Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 14/01/2024, 22:20

Behavioral task: behavioral1
- Sample: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
- Resource: win7-20231215-en
General
- Target: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
- Size: 4.7MB
- MD5: 8b16468a9d56af5f2b7d80234a3240de
- SHA1: 93f2fe7568a87af505205988617a842d220fdbd3
- SHA256: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5
- SHA512: 6444134c9fb71c77597ef591d2cade88b84f836281c34ed5b61a96665061024a12e1eeeabcc97b348de06095445a60dc14783c32e79ada037f5906baa7b424fd
- SSDEEP: 98304:h3DFrOOW+rsAZcMId6Jx3wwyRLFjverf1Wd:ZiGgweBk6
Malware Config
Signatures
- Detect ZGRat V1 (1 IoC)
  resource: behavioral1/memory/1748-0-0x0000000000AC0000-0x0000000000F7A000-memory.dmp
  yara_rule: family_zgrat_v1
- .NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource: behavioral1/memory/1748-0-0x0000000000AC0000-0x0000000000F7A000-memory.dmp
  yara_rule: net_reactor
- Loads dropped DLL (1 IoC)
  pid: 1748; Process: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1748 set thread context of 2800; pid: 1748; Process: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe; procid_target: 28
- Suspicious use of WriteProcessMemory (13 IoCs)
  13 identical entries, each: description: PID 1748 wrote to memory of 2800; pid: 1748; Process: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe; procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe (PID 1748)
  command line: "C:\Users\Admin\AppData\Local\Temp\528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 2800)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 506KB
  MD5: 48d0bd442e82467d89364d4d50b98ce4
  SHA1: 54b3b0baa01e962d179f9cbcdfdf0cec80126db1
  SHA256: 95f06df29d905ae027de20968f24c5c3c56fdf8a9f3c12465100d458533f7b8f
  SHA512: 9a3f7188b30c1ab46a007a6a4e93a87e45f0e59b60bb466815bda35f53132f726616d5e2284580575ae89d09642f4e21fe50e0e46ba6ca93bf0d0012740643d5