Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
12-02-2024 03:49
Behavioral task
behavioral1
Sample
78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
Resource
win7-20231215-en
General
-
Target
78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe
-
Size
1.8MB
-
MD5
afa014338532a8f730aa8e6b5ca09874
-
SHA1
0a55224d9cf55e5ab12087a8af15612d75753d33
-
SHA256
78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce
-
SHA512
5c947b9342d83147633c0956d3af8453b7d6390c78836c810d13d60fe30528d2a74720430104503650ab1ba426cae8554ddd10e002f32d83855b220eb4ac881f
-
SSDEEP
24576:XZkERkn0rQKC/L5ZQk/Pv6mD6JtkOW4l2f1yz+dGP4hSjdirHEbxn4uYRtqMSZ8I:XZbRk0wXPvp0kNxdCgkdi4tnYnJI
Malware Config
Signatures
-
Detect ZGRat V1 5 IoCs
resource yara_rule behavioral1/memory/2572-0-0x0000000000240000-0x000000000041E000-memory.dmp family_zgrat_v1 behavioral1/files/0x0006000000016c1d-26.dat family_zgrat_v1 behavioral1/files/0x000e00000001225c-35.dat family_zgrat_v1 behavioral1/files/0x000e00000001225c-34.dat family_zgrat_v1 behavioral1/memory/2924-36-0x00000000009B0000-0x0000000000B8E000-memory.dmp family_zgrat_v1 -
Detects executables packed with unregistered version of .NET Reactor 5 IoCs
resource yara_rule behavioral1/memory/2572-0-0x0000000000240000-0x000000000041E000-memory.dmp INDICATOR_EXE_Packed_DotNetReactor behavioral1/files/0x0006000000016c1d-26.dat INDICATOR_EXE_Packed_DotNetReactor behavioral1/files/0x000e00000001225c-35.dat INDICATOR_EXE_Packed_DotNetReactor behavioral1/files/0x000e00000001225c-34.dat INDICATOR_EXE_Packed_DotNetReactor behavioral1/memory/2924-36-0x00000000009B0000-0x0000000000B8E000-memory.dmp INDICATOR_EXE_Packed_DotNetReactor -
Executes dropped EXE 1 IoCs
pid Process 2924 lsm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 5 IoCs
description ioc Process File created C:\Program Files\Windows NT\TableTextService\lsm.exe 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe File opened for modification C:\Program Files\Windows NT\TableTextService\lsm.exe 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe File created C:\Program Files\Windows NT\TableTextService\101b941d020240 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe File created C:\Program Files\Windows Portable Devices\smss.exe 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe File created C:\Program Files\Windows Portable Devices\69ddcba757bf72 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\twain_32\winlogon.exe 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe File created C:\Windows\twain_32\cc11b995f2a76d 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 2924 lsm.exe 2924 lsm.exe 2924 lsm.exe 2924 lsm.exe 2924 lsm.exe 2924 lsm.exe 2924 lsm.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2924 lsm.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe Token: SeDebugPrivilege 2924 lsm.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2572 wrote to memory of 2780 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 31 PID 2572 wrote to memory of 2780 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 31 PID 2572 wrote to memory of 2780 2572 78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe 31 PID 2780 wrote to memory of 2372 2780 cmd.exe 28 PID 2780 wrote to memory of 2372 2780 cmd.exe 28 PID 2780 wrote to memory of 2372 2780 cmd.exe 28 PID 2780 wrote to memory of 2740 2780 cmd.exe 29 PID 2780 wrote to memory of 2740 2780 cmd.exe 29 PID 2780 wrote to memory of 2740 2780 cmd.exe 29 PID 2780 wrote to memory of 2924 2780 cmd.exe 32 PID 2780 wrote to memory of 2924 2780 cmd.exe 32 PID 2780 wrote to memory of 2924 2780 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe"C:\Users\Admin\AppData\Local\Temp\78a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FmvCXXfTq7.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Program Files\Windows NT\TableTextService\lsm.exe"C:\Program Files\Windows NT\TableTextService\lsm.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
-
C:\Windows\system32\chcp.comchcp 650011⤵PID:2372
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:21⤵PID:2740
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
425KB
MD5849de1041f2b5be2a3e1301685bfa1c0
SHA10df509df8c3b83672c611900b3d84a1811dfd5d5
SHA256847404d00a36276c29757162b923b50929967acb16afca786a77278831cdc45c
SHA5121b0735563fff36bd34bfec0934bc1e962f9d71e316deb2d81f7f8999207036181b971a572aa0935ba6463b6bdb22beb7dc3db612d16576c6ea23cec77ee1f06d
-
Filesize
189KB
MD57cdc1932bfa3f9dac8ef4cb32a0c1d50
SHA13b45ab3c07d4553c631c48babccd64a287f4c685
SHA256540701420d61626f432d8858362c5a1cae96edac72d4b4f46d38cdb752676dad
SHA512f4395ae454cad21f0dedd188f1cc32dc8f56f39ccf3a5ec6ed968639ac91b70172aa923b299efb364c07f0e5779b69ae7105014f3c353b2b9d8916540abb778e
-
Filesize
1.8MB
MD5afa014338532a8f730aa8e6b5ca09874
SHA10a55224d9cf55e5ab12087a8af15612d75753d33
SHA25678a0343b36930749e066ca0bf9a171b338fd00e9dbe3d6e364e06eb4e78cf0ce
SHA5125c947b9342d83147633c0956d3af8453b7d6390c78836c810d13d60fe30528d2a74720430104503650ab1ba426cae8554ddd10e002f32d83855b220eb4ac881f
-
Filesize
228B
MD5481e01dd529d268579c9c80e641c3d15
SHA195458edc8e841960194a203aadb36b26404b79d3
SHA256d3fbfebd402cc22112ded5a933d957e51b8eaf63b5b630d491d7c1b184424452
SHA512c9e99b2c263f873303bd0edacd68c90a9c2d5e38aad3fdda7e02d32db03f6efec63283941e058f3df3c71c50c0de7c844ce936a1392f33671d03d032bedeef43