Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 15/01/2024, 04:56
Behavioral task: behavioral1
Sample: b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe
Resource: win7-20231215-en
General
- Target: b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe
- Size: 3.9MB
- MD5: 4f6c85b1fe3b69d8e187779ed68f38e1
- SHA1: 51bf48b1dc262a36a48243ec422a67aa7389b042
- SHA256: b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553
- SHA512: 4e78ae142fc65b11cef6443ff9523cb05bd65e50ddd4272d6dd0edbfddee886fd71b05157dd8361004cd0e8a65a89b8a3b7944723b965dbd75cb9045f2d24976
- SSDEEP: 98304:QeXhev9Pmf3br2A1qwd59GORXnXbA4suHSIB:3Xi9Pmf32RwXwAXchuyG
Malware Config
Signatures
-
- Detect ZGRat V1 (1 IoC)
  resource: behavioral1/memory/2288-0-0x0000000000BF0000-0x0000000000FDE000-memory.dmp
  yara_rule: family_zgrat_v1
- .NET Reactor protector (1 IoC)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource: behavioral1/memory/2288-0-0x0000000000BF0000-0x0000000000FDE000-memory.dmp
  yara_rule: net_reactor
- Loads dropped DLL (1 IoC)
  pid: 2288
  Process: b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2288 set thread context of 2732
  pid: 2288
  Process: b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe
  procid_target: 29
- Program crash (1 IoC)
  pid: 2736
  pid_target: 2732
  Process: WerFault.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2288 wrote to memory of 2732 | 2288 | b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe | 29
  PID 2732 wrote to memory of 2736 | 2732 | InstallUtil.exe | 28
  PID 2732 wrote to memory of 2736 | 2732 | InstallUtil.exe | 28
  PID 2732 wrote to memory of 2736 | 2732 | InstallUtil.exe | 28
  PID 2732 wrote to memory of 2736 | 2732 | InstallUtil.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b852a910668d96c99c4871a22e8f12f83c120949e2db5a2daf4123dff6929553.exe"
  PID: 2288
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    PID: 2732
    - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 88
  PID: 2736
  - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 136KB
  MD5: b73838ab928886005682c80089b68142
  SHA1: e1a15d0a0394b6c2208d9d4cdbf640a58eab6f8d
  SHA256: 5c0c8b948221f78b8e7a5f94cf39851e1a82e5749805c01a0fb64c84bebf1c85
  SHA512: ee52dc4ef70a6e635c7b0fbc86d852ed47d2654468c9cbafd1f83f8101812b677953c170f2f4239ebd225a97b5c616470649956f34ed963c752d3a8cccb9484e