Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
26-01-2024 09:22
General
-
Target
76fad3569cffe8e8d91bf06b545ec346.exe
-
Size
1.5MB
-
MD5
76fad3569cffe8e8d91bf06b545ec346
-
SHA1
1b5bf0f630c9c354d80caccf3e4a18342450197a
-
SHA256
b5943edb5bc6de1fdcee0d555aafb3fcc2e6cdaaec8a5415caaada2328501e83
-
SHA512
75ab8c69cb6a5b55656341cce8eaf654fd3a37b6b2e2ea48f1cafe4a8baf6efbca51c9bebc310564f60393cb56efa5f3a9176b1a6a1f6a1b0634e371b639424d
-
SSDEEP
24576:Fo8k70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRRD:Fo8kQTA5Qw7CSikJo54clgLH+tkWJ0N7
Malware Config
Signatures
-
Detect ZGRat V1 35 IoCs
-
Detects Echelon Stealer payload 1 IoCs
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\76fad3569cffe8e8d91bf06b545ec346.exe"C:\Users\Admin\AppData\Local\Temp\76fad3569cffe8e8d91bf06b545ec346.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
199B
MD5969676a2b1fcb6fc71cc226d820f3bcb
SHA179b2dcdb6c12dcc862b981c214f033ab2e5039b4
SHA2562a7a63d09cfe29832780456975ca3b92356315c225297ee36a5fcffb63e98815
SHA512a241110352831b54d9a5d893f4befd1c600b0b47025a0fc3e1e3663598793c189155913c850b1965f81415601b9eedbfb4b79c4515120c7836c3961593902fad
-
Filesize
28B
MD5217407484aac2673214337def8886072
SHA10f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA5128466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330
-
Filesize
490KB
MD5c29c0d495ed13e703f433d53bdffdab8
SHA174ed36e6b6027b61abcfe2956670ffd9de7fd71a
SHA25620309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b
SHA512fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426
-
Filesize
1.5MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
472KB
-
Filesize
9.9MB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
256KB
-
Filesize
616KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
6.9MB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
256KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
256KB
-
Filesize
624KB
-
Filesize
472KB
-
Filesize
6.9MB