Overview
Static: score 10
Behavioral tasks (score, sample, platform):
3   magic.pois...lk.dat   windows10-2004-x64
3   magic.pois...ed.exe   windows10-2004-x64
10  magic.pois...pt.exe   windows10-2004-x64
10  magic.pois...cs.hta   windows10-2004-x64
10  magic.pois...nt.pdf   windows10-2004-x64
1   magic.pois...zg.wav   windows10-2004-x64
6   magic.pois...pt.exe   windows10-2004-x64
10  magic.pois...pt.exe   windows10-2004-x64
10  magic.pois...es.hta   windows10-2004-x64
10  magic.pois...im.vdf   windows10-2004-x64
3   magic.pois...ck.wav   windows10-2004-x64
1   magic.pois...ff.dat   windows10-2004-x64
3   magic.pois...IB.pdf   windows10-2004-x64
1   magic.pois...pt.exe   windows10-2004-x64
10  magic.pois...ty.wav   windows10-2004-x64
1   magic.pois...ye.wav   windows10-2004-x64
6   magic.pois...er.exe   windows10-2004-x64
10  magic.pois...vw.mp4   windows10-2004-x64
6   magic.pois...op.mp4   windows10-2004-x64
6   magic.pois...ed.hta   windows10-2004-x64
10  magic.pois...ng.exe   windows10-2004-x64
10  magic.pois...wn.png   windows10-2004-x64
3   magic.pois...ox.hta   windows10-2004-x64
10  magic.pois...xw.exe   windows10-2004-x64
10  magic.pois...xw.hta   windows10-2004-x64
10  magic.pois...pt.exe   windows10-2004-x64
Analysis: score 10
max time kernel: 149s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2024 20:19
Static task: static1
Behavioral tasks (task, sample, resource):
behavioral1: magic.poisontoolz.com/Avjteuhlk.dat (win10v2004-20231215-en)
behavioral2: magic.poisontoolz.com/Binded.exe (win10v2004-20231215-en)
behavioral3: magic.poisontoolz.com/Buildcrypt.exe (win10v2004-20231215-en)
behavioral4: magic.poisontoolz.com/Docs.hta (win10v2004-20231215-en)
behavioral5: magic.poisontoolz.com/Document.pdf (win10v2004-20231215-en)
behavioral6: magic.poisontoolz.com/Evllmzg.wav (win10v2004-20231215-en)
behavioral7: magic.poisontoolz.com/File1crypt.exe (win10v2004-20231215-en)
behavioral8: magic.poisontoolz.com/File2crypt.exe (win10v2004-20231215-en)
behavioral9: magic.poisontoolz.com/Files.hta (win10v2004-20231215-en)
behavioral10: magic.poisontoolz.com/Jafxaspdhim.vdf (win10v2004-20231215-en)
behavioral11: magic.poisontoolz.com/Otcck.wav (win10v2004-20231222-en)
behavioral12: magic.poisontoolz.com/Pphucxdmff.dat (win10v2004-20231222-en)
behavioral13: magic.poisontoolz.com/RIB.pdf (win10v2004-20231215-en)
behavioral14: magic.poisontoolz.com/RagCrypt.exe (win10v2004-20231222-en)
behavioral15: magic.poisontoolz.com/Spaufgty.wav (win10v2004-20231222-en)
behavioral16: magic.poisontoolz.com/Utsxokye.wav (win10v2004-20231215-en)
behavioral17: magic.poisontoolz.com/Walter.exe (win10v2004-20231215-en)
behavioral18: magic.poisontoolz.com/Wjwxkhbvw.mp4 (win10v2004-20231215-en)
behavioral19: magic.poisontoolz.com/Wlkubkwdmop.mp4 (win10v2004-20231215-en)
behavioral20: magic.poisontoolz.com/binded.hta (win10v2004-20231215-en)
behavioral21: magic.poisontoolz.com/building.exe (win10v2004-20231215-en)
behavioral22: magic.poisontoolz.com/down.png (win10v2004-20231215-en)
behavioral23: magic.poisontoolz.com/fox.hta (win10v2004-20231215-en)
behavioral24: magic.poisontoolz.com/xw.exe (win10v2004-20231215-en)
behavioral25: magic.poisontoolz.com/xw.hta (win10v2004-20231215-en)
General
Target: magic.poisontoolz.com/yagacrypt.exe
Size: 56KB
MD5: 0abd42634db4f4fb3bbbcaa066413d68
SHA1: 074f62ae3b24d775f09e98e81e857e6f1be05f3b
SHA256: a2ac7be629121924985b42fdf34380efe12be78a3d8665b625a2eae80808cff4
SHA512: 578ef89e668c8e38e66353f485be2b90ebf8ec21bcf0f5de0ec65ee0710b55256876f28219e540beaf2dea41224c51355dc9a39930cfa3b231b3450264ac47d2
SSDEEP: 1536:rytceGvzLlLa2kSrZRPV1mcKAgSfTl3Blpgr1dv:rytceGv3lLa2LRPVBvfR3TpgBdv
Malware Config
Signatures
- Detect ZGRat V1 (35 IoCs)
- Executes dropped EXE (3 IoCs)
  PID 3740 LegalBlockSizes.exe
  PID 4088 LegalBlockSizes.exe
  PID 5080 LegalBlockSizes.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 4044 (yagacrypt.exe) set thread context of PID 208 (yagacrypt.exe)
  PID 3740 (LegalBlockSizes.exe) set thread context of PID 5080 (LegalBlockSizes.exe)
  PID 5080 (LegalBlockSizes.exe) set thread context of PID 4404 (MSBuild.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2308 powershell.exe
  PID 2308 powershell.exe
  PID 3740 LegalBlockSizes.exe
  PID 3740 LegalBlockSizes.exe
  PID 5080 LegalBlockSizes.exe
  PID 5080 LegalBlockSizes.exe
  PID 1468 powershell.exe
  PID 1468 powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege, PID 4044 yagacrypt.exe
  Token: SeDebugPrivilege, PID 208 yagacrypt.exe
  Token: SeDebugPrivilege, PID 2308 powershell.exe
  Token: SeDebugPrivilege, PID 3740 LegalBlockSizes.exe
  Token: SeDebugPrivilege, PID 5080 LegalBlockSizes.exe
  Token: SeDebugPrivilege, PID 4404 MSBuild.exe
  Token: SeDebugPrivilege, PID 1468 powershell.exe
- Suspicious use of WriteProcessMemory (27 IoCs; identical rows collapsed, count in parentheses)
  PID 4044 (yagacrypt.exe) wrote to memory of PID 208 (yagacrypt.exe) (8 entries)
  PID 3740 (LegalBlockSizes.exe) wrote to memory of PID 4088 (LegalBlockSizes.exe) (3 entries)
  PID 3740 (LegalBlockSizes.exe) wrote to memory of PID 5080 (LegalBlockSizes.exe) (8 entries)
  PID 5080 (LegalBlockSizes.exe) wrote to memory of PID 4404 (MSBuild.exe) (8 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe (PID 4044, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe (PID 208, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2308, level 1)
  command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA
  (the -enc argument is UTF-16LE base64; it decodes to: Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess LegalBlockSizes.exe; i.e. Windows Defender exclusions for the drop directory and the dropped executable)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe (PID 3740, level 1)
  command line: C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe (PID 4088, level 2)
    command line: C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe (PID 5080, level 2)
    command line: C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 4404, level 3)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1468, level 1)
  command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA
  (same encoded command as PID 2308, decoding to the same two Add-MpPreference exclusion calls)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 56KB
MD5: 0abd42634db4f4fb3bbbcaa066413d68
SHA1: 074f62ae3b24d775f09e98e81e857e6f1be05f3b
SHA256: a2ac7be629121924985b42fdf34380efe12be78a3d8665b625a2eae80808cff4
SHA512: 578ef89e668c8e38e66353f485be2b90ebf8ec21bcf0f5de0ec65ee0710b55256876f28219e540beaf2dea41224c51355dc9a39930cfa3b231b3450264ac47d2

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 1KB
MD5: c3941d9fa38f1717d5cecd7a2ca71667
SHA1: 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256: f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512: 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82