Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
submitted: 25-02-2024 08:14
Behavioral task: behavioral1
Sample: d6c5410b2d9e45c08deaabe2c3e09c65.exe
Resource: win7-20240221-en
General
Target: d6c5410b2d9e45c08deaabe2c3e09c65.exe
Size: 5.7MB
MD5: d6c5410b2d9e45c08deaabe2c3e09c65
SHA1: e7fd29cf3488283bb7b43a31f965b9849c2d55cf
SHA256: f9e3c1a6284370cd7b6f8cb5a54d4d5f639a6fe0eb6c9a293d350e6505a3df75
SHA512: 3f4a0ba92a7509a2d84aac0fc4d2c8d80144ccc090c664276acb85db487585419f268bb3b27652cdb88010d72ef5bdf66bf56fbfbdf6f4b4a2b2569cb2c3f325
SSDEEP: 98304:rdl0LfzHWvOWzAWG6JgBhbwvU4yBSlT+5fge0RMpxkp:rAzHWvNAWG6k4U4yBWq5fWMpI
Malware Config
Extracted: lumma
https://scandalbasketballoe.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
Detect ZGRat V1 (1 IoC)
resource: behavioral2/memory/1428-1-0x0000000000610000-0x0000000000BBA000-memory.dmp
yara_rule: family_zgrat_v1
Loads dropped DLL (1 IoC)
pid 1428, process d6c5410b2d9e45c08deaabe2c3e09c65.exe
Suspicious use of SetThreadContext (1 IoC)
PID 1428 set thread context of 4976 (process d6c5410b2d9e45c08deaabe2c3e09c65.exe, target process MsBuild.exe)
Suspicious use of WriteProcessMemory (12 IoCs)
PID 1428 wrote to memory of 1004 (process d6c5410b2d9e45c08deaabe2c3e09c65.exe, target process MsBuild.exe), 3 identical entries
PID 1428 wrote to memory of 4976 (process d6c5410b2d9e45c08deaabe2c3e09c65.exe, target process MsBuild.exe), 9 identical entries
Processes
C:\Users\Admin\AppData\Local\Temp\d6c5410b2d9e45c08deaabe2c3e09c65.exe (PID 1428)
  command line: "C:\Users\Admin\AppData\Local\Temp\d6c5410b2d9e45c08deaabe2c3e09c65.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe (PID 1004)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe (PID 4976)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
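The Signatures and Processes sections together record a process-hollowing chain: the sample in %TEMP% starts MsBuild.exe twice, writes into both children, but only resets the thread context of the second (PID 4976). The script below is an added example, not part of the Triage report or of any Triage tooling; it rebuilds those events, the process table and the Lumma config URLs from the values printed on this page, flags the parent-to-child pair that shows the WriteProcessMemory + SetThreadContext combination, lists targets that were written to but never given a thread context, turns the config into a hostname blocklist, and checks the size of the memory region the ZGRat YARA rule hit. LOLBIN_IMAGES and USER_WRITABLE_DIRS are my own assumed heuristics, not something the report states.

```python
"""Triage the hollowing chain and indicators from this report's data.

Added example; not code from the original Triage page or from any tool it
names. EVENTS, PROCESSES, PARENT and LUMMA_C2 are constructed from the
values on the page. LOLBIN_IMAGES and USER_WRITABLE_DIRS are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Signed Microsoft binaries commonly used as hollowing hosts (assumption).
LOLBIN_IMAGES = {"msbuild.exe", "regasm.exe", "regsvcs.exe",
                 "installutil.exe", "aspnet_compiler.exe"}
# Parent locations that make a hollowing parent more suspicious (assumption).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class ApiEvent:
    api: str        # "WriteProcessMemory" or "SetThreadContext"
    src_pid: int
    dst_pid: int


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\d6c5410b2d9e45c08deaabe2c3e09c65.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"

# "Processes" section: pid -> image path, and child -> parent.
PROCESSES = {1428: SAMPLE_EXE, 1004: MSBUILD, 4976: MSBUILD}
PARENT = {1004: 1428, 4976: 1428}

# "Signatures" section: 3 writes into 1004, 9 writes plus one
# SetThreadContext into 4976, all issued by 1428 (constructed from the page).
EVENTS = (
    [ApiEvent("WriteProcessMemory", 1428, 1004)] * 3
    + [ApiEvent("WriteProcessMemory", 1428, 4976)] * 9
    + [ApiEvent("SetThreadContext", 1428, 4976)]
)

# "Malware Config" section.
LUMMA_C2 = [
    "https://scandalbasketballoe.shop/api",
    "https://technologyenterdo.shop/api",
    "https://detectordiscusser.shop/api",
    "https://turkeyunlikelyofw.shop/api",
    "https://associationokeo.shop/api",
]


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(events, processes, parent):
    """Return {child_pid: [reasons]} for parent->child pairs that show the
    WriteProcessMemory + SetThreadContext combination of process hollowing
    (payload written into a child, then its primary thread repointed)."""
    apis = defaultdict(set)
    for ev in events:
        apis[(ev.src_pid, ev.dst_pid)].add(ev.api)
    hits = {}
    for (src, dst), seen in apis.items():
        if parent.get(dst) != src:
            continue  # only the classic parent-into-own-child pattern
        if not {"WriteProcessMemory", "SetThreadContext"} <= seen:
            continue
        reasons = ["parent wrote memory into child and then reset its thread context"]
        child = _image_name(processes[dst])
        if child in LOLBIN_IMAGES:
            reasons.append(f"child is a known hollowing host: {child}")
        if any(d in processes[src].lower() for d in USER_WRITABLE_DIRS):
            reasons.append("parent runs from a user-writable directory")
        hits[dst] = reasons
    return hits


def writes_without_context(events):
    """PIDs that were written to but never had a thread context set: an
    attempt that did not complete, or a host that was discarded."""
    written = {e.dst_pid for e in events if e.api == "WriteProcessMemory"}
    ctx = {e.dst_pid for e in events if e.api == "SetThreadContext"}
    return written - ctx


def c2_hosts(urls):
    """Deduplicated hostnames from the extracted config, for a blocklist."""
    return sorted({urlparse(u).hostname for u in urls})


def region_size(rng: str) -> int:
    """Byte length of a 'start-end' range as written in a Triage dump name."""
    start, end = (int(x, 16) for x in rng.split("-"))
    return end - start


if __name__ == "__main__":
    for pid, why in find_hollowing(EVENTS, PROCESSES, PARENT).items():
        print(f"PID {pid}: " + "; ".join(why))
    print("written to but never hollowed:", writes_without_context(EVENTS))
    print("C2 hosts:", c2_hosts(LUMMA_C2))
    size = region_size("0x0000000000610000-0x0000000000BBA000")
    print(f"ZGRat hit region: {size} bytes ({size / 2**20:.2f} MiB)")
```

Only PID 4976 is reported as hollowed; PID 1004 received writes but no thread-context change, which is worth recording separately when reconstructing the timeline. The region the YARA rule matched, 0x610000 to 0xBBA000 in PID 1428, is 0x5AA000 bytes (about 5.66 MiB), consistent with the 5.7MB sample being mapped there.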
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 742KB
MD5: 544cd51a596619b78e9b54b70088307d
SHA1: 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256: dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512: f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719