Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
26-01-2024 09:22
Behavioral task
behavioral1
Sample
76fad3569cffe8e8d91bf06b545ec346.exe
Resource
win7-20231215-en
General
-
Target
76fad3569cffe8e8d91bf06b545ec346.exe
-
Size
1.5MB
-
MD5
76fad3569cffe8e8d91bf06b545ec346
-
SHA1
1b5bf0f630c9c354d80caccf3e4a18342450197a
-
SHA256
b5943edb5bc6de1fdcee0d555aafb3fcc2e6cdaaec8a5415caaada2328501e83
-
SHA512
75ab8c69cb6a5b55656341cce8eaf654fd3a37b6b2e2ea48f1cafe4a8baf6efbca51c9bebc310564f60393cb56efa5f3a9176b1a6a1f6a1b0634e371b639424d
-
SSDEEP
24576:Fo8k70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRRD:Fo8kQTA5Qw7CSikJo54clgLH+tkWJ0N7
Malware Config
Signatures
-
Detect ZGRat V1 35 IoCs
resource yara_rule behavioral1/memory/2772-16-0x0000000004880000-0x000000000491C000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-20-0x0000000002110000-0x00000000021AA000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-21-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-22-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-24-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-26-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-28-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-30-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-32-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-34-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-36-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-38-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-40-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-42-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-44-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-48-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-46-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-50-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-54-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-52-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-56-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-58-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-60-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-62-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-64-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-68-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-66-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-70-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-72-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-74-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-76-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-78-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-80-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-82-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 behavioral1/memory/2772-84-0x0000000002110000-0x00000000021A4000-memory.dmp family_zgrat_v1 -
Detects Echelon Stealer payload 1 IoCs
resource yara_rule behavioral1/memory/2204-0-0x0000000000B50000-0x0000000000CD4000-memory.dmp family_echelon -
Executes dropped EXE 1 IoCs
pid Process 2772 Decoder.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org 7 freegeoip.app 8 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Decoder.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Decoder.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2592 timeout.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2772 Decoder.exe 2772 Decoder.exe 2772 Decoder.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2204 76fad3569cffe8e8d91bf06b545ec346.exe Token: SeDebugPrivilege 2772 Decoder.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2772 2204 76fad3569cffe8e8d91bf06b545ec346.exe 29 PID 2204 wrote to memory of 2772 2204 76fad3569cffe8e8d91bf06b545ec346.exe 29 PID 2204 wrote to memory of 2772 2204 76fad3569cffe8e8d91bf06b545ec346.exe 29 PID 2204 wrote to memory of 2772 2204 76fad3569cffe8e8d91bf06b545ec346.exe 29 PID 2204 wrote to memory of 2780 2204 76fad3569cffe8e8d91bf06b545ec346.exe 30 PID 2204 wrote to memory of 2780 2204 76fad3569cffe8e8d91bf06b545ec346.exe 30 PID 2204 wrote to memory of 2780 2204 76fad3569cffe8e8d91bf06b545ec346.exe 30 PID 2780 wrote to memory of 2592 2780 cmd.exe 32 PID 2780 wrote to memory of 2592 2780 cmd.exe 32 PID 2780 wrote to memory of 2592 2780 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\76fad3569cffe8e8d91bf06b545ec346.exe"C:\Users\Admin\AppData\Local\Temp\76fad3569cffe8e8d91bf06b545ec346.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:2592
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
199B
MD5969676a2b1fcb6fc71cc226d820f3bcb
SHA179b2dcdb6c12dcc862b981c214f033ab2e5039b4
SHA2562a7a63d09cfe29832780456975ca3b92356315c225297ee36a5fcffb63e98815
SHA512a241110352831b54d9a5d893f4befd1c600b0b47025a0fc3e1e3663598793c189155913c850b1965f81415601b9eedbfb4b79c4515120c7836c3961593902fad
-
Filesize
28B
MD5217407484aac2673214337def8886072
SHA10f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA5128466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330
-
Filesize
490KB
MD5c29c0d495ed13e703f433d53bdffdab8
SHA174ed36e6b6027b61abcfe2956670ffd9de7fd71a
SHA25620309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b
SHA512fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426