Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/01/2024, 22:20

General

  • Target

    528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe

  • Size

    4.7MB

  • MD5

    8b16468a9d56af5f2b7d80234a3240de

  • SHA1

    93f2fe7568a87af505205988617a842d220fdbd3

  • SHA256

    528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5

  • SHA512

    6444134c9fb71c77597ef591d2cade88b84f836281c34ed5b61a96665061024a12e1eeeabcc97b348de06095445a60dc14783c32e79ada037f5906baa7b424fd

  • SSDEEP

    98304:h3DFrOOW+rsAZcMId6Jx3wwyRLFjverf1Wd:ZiGgweBk6

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • .NET Reactor protector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
    "C:\Users\Admin\AppData\Local\Temp\528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe"
    PID: 1748
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      PID: 2800

Downloads

  • \Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
    Filesize: 506KB
    MD5: 48d0bd442e82467d89364d4d50b98ce4
    SHA1: 54b3b0baa01e962d179f9cbcdfdf0cec80126db1
    SHA256: 95f06df29d905ae027de20968f24c5c3c56fdf8a9f3c12465100d458533f7b8f
    SHA512: 9a3f7188b30c1ab46a007a6a4e93a87e45f0e59b60bb466815bda35f53132f726616d5e2284580575ae89d09642f4e21fe50e0e46ba6ca93bf0d0012740643d5

  • memory/1748-20-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/1748-18-0x0000000007E90000-0x0000000007F90000-memory.dmp
    Filesize: 1024KB

  • memory/1748-3-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/1748-4-0x0000000006800000-0x0000000006AB0000-memory.dmp
    Filesize: 2.7MB

  • memory/1748-5-0x0000000007D00000-0x0000000007E92000-memory.dmp
    Filesize: 1.6MB

  • memory/1748-0-0x0000000000AC0000-0x0000000000F7A000-memory.dmp
    Filesize: 4.7MB

  • memory/1748-14-0x0000000000280000-0x0000000000290000-memory.dmp
    Filesize: 64KB

  • memory/1748-13-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/1748-12-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/1748-11-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/1748-17-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/1748-37-0x0000000074830000-0x0000000074F1E000-memory.dmp
    Filesize: 6.9MB

  • memory/1748-2-0x0000000074830000-0x0000000074F1E000-memory.dmp
    Filesize: 6.9MB

  • memory/1748-15-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/1748-16-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/1748-10-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/1748-1-0x0000000074830000-0x0000000074F1E000-memory.dmp
    Filesize: 6.9MB

  • memory/1748-19-0x0000000005180000-0x00000000051C0000-memory.dmp
    Filesize: 256KB

  • memory/2800-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB

  • memory/2800-29-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/2800-36-0x0000000000401000-0x000000000045B000-memory.dmp
    Filesize: 360KB

  • memory/2800-27-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/2800-21-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/2800-35-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/2800-33-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/2800-23-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB

  • memory/2800-25-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize: 588KB