Analysis
max time kernel: 287s
max time network: 303s
platform: windows10-1703_x64
resource: win10-20231220-en
resource tags: arch:x64, arch:x86, image:win10-20231220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/01/2024, 04:51
Behavioral task: behavioral1
Sample: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
Resource: win7-20231215-en
General
Target: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
Size: 4.7MB
MD5: 8b16468a9d56af5f2b7d80234a3240de
SHA1: 93f2fe7568a87af505205988617a842d220fdbd3
SHA256: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5
SHA512: 6444134c9fb71c77597ef591d2cade88b84f836281c34ed5b61a96665061024a12e1eeeabcc97b348de06095445a60dc14783c32e79ada037f5906baa7b424fd
SSDEEP: 98304:h3DFrOOW+rsAZcMId6Jx3wwyRLFjverf1Wd:ZiGgweBk6
Malware Config
Extracted
Family: lumma
C2: https://goddirtybrilliancece.fun/api
Signatures
Detect ZGRat V1 (1 IoC)
  resource: behavioral2/memory/4300-0-0x0000000000920000-0x0000000000DDA000-memory.dmp | yara_rule: family_zgrat_v1
.NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource: behavioral2/memory/4300-0-0x0000000000920000-0x0000000000DDA000-memory.dmp | yara_rule: net_reactor
Loads dropped DLL (1 IoC)
  pid: 4300 | process: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 4300 set thread context of 516 | pid: 4300 | process: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe | procid_target: 74
Program crash (1 IoC)
  pid: 4484 | pid_target: 516 | process: WerFault.exe | procid_target: 74
Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 4300 wrote to memory of 516 | pid: 4300 | process: 528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe | procid_target: 74
  (9 identical entries: all nine writes go from PID 4300 into PID 516)
Processes
1. C:\Users\Admin\AppData\Local\Temp\528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe"
   PID: 4300
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
     command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
     PID: 516
    3. C:\Windows\SysWOW64\WerFault.exe
       command line: C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 884
       PID: 4484
       - Program crash
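Read together, the process tree and the two injection signatures describe one chain: the .NET Reactor-protected loader (PID 4300) starts InstallUtil.exe (PID 516) with no arguments, writes into it nine times, redirects a thread with SetThreadContext, and the hollowed process then faults (WerFault.exe -p 516). The script below is an added example, not Triage output and not part of this report: it parses rows in the report's own flattened signature format, joins them with the process list, and returns that verdict. The process list and rows are transcribed from this page; the HOLLOW_HOSTS list, the regular expressions and the function names are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Signed .NET Framework utilities that loaders commonly start suspended and
# overwrite. Assumed list for this example; extend it from your own telemetry.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe", "csc.exe", "vbc.exe"}

# Row shape used in the Signatures section above, and WerFault's -p <pid> argument.
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
WER_RE = re.compile(r"(?i)werfault\.exe.*?-p\s+(\d+)")

# Constructed input, transcribed from the process tree and signature rows above.
SAMPLE = "528c1d3b8a54484062c610ed5ccc132caced657d241487c87c18c41ae872fed5.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

PROCESSES: Dict[int, Proc] = {
    4300: Proc(4300, None, TEMP + SAMPLE, '"' + TEMP + SAMPLE + '"'),
    516: Proc(516, 4300, INSTALLUTIL, INSTALLUTIL),
    4484: Proc(4484, 516, WERFAULT, WERFAULT + " -u -p 516 -s 884"),
}
SIGNATURE_ROWS: List[str] = (
    ["PID 4300 set thread context of 516 4300 " + SAMPLE + " 74"]
    + ["PID 4300 wrote to memory of 516 4300 " + SAMPLE + " 74"] * 9
)


def parse_rows(rows):
    """Turn flattened signature rows into (api, source_pid, target_pid) tuples."""
    events = []
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            api = "WriteProcessMemory" if m.group(2).startswith("wrote") else "SetThreadContext"
            events.append((api, int(m.group(1)), int(m.group(3))))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def spawned_without_args(p):
    """True when the command line is only the image path; InstallUtil normally takes an assembly."""
    return p.cmdline.strip().strip('"').lower() == p.image.lower()


def find_hollowing(procs, rows):
    """Pair every cross-process WriteProcessMemory with a SetThreadContext on the same target."""
    events = parse_rows(rows)
    counts = Counter(events)
    # WerFault -p <pid> names the process that crashed, i.e. whose injected payload faulted.
    crashed = set()
    for p in procs.values():
        m = WER_RE.search(p.cmdline)
        if m:
            crashed.add(int(m.group(1)))
    findings = []
    for src, dst in sorted({(s, d) for _, s, d in events if s != d}):
        writes = counts[("WriteProcessMemory", src, dst)]
        ctx = counts[("SetThreadContext", src, dst)]
        target = procs.get(dst)
        if not (writes and ctx and target):
            continue
        host = basename(target.image)
        findings.append({
            "injector": src, "target": dst, "host": host,
            "writes": writes, "set_thread_context": ctx,
            "known_hollow_host": host in HOLLOW_HOSTS,
            "spawned_without_args": spawned_without_args(target),
            "is_child": target.ppid == src,
            "target_crashed": dst in crashed,
        })
    return findings


def verdict(f):
    """A written target plus a redirected thread is the core; the host checks raise confidence."""
    if f["set_thread_context"] and f["known_hollow_host"] and f["spawned_without_args"]:
        return "probable process hollowing"
    return "cross-process write, review manually"


FINDINGS = find_hollowing(PROCESSES, SIGNATURE_ROWS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f['injector']} -> {f['target']} ({f['host']}): {verdict(f)}; "
              f"{f['writes']} writes, crashed={f['target_crashed']}")
```

The no-argument check matters more than the API pair alone: many legitimate debuggers and runtimes call WriteProcessMemory and SetThreadContext on children, but a signed .NET utility started with an empty command line by a file in %TEMP% has no benign reason to exist. On a real EDR feed the same logic applies to Sysmon event 10 (ProcessAccess) paired with event 1 (ProcessCreate) parent and command-line fields.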
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 238KB
MD5: 6bce173ee95a79c81ddbb5623d3a8fcd
SHA1: e66f2bcb3ec729c6a52ee9b6fd81ceeda7227909
SHA256: 4eb6b13c5807d394028831da5aa7cb5145705a1f33cc4d1feb95ee4fda1a7b42
SHA512: ebc362ff46bb903c0750635e967b8183cb66033e38438c0f58d779516467843c8e074258256a16606998aa21e2c326a7dad005a9d23044a06310647f6f2c73d7