
  PID 2536 wrote to memory of 2648 | 2536 | 14b900286ac776a901ff3beb49507b83cb7902276d51c011360f837669ba7a66.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\14b900286ac776a901ff3beb49507b83cb7902276d51c011360f837669ba7a66.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\14b900286ac776a901ff3beb49507b83cb7902276d51c011360f837669ba7a66.exe"
   PID: 2536
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (nested under process 1, PID 2536)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      PID: 2648
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 184KB
  MD5: 725329683ec22f50bec0b2a7341a800a
  SHA1: e0bfe718197dd169773d7125f3732f72c32e40b8
  SHA256: c2b609ed352531ff977eefd0180d128123a1cac443dbb3ba93d47b1196315790
  SHA512: 6e063e3a1bf388059bb97c111e87709fb775df7050f631fc0de6d91761227543d15d8448406846c72f65e76bbbb830c5d05847b07e84e19e3ab3ff0020b291bd