Analysis

  • max time kernel: 293s
  • max time network: 299s
  • platform: windows10-1703_x64
  • resource: win10-20231220-en
  • resource tags: arch:x64, arch:x86, image:win10-20231220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted: 15/01/2024, 04:48

General

  • Target: 1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe
  • Size: 5.6MB
  • MD5: 47e19c527210dfdce1dfa2962eaa73de
  • SHA1: 80741dd2a77d77097f7638e61095017ff9d534ae
  • SHA256: 1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f
  • SHA512: 52fd9f3245fe2e7f56d47d855ccbd91e4931330ca5f8a00181531e59e7a508e7f93d6ea270cbd3fcc6d3ad54e68027960c305d2ef81b28108731aed88b3e461c
  • SSDEEP: 98304:+e3e4ejPxblyoseZRIPpAogYKeTzOzqc7u9:Le4ejJ5ceZEvgnDzx7W

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • Detects Arechclient2 RAT 1 IoCs

    Arechclient2.

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • .NET Reactor protector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe
    "C:\Users\Admin\AppData\Local\Temp\1989c9b8ecb487c23d6de52e5860c4bb9ed9b9ee5b22265267761a686eba7c2f.exe"
    PID: 4344
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      PID: 5068
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF157.tmp
    Filesize: 5KB
    MD5: f315177aec6837695aee27159dd37670
    SHA1: ac0a434cad40715cb5382555eb5ee0cf28543196
    SHA256: 0a0206a8be439430546babbca6c7790927ef1b63b388eb072d67eed266002ba7
    SHA512: 5d3b6a0c5bf0aa761dd394fbb176a2d783add7203fe7f4e9b75f091561612be556c7d465b16036574c90a149413ae130a59977645eba5dae2e8543758558d563

  • \Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
    Filesize: 21KB
    MD5: 67fe1a8534edd1220c838cb9a18a2752
    SHA1: b617f6eadd2d95b54a4c6eae4529fb642ee4b7f8
    SHA256: d5eea0e906a4c071a7132c732a59493c0c92c8b96b35d87004c59718cce9e5da
    SHA512: 2bf3fa27420cc4e6ef72e7d0f6b7c03a24407223dc928cb9ae4b687945db275899ad64ecc0c4325a00f92a617eb59c9685d9924dccb40d7e430f047be63fee20

  • memory/4344-41-0x00000000058F0000-0x0000000005900000-memory.dmp (Filesize: 64KB)
  • memory/4344-6-0x0000000007050000-0x00000000071E2000-memory.dmp (Filesize: 1.6MB)
  • memory/4344-4-0x00000000058F0000-0x0000000005900000-memory.dmp (Filesize: 64KB)
  • memory/4344-5-0x0000000006D60000-0x000000000704E000-memory.dmp (Filesize: 2.9MB)
  • memory/4344-0-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
  • memory/4344-16-0x00000000058F0000-0x0000000005900000-memory.dmp (Filesize: 64KB)
  • memory/4344-17-0x00000000058F0000-0x0000000005900000-memory.dmp (Filesize: 64KB)
  • memory/4344-47-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
  • memory/4344-18-0x00000000075E0000-0x00000000076E0000-memory.dmp (Filesize: 1024KB)
  • memory/4344-3-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
  • memory/4344-12-0x00000000058F0000-0x0000000005900000-memory.dmp (Filesize: 64KB)
  • memory/4344-2-0x00000000057E0000-0x000000000587C000-memory.dmp (Filesize: 624KB)
  • memory/4344-13-0x00000000052E0000-0x00000000052F0000-memory.dmp (Filesize: 64KB)
  • memory/4344-14-0x00000000058F0000-0x0000000005900000-memory.dmp (Filesize: 64KB)
  • memory/4344-1-0x0000000000A60000-0x0000000000FF0000-memory.dmp (Filesize: 5.6MB)
  • memory/4344-20-0x00000000075E0000-0x00000000076E0000-memory.dmp (Filesize: 1024KB)
  • memory/4344-19-0x00000000075E0000-0x00000000076E0000-memory.dmp (Filesize: 1024KB)
  • memory/4344-15-0x00000000058F0000-0x0000000005900000-memory.dmp (Filesize: 64KB)
  • memory/5068-22-0x0000000005430000-0x00000000054C2000-memory.dmp (Filesize: 584KB)
  • memory/5068-30-0x0000000005C00000-0x0000000005C1E000-memory.dmp (Filesize: 120KB)
  • memory/5068-29-0x0000000006900000-0x0000000006E2C000-memory.dmp (Filesize: 5.2MB)
  • memory/5068-28-0x00000000056B0000-0x0000000005726000-memory.dmp (Filesize: 472KB)
  • memory/5068-31-0x0000000005CE0000-0x0000000005D46000-memory.dmp (Filesize: 408KB)
  • memory/5068-24-0x0000000005620000-0x0000000005630000-memory.dmp (Filesize: 64KB)
  • memory/5068-27-0x00000000054D0000-0x0000000005520000-memory.dmp (Filesize: 320KB)
  • memory/5068-26-0x0000000005ED0000-0x00000000063CE000-memory.dmp (Filesize: 5.0MB)
  • memory/5068-25-0x0000000005800000-0x00000000059C2000-memory.dmp (Filesize: 1.8MB)
  • memory/5068-23-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
  • memory/5068-21-0x0000000000400000-0x00000000004D4000-memory.dmp (Filesize: 848KB)
  • memory/5068-48-0x0000000073CC0000-0x00000000743AE000-memory.dmp (Filesize: 6.9MB)
  • memory/5068-49-0x0000000005620000-0x0000000005630000-memory.dmp (Filesize: 64KB)