Overview

Task      Score  Sample                 Platform
Static    10     static
Behavioral 3     magic.pois...lk.dat    windows10-2004-x64
Behavioral 3     magic.pois...ed.exe    windows10-2004-x64
Behavioral 10    magic.pois...pt.exe    windows10-2004-x64
Behavioral 10    magic.pois...cs.hta    windows10-2004-x64
Behavioral 10    magic.pois...nt.pdf    windows10-2004-x64
Behavioral 1     magic.pois...zg.wav    windows10-2004-x64
Behavioral 6     magic.pois...pt.exe    windows10-2004-x64
Behavioral 10    magic.pois...pt.exe    windows10-2004-x64
Behavioral 10    magic.pois...es.hta    windows10-2004-x64
Behavioral 10    magic.pois...im.vdf    windows10-2004-x64
Behavioral 3     magic.pois...ck.wav    windows10-2004-x64
Behavioral 1     magic.pois...ff.dat    windows10-2004-x64
Behavioral 3     magic.pois...IB.pdf    windows10-2004-x64
Behavioral 1     magic.pois...pt.exe    windows10-2004-x64
Behavioral 10    magic.pois...ty.wav    windows10-2004-x64
Behavioral 1     magic.pois...ye.wav    windows10-2004-x64
Behavioral 6     magic.pois...er.exe    windows10-2004-x64
Behavioral 10    magic.pois...vw.mp4    windows10-2004-x64
Behavioral 6     magic.pois...op.mp4    windows10-2004-x64
Behavioral 6     magic.pois...ed.hta    windows10-2004-x64
Behavioral 10    magic.pois...ng.exe    windows10-2004-x64
Behavioral 10    magic.pois...wn.png    windows10-2004-x64
Behavioral 3     magic.pois...ox.hta    windows10-2004-x64
Behavioral 10    magic.pois...xw.exe    windows10-2004-x64
Behavioral 10    magic.pois...xw.hta    windows10-2004-x64
Behavioral 10    magic.pois...pt.exe    windows10-2004-x64
Analysis (score 10)

max time kernel: 5s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 19-01-2024 20:19
Static task: static1

Behavioral tasks (task: sample, resource)
behavioral1: magic.poisontoolz.com/Avjteuhlk.dat, win10v2004-20231215-en
behavioral2: magic.poisontoolz.com/Binded.exe, win10v2004-20231215-en
behavioral3: magic.poisontoolz.com/Buildcrypt.exe, win10v2004-20231215-en
behavioral4: magic.poisontoolz.com/Docs.hta, win10v2004-20231215-en
behavioral5: magic.poisontoolz.com/Document.pdf, win10v2004-20231215-en
behavioral6: magic.poisontoolz.com/Evllmzg.wav, win10v2004-20231215-en
behavioral7: magic.poisontoolz.com/File1crypt.exe, win10v2004-20231215-en
behavioral8: magic.poisontoolz.com/File2crypt.exe, win10v2004-20231215-en
behavioral9: magic.poisontoolz.com/Files.hta, win10v2004-20231215-en
behavioral10: magic.poisontoolz.com/Jafxaspdhim.vdf, win10v2004-20231215-en
behavioral11: magic.poisontoolz.com/Otcck.wav, win10v2004-20231222-en
behavioral12: magic.poisontoolz.com/Pphucxdmff.dat, win10v2004-20231222-en
behavioral13: magic.poisontoolz.com/RIB.pdf, win10v2004-20231215-en
behavioral14: magic.poisontoolz.com/RagCrypt.exe, win10v2004-20231222-en
behavioral15: magic.poisontoolz.com/Spaufgty.wav, win10v2004-20231222-en
behavioral16: magic.poisontoolz.com/Utsxokye.wav, win10v2004-20231215-en
behavioral17: magic.poisontoolz.com/Walter.exe, win10v2004-20231215-en
behavioral18: magic.poisontoolz.com/Wjwxkhbvw.mp4, win10v2004-20231215-en
behavioral19: magic.poisontoolz.com/Wlkubkwdmop.mp4, win10v2004-20231215-en
behavioral20: magic.poisontoolz.com/binded.hta, win10v2004-20231215-en
behavioral21: magic.poisontoolz.com/building.exe, win10v2004-20231215-en
behavioral22: magic.poisontoolz.com/down.png, win10v2004-20231215-en
behavioral23: magic.poisontoolz.com/fox.hta, win10v2004-20231215-en
behavioral24: magic.poisontoolz.com/xw.exe, win10v2004-20231215-en
behavioral25: magic.poisontoolz.com/xw.hta, win10v2004-20231215-en
General

Target: magic.poisontoolz.com/RagCrypt.exe
Size: 86KB
MD5: f3ed43acd7d035e8c6035c7d65ec60bf
SHA1: 679c01b051cbd42b740a05f0cd2807b16bae5aec
SHA256: 136f29247b40b1cd3e65d093fd0529d6115ade980092b6a950d461b5c046daef
SHA512: fc5b4dd5abc2e8e141b25ed4bd77509a0af1ce24b695e44b563ad93192f74c0dd147e4eb0e9da7052459b4dec975d6c99d842f77dc4e002a3631dc27a9ff4db5
SSDEEP: 1536:VfVyEwOvOBB/rtSp/r3fGTTNOXrbpCEviigx2hyke70WgY:uElIUfL3p5vC2hykg
Malware Config

Signatures

Detect ZGRat V1 (34 IoCs)
Processes:
resource | yara_rule
behavioral14/memory/352-3-0x0000000005660000-0x0000000005796000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-11-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-19-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-25-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-33-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-39-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-49-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-57-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-65-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-67-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-63-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-61-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-59-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-55-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-53-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-51-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-47-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-45-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-43-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-41-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-37-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-35-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-31-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-29-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-27-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-23-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-21-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-17-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-15-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-13-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-9-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-7-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-5-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1
behavioral14/memory/352-4-0x0000000005660000-0x0000000005790000-memory.dmp | family_zgrat_v1

Suspicious use of SetThreadContext (1 IoC)
Processes: RagCrypt.exe
description | pid | process | target process
PID 352 set thread context of 2524 | 352 | RagCrypt.exe | RagCrypt.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: RagCrypt.exe
pid | process
352 | RagCrypt.exe
352 | RagCrypt.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: RagCrypt.exe
description | pid | process
Token: SeDebugPrivilege | 352 | RagCrypt.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes: RagCrypt.exe
description | pid | process | target process
PID 352 wrote to memory of 4212 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 4212 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 4212 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 2524 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 2524 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 2524 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 2524 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 2524 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 2524 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 2524 | 352 | RagCrypt.exe | RagCrypt.exe
PID 352 wrote to memory of 2524 | 352 | RagCrypt.exe | RagCrypt.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe (depth 1, PID 352)
  Command line: "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe (depth 2, PID 2524)
    Command line: C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
  - C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe (depth 2, PID 4212)
    Command line: C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
Network

MITRE ATT&CK Matrix
Downloads

- Filesize: 1KB
  MD5: c3941d9fa38f1717d5cecd7a2ca71667
  SHA1: 33b5362675383b58b4166ed9f9a61e5aa6768d2e
  SHA256: f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
  SHA512: 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45
- Filesize: 238B
  MD5: 0f5f7a38759e578c92bcf62c45d80b8a
  SHA1: 211e70ede55cce5bf67f685d85cbd030a8517d2b
  SHA256: 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc
  SHA512: 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d
- Filesize: 234B
  MD5: ae0f7fab163139c661e576fe0af08651
  SHA1: 7545ab94360fd93f2209021b4cecabb92592be27
  SHA256: 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657
  SHA512: a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b