Analysis
max time kernel: 151s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 17:39
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20231215-en
General
Target: tmp.exe
Size: 1.7MB
MD5: 721fb763958ddcf207551558ff06b1a0
SHA1: 64bd92b0a8cd71d8a795f481be30763f2139ea76
SHA256: 8afcc55b59e124b3840bbee5afb30e70354590eee693480a43fe7d586e909a9e
SHA512: b61c972b232cf6d8e9929396d9970c7718dbcc295a3cd200eb1e1dae005acaffd79c4975f7d0655fafa92db8706fcc2b81a92d274c4220d588110bf18d2c3b93
SSDEEP: 24576:SYD1kEJen92P7pK43qcF0SymoaZSftjohWPoJNXzk0Ck5sdfw9X1Xq82isbtGabx:SYDCEJ82PE4a1F40qxzk9k5hXXqjv2w
Malware Config
Signatures
Detect ZGRat V1 37 IoCs
Downloads MZ/PE file
Executes dropped EXE 4 IoCs
Processes (pid, process):
- 3308 pnzjiwrqw.exe
- 4688 pnzjiwrqw.exe
- 2536 Count.exe
- 3456 Count.exe
Suspicious use of SetThreadContext 6 IoCs
Processes (description, pid, process, target process):
- PID 3160 set thread context of 1248 (3160 tmp.exe, target tmp.exe)
- PID 1248 set thread context of 2032 (1248 tmp.exe, target MSBuild.exe)
- PID 2032 set thread context of 4476 (2032 MSBuild.exe, target MSBuild.exe)
- PID 3308 set thread context of 4688 (3308 pnzjiwrqw.exe, target pnzjiwrqw.exe)
- PID 2536 set thread context of 3456 (2536 Count.exe, target Count.exe)
- PID 3456 set thread context of 1492 (3456 Count.exe, target RegAsm.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid, process):
- 1248 tmp.exe
- 1248 tmp.exe
- 3308 pnzjiwrqw.exe
- 2536 Count.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 3160 tmp.exe
- Token: SeDebugPrivilege 1248 tmp.exe
- Token: SeDebugPrivilege 2032 MSBuild.exe
- Token: SeDebugPrivilege 4476 MSBuild.exe
- Token: SeDebugPrivilege 3308 pnzjiwrqw.exe
- Token: SeDebugPrivilege 4688 pnzjiwrqw.exe
- Token: SeDebugPrivilege 2536 Count.exe
- Token: SeDebugPrivilege 3456 Count.exe
Suspicious use of WriteProcessMemory 38 IoCs
Processes (description, pid, process, target process; identical rows collapsed with a count):
- PID 3160 wrote to memory of 1248 (3160 tmp.exe, target tmp.exe) x6
- PID 1248 wrote to memory of 2032 (1248 tmp.exe, target MSBuild.exe) x7
- PID 2032 wrote to memory of 4476 (2032 MSBuild.exe, target MSBuild.exe) x6
- PID 3308 wrote to memory of 4688 (3308 pnzjiwrqw.exe, target pnzjiwrqw.exe) x6
- PID 2536 wrote to memory of 3456 (2536 Count.exe, target Count.exe) x6
- PID 3456 wrote to memory of 1492 (3456 Count.exe, target RegAsm.exe) x7
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3160
  [2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1248
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2032
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          - Suspicious use of AdjustPrivilegeToken
          PID: 4476

[1] C:\Users\Admin\AppData\Local\Temp\pnzjiwrqw.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\pnzjiwrqw.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3308
  [2] C:\Users\Admin\AppData\Local\Temp\pnzjiwrqw.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\pnzjiwrqw.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 4688

[1] C:\Users\Admin\AppData\Roaming\NextChannelSink\Count.exe
    Command line: C:\Users\Admin\AppData\Roaming\NextChannelSink\Count.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2536
  [2] C:\Users\Admin\AppData\Roaming\NextChannelSink\Count.exe
      Command line: C:\Users\Admin\AppData\Roaming\NextChannelSink\Count.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3456
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        PID: 1492
Network
MITRE ATT&CK Enterprise v15
Downloads

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 1KB
MD5: 9f5d0107d96d176b1ffcd5c7e7a42dc9
SHA1: de83788e2f18629555c42a3e6fada12f70457141
SHA256: d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097
SHA512: 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Filesize: 1.6MB
MD5: e65d05a468de0d0528e6f5c034348770
SHA1: 7e4bfa61180ba030e490b856287633cc3ac680e7
SHA256: 527625e2554e62c4c47546c6a3a00582e3472595545c1da067650c13bc53ce48
SHA512: 3933e69656415f65021a6dafcb73a78f54ce37a4b53b14f9f5ad28eab681393dbffad069d4cf411eb496f28daee7a862295343efe2e85758d68126f6961df7e8