Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2024, 04:51
Behavioral task: behavioral1
Sample: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
Resource: win7-20231215-en
General

Target: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
Size: 4.7MB
MD5: 8b16468a9d56af5f2b7d80234a3240de
SHA1: 93f2fe7568a87af505205988617a842d220fdbd3
SHA256: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5
SHA512: 6444134c9fb71c77597ef591d2cade88b84f836281c34ed5b61a96665061024a12e1eeeabcc97b348de06095445a60dc14783c32e79ada037f5906baa7b424fd
SSDEEP: 98304:h3DFrOOW+rsAZcMId6Jx3wwyRLFjverf1Wd:ZiGgweBk6
Malware Config
Signatures
Detect ZGRat V1 (1 IoC)
  resource: behavioral1/memory/2124-0-0x0000000000F70000-0x000000000142A000-memory.dmp
  yara_rule: family_zgrat_v1
.NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource: behavioral1/memory/2124-0-0x0000000000F70000-0x000000000142A000-memory.dmp
  yara_rule: net_reactor
Loads dropped DLL (1 IoC)
  pid: 2124
  Process: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2124 set thread context of 2592
  pid: 2124
  Process: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
  procid_target: 30

Program crash (1 IoC)
  pid: 572
  pid_target: 2592
  Process: WerFault.exe
  procid_target: 30

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2124 wrote to memory of 2592 (Process: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe, procid_target: 30), 13 entries
  PID 2592 wrote to memory of 572 (Process: InstallUtil.exe, procid_target: 31), 4 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe"
   PID: 2124
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      PID: 2592
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 88
         PID: 572
         - Program crash
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 742KB
MD5: 544cd51a596619b78e9b54b70088307d
SHA1: 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256: dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512: f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719