Analysis Overview
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
Threat Level: Known bad
The file 4363463463464363463463463.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
RedLine
RedLine payload
ZGRat
Downloads MZ/PE file
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-30 00:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 00:45
Reported
2024-01-30 00:46
Platform
win7-20231129-en
Max time kernel
3s
Max time network
28s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ZGRat
Downloads MZ/PE file
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe" |
| C:\Users\Admin\AppData\Local\Temp\Files\fsdfsfsfs.exe | "C:\Users\Admin\AppData\Local\Temp\Files\fsdfsfsfs.exe" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UseWatch.vbe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\explorer.exe | "C:\Windows\explorer.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| US | 8.8.8.8:53 | d1.udashi.com | udp |
| CN | 221.204.166.213:80 | d1.udashi.com | tcp |
| DE | 20.79.30.95:33223 | N/A | tcp |
| CN | 42.177.83.78:80 | d1.udashi.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 20b54bae356d4d6f0f0ff7dc6e25fcb1 |
| SHA1 | 89c8c3452d04abcc39e306978d7274192457534e |
| SHA256 | d4375899a8cd6141cdb34e455a54dc73e15ad4061c2dddd554d2858316c117b6 |
| SHA512 | 7e21b2c7c2e527133d218aad6de4610e1ab898b4f5437ad94915e6434b678668f6adf5cea20c7bda7efbbfb747b79708c3aad9402ab999181e2b45af87926571 |
C:\Users\Admin\AppData\Local\Temp\Tar17CA.tmp
| Hash | Value |
| --- | --- |
| MD5 | cae17bc9c5d74e0e1142b20a7889efdb |
| SHA1 | cfea5f7d29a7dad0a1a25daf18a0cd4cb79cac86 |
| SHA256 | 4d74c7d252b593f92d04a5538ff5688a4ec720ab664ac723512fbcfa3f5ab691 |
| SHA512 | 42ba66aa767f8a15ce38f9e72990fe41e4fb2d7266e4334be0bcb7db7ac7eb38e7f3b424bb4fc5583197257e9fefc11ab19285f0881a054f338463fefb483dfd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| Hash | Value |
| --- | --- |
| MD5 | 1ee6981cbfefb6e3511b472284854110 |
| SHA1 | eb5b9e33234fab1200c07de31ad23474d8c5264d |
| SHA256 | cfd6f266b1a310199ba8be7c98463f673e3768bf39baa3b15de2f1f5c6c1fc7c |
| SHA512 | eca9ae1a0ce461b38aecebc582cefc6cdbbe5929ce76b271d92a9ee12900396f4333ede424962dbc26b20d04e011418672333268d64b1968080c0ed224c41b5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| Hash | Value |
| --- | --- |
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\Local\Temp\Files\fsdfsfsfs.exe
| Hash | Value |
| --- | --- |
| MD5 | 3dad63e176eff6b6f6534764b59ecae2 |
| SHA1 | 95f72d820c7e8fa9dcbe3fd40a572e2321a04498 |
| SHA256 | e4ef9e1798341c84addd2f947b02ce0b9a49b2f94dcdf702910cc91f313d5673 |
| SHA512 | ca2cd57ee5628ba758ccb86c4105ba1b9b4eef5820e7661afa5926c2b03713d56378bdf99139a028cba00399d58d36ee32efcb6487636e80fb61d1c08857a4fc |
C:\Users\Admin\AppData\Local\Temp\Files\fsdfsfsfs.exe
| Hash | Value |
| --- | --- |
| MD5 | bf9d8b3e5b9349d1c8bf8f859ad35347 |
| SHA1 | 32fd350929f629b6b28850510623844204c30b10 |
| SHA256 | 3597bdf2d157c110d8bba36aea0be27e6497eb3cfa659f473eb8a2248e0522ba |
| SHA512 | 614caceec90d75981e03ba36568578a92e3f09301e8ecde0c5cb418daa6f87099b2a222d5f31a1e7650a5b7a538e3d3e90318855186a13a8308d8d423d415be1 |
\Users\Admin\AppData\Local\Temp\Files\fsdfsfsfs.exe
| Hash | Value |
| --- | --- |
| MD5 | 1540bad91ce29e5abb587435b41d5d41 |
| SHA1 | e0c8ffa7529cf25f150a276b710133f6ba8fb0b9 |
| SHA256 | 88c32a938a4a336c204874bd147659b9d8a53ea40013bdc0cc462d3b835efdf3 |
| SHA512 | 1f7b11173536066253a8ab44d6429def9511ab6c28a1de6b8b7e4cb083086f4b350e73e4f1ebd504ee36b6847797da5ab262d1f7ffde4a93f4096d9827a5327a |