Analysis Overview
SHA256
901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879
Threat Level: Known bad
The file 901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Zgrat family
ZGRat
Lumma Stealer
Loads dropped DLL
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-29 05:35
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Zgrat family
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 05:35
Reported
2024-02-29 05:47
Platform
win7-20240221-en
Max time kernel
156s
Max time network
169s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 568 wrote to memory of 2816 (reported 4 times) | N/A | C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe
"C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 564
Network
Files
memory/568-0-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/568-1-0x0000000001200000-0x00000000018B6000-memory.dmp
memory/568-2-0x0000000005090000-0x00000000050D0000-memory.dmp
memory/568-3-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/568-4-0x0000000005090000-0x00000000050D0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 05:35
Reported
2024-02-29 05:42
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
175s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
ZGRat
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3564 set thread context of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe
"C:\Users\Admin\AppData\Local\Temp\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
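The behavioral2 signatures above (PID 3564 writing to and then calling SetThreadContext on PID 4760, MsBuild.exe launched with no arguments, memory dumps of 4760 at 0x400000-0x44A000) are the classic process-hollowing footprint: a .NET loader starts a signed Microsoft host, overwrites its image, redirects the primary thread and resumes it. The behavioral1 WriteProcessMemory rows, by contrast, target WerFault.exe, which is consistent with the Windows Error Reporting crash handoff after the sample crashed on Win7, not with injection. The following added example, which is not part of the sandbox report, shows detection logic that distinguishes the two over constructed pipe-separated API events built from the report's PIDs and image paths; the event format, the helper names and the assumption that behavioral2's unlisted WriteProcessMemory calls hit PID 4760 are mine:

```python
"""Detect a process-hollowing-style injection chain in sandbox API events.

Added example; not part of the sandbox report. The pipe-separated event
format and the helper names are assumptions made for this illustration.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\901610c36cdd51920d427192db07c9eb8f0d2476b5e0c537fbb452492008e879.exe")
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed event log: pid|image|api|target_pid|target_image. PIDs and images
# come from the report; that behavioral2's WriteProcessMemory calls target
# PID 4760 is assumed (the report lists the signature without rows).
SAMPLE_EVENTS = "\n".join([
    f"568|{SAMPLE}|WriteProcessMemory|2816|{WERFAULT}",
    f"568|{SAMPLE}|WriteProcessMemory|2816|{WERFAULT}",
    f"3564|{SAMPLE}|WriteProcessMemory|4760|{MSBUILD}",
    f"3564|{SAMPLE}|WriteProcessMemory|4760|{MSBUILD}",
    f"3564|{SAMPLE}|SetThreadContext|4760|{MSBUILD}",
])

# Signed Microsoft binaries commonly started suspended, with no arguments, as hollowing hosts.
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
# A cross-process write into WerFault.exe with no SetThreadContext is the WER crash handoff.
CRASH_HANDOFF_TARGETS = {"werfault.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def parse_events(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, image, api, tpid, timage = line.split("|")
        events.append({"pid": int(pid), "image": image, "api": api,
                       "tpid": int(tpid), "timage": timage})
    return events


def find_injection_chains(events, min_score=3):
    """Group events per (source, target) process pair and score the pair."""
    pairs = defaultdict(set)
    for e in events:
        pairs[(e["pid"], e["image"], e["tpid"], e["timage"])].add(e["api"])

    alerts = []
    for (pid, image, tpid, timage), apis in pairs.items():
        target_name = timage.rsplit("\\", 1)[-1].lower()
        if target_name in CRASH_HANDOFF_TARGETS and apis == {"WriteProcessMemory"}:
            continue  # expected WER behaviour after a crash, not injection
        score, reasons = 0, []
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            score += 2
            reasons.append("WriteProcessMemory and SetThreadContext on the same target")
        if target_name in HOLLOW_HOSTS:
            score += 1
            reasons.append(f"target {target_name} is a common hollowing host")
        if USER_WRITABLE.search(image):
            score += 1
            reasons.append("source image runs from a user-writable AppData path")
        if score >= min_score:
            alerts.append({"source_pid": pid, "target_pid": tpid,
                           "target_image": timage, "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_injection_chains(parse_events(SAMPLE_EVENTS)):
        print(f"PID {a['source_pid']} -> PID {a['target_pid']} ({a['target_image']}): score {a['score']}")
        for r in a["reasons"]:
            print("  -", r)
```

Run as-is the script reports a single chain, 3564 into 4760 (MsBuild.exe), and says nothing about the WerFault.exe writes from PID 568. Scoring on the pair rather than on single API calls is what keeps the WER handoff out of the alert stream while still catching a loader that hollows a host from any other path.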
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | woodfeetumhblefepoj.shop | udp |
| US | 172.67.152.144:443 | woodfeetumhblefepoj.shop | tcp |
| US | 8.8.8.8:53 | 144.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 172.67.202.191:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 92.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.202.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
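The Network table mixes the indicators that matter (nine freshly registered .shop/.fun/.pw domains queried in sequence, five of which answered and received a TLS connection) with sandbox noise (PTR lookups of every contacted IP, one TCP connection with no domain attributed). The added example below, which is not part of the report, parses the table rows as they appear above, drops the in-addr.arpa lookups, pairs each domain with the IP actually connected to, and separates the four domains that were queried but never connected to; the row parser and helper names are mine, the rows are the report's own, and the 13.107.246.64 row is kept in its original misaligned form so the parser's column fix-up is exercised:

```python
"""Extract network IOCs from the sandbox Network table of this report.

Added example; not part of the report. The row parser and the helper names are
assumptions; the rows themselves are copied from the behavioral2 Network table.
"""
import re

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | woodfeetumhblefepoj.shop | udp |
| US | 172.67.152.144:443 | woodfeetumhblefepoj.shop | tcp |
| US | 8.8.8.8:53 | 144.152.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 172.67.202.191:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 92.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.202.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]*)\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*"
    r"\|\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header row has no ip:port and is skipped
        r = m.groupdict()
        # Fix-up for rows where an empty Domain cell was dropped and Proto slid left.
        if r["domain"] in ("tcp", "udp") and not r["proto"]:
            r["domain"], r["proto"] = "", r["domain"]
        rows.append(r)
    return rows


def extract_iocs(rows):
    domains = []       # unique, in first-seen order (the order the stealer tried them)
    resolved = {}      # domain -> IP actually connected to over TCP
    bare_ips = set()   # TCP connections with no domain attributed
    for r in rows:
        d = r["domain"]
        if d.endswith(".in-addr.arpa"):
            continue   # PTR lookups issued by the sandbox resolver, not indicators
        if r["proto"] == "udp" and r["port"] == "53" and d:
            if d not in domains:
                domains.append(d)
        elif r["proto"] == "tcp":
            if d:
                resolved[d] = r["ip"]
                if d not in domains:
                    domains.append(d)
            else:
                bare_ips.add(r["ip"])
    return {
        "domains": domains,
        "resolved": resolved,
        "unresolved": [d for d in domains if d not in resolved],
        "bare_ips": sorted(bare_ips),
    }


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(NETWORK_TABLE))
    for d in iocs["domains"]:
        print(f"{d:32} {iocs['resolved'].get(d, 'no TCP connection observed')}")
    print("bare IPs:", ", ".join(iocs["bare_ips"]))
```

The four domains with no TCP connection in this run still belong on a blocklist: a stealer that walks a list of fallback C2 hosts will use whichever one answers at the time, and the sandbox only shows which ones answered on 2024-02-29. The bare 13.107.246.64:443 connection carries no domain in the report, so the script reports it separately rather than attributing it to the sample.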
Files
memory/3564-0-0x0000000075180000-0x0000000075930000-memory.dmp
memory/3564-1-0x00000000002F0000-0x00000000009A6000-memory.dmp
memory/3564-2-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/3564-3-0x00000000053A0000-0x000000000543C000-memory.dmp
memory/3564-4-0x0000000075180000-0x0000000075930000-memory.dmp
memory/3564-5-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/3564-6-0x0000000005C50000-0x000000000617C000-memory.dmp
memory/3564-7-0x00000000067A0000-0x0000000006DB8000-memory.dmp
memory/3564-8-0x0000000006180000-0x0000000006472000-memory.dmp
memory/3564-9-0x0000000006470000-0x0000000006602000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/3564-15-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/3564-18-0x00000000057D0000-0x00000000057E0000-memory.dmp
memory/3564-17-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/3564-16-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/3564-19-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/3564-22-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/3564-21-0x00000000054A0000-0x00000000054B0000-memory.dmp
memory/3564-20-0x0000000007FC0000-0x00000000080C0000-memory.dmp
memory/3564-23-0x0000000007FC0000-0x00000000080C0000-memory.dmp
memory/4760-24-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4760-27-0x0000000000400000-0x000000000044A000-memory.dmp
memory/3564-28-0x0000000075180000-0x0000000075930000-memory.dmp
memory/4760-29-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4760-30-0x0000000002C30000-0x0000000002C31000-memory.dmp
memory/4760-31-0x0000000002C30000-0x0000000002C62000-memory.dmp
memory/4760-32-0x0000000002C30000-0x0000000002C62000-memory.dmp
memory/4760-34-0x0000000002C30000-0x0000000002C62000-memory.dmp
memory/4760-33-0x0000000002C30000-0x0000000002C62000-memory.dmp
memory/4760-35-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4760-36-0x0000000002C30000-0x0000000002C31000-memory.dmp
memory/4760-37-0x0000000002C30000-0x0000000002C62000-memory.dmp
memory/4760-39-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
memory/4760-38-0x0000000002C30000-0x0000000002C62000-memory.dmp
memory/4760-40-0x0000000002C30000-0x0000000002C62000-memory.dmp
memory/4760-41-0x0000000002C30000-0x0000000002C62000-memory.dmp