Overview

overview

10

Static

static

3

native.exe

windows7-x64

10

native.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-03-2024 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    native.exe

  • Size

    2.1MB

  • MD5

    1a917a85dcbb1d3df5f4dd02e3a62873

  • SHA1

    567f528fec8e7a4787f8c253446d8f1b620dc9d6

  • SHA256

    217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e

  • SHA512

    341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec

  • SSDEEP

    49152:/WlrvpDXJLRxe123BMGwxB19y0IEjaV/EC5O7pD:/apzJy1kMxt2R/ET

Score
10/10
rhadamanthyszgratratstealer

Malware Config

Signatures

  • Detect ZGRat V1 36 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2528
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3484
    • C:\Users\Admin\AppData\Local\Temp\native.exe
      "C:\Users\Admin\AppData\Local\Temp\native.exe"
      1⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Users\Admin\AppData\Local\Temp\BBLb.exe
        "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          3⤵
          • Executes dropped EXE
          PID:1940
        • C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          C:\Users\Admin\AppData\Local\Temp\BBLb.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2616
      • C:\Users\Admin\AppData\Local\Temp\native.exe
        C:\Users\Admin\AppData\Local\Temp\native.exe
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 448
          3⤵
          • Program crash
          PID:4572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 444
          3⤵
          • Program crash
          PID:3172
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2052 -ip 2052
      1⤵
        PID:1560
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2052 -ip 2052
        1⤵
          PID:3808
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:548
        • C:\Users\Admin\AppData\Local\TypeId\muqnkbmby\AttributeString.exe
          C:\Users\Admin\AppData\Local\TypeId\muqnkbmby\AttributeString.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:468
          • C:\Users\Admin\AppData\Local\TypeId\muqnkbmby\AttributeString.exe
            C:\Users\Admin\AppData\Local\TypeId\muqnkbmby\AttributeString.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              3⤵
                PID:3280
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                3⤵
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2936
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  4⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
            1⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3864

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BBLb.exe.log
            Filesize

            927B

            MD5

            4a911455784f74e368a4c2c7876d76f4

            SHA1

            a1700a0849ffb4f26671eb76da2489946b821c34

            SHA256

            264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

            SHA512

            4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            77d622bb1a5b250869a3238b9bc1402b

            SHA1

            d47f4003c2554b9dfc4c16f22460b331886b191b

            SHA256

            f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

            SHA512

            d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\BBLb.exe
            Filesize

            1.2MB

            MD5

            71eb1bc6e6da380c1cb552d78b391b2a

            SHA1

            df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d

            SHA256

            cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6

            SHA512

            d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pxc5g45h.v2q.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/212-44-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-0-0x00000000009E0000-0x0000000000C08000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/212-10-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-50-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-14-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-16-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-18-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-20-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-22-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-24-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-26-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-28-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-30-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-32-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-34-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-36-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-38-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-54-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-42-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-6-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-46-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-48-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-12-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-8-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-40-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-56-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-58-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-60-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-62-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-64-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-66-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-935-0x0000000005740000-0x0000000005750000-memory.dmp

            Filesize

            64KB

            Download

          • memory/212-936-0x0000000001670000-0x0000000001671000-memory.dmp

            Filesize

            4KB

            Download

          • memory/212-937-0x0000000005960000-0x0000000005B00000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/212-938-0x0000000005B00000-0x0000000005B4C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/212-4-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-3-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-951-0x0000000007CF0000-0x0000000008294000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/212-2-0x0000000005750000-0x0000000005958000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-1-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/212-52-0x0000000005750000-0x0000000005953000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/212-961-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/468-4146-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/468-5079-0x0000000005300000-0x0000000005301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/468-5086-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/548-4138-0x00000226F1BA0000-0x00000226F1BB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/548-4143-0x00007FF872E50000-0x00007FF873911000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/548-4139-0x00000226F1BA0000-0x00000226F1BB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/548-4140-0x00000226F15F0000-0x00000226F1612000-memory.dmp

            Filesize

            136KB

            Download

          • memory/548-4137-0x00007FF872E50000-0x00007FF873911000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1392-8228-0x00000000058B0000-0x00000000058C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1392-10447-0x00000000058B0000-0x00000000058C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1392-10446-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1392-8227-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1552-1912-0x00000000053A0000-0x0000000005460000-memory.dmp

            Filesize

            768KB

            Download

          • memory/1552-950-0x0000000000530000-0x0000000000670000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1552-952-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1552-1919-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1552-956-0x0000000005020000-0x000000000514A000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1552-955-0x0000000004E70000-0x0000000004E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1552-1911-0x0000000004E50000-0x0000000004E51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1552-954-0x0000000004E80000-0x0000000004FA8000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1740-5084-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1740-5085-0x0000000005650000-0x0000000005660000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1740-7290-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2052-1274-0x0000000003A90000-0x0000000003E90000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2052-963-0x0000000000400000-0x0000000000488000-memory.dmp

            Filesize

            544KB

            Download

          • memory/2052-1279-0x0000000003A90000-0x0000000003E90000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2052-1322-0x0000000003A90000-0x0000000003E90000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2616-1921-0x0000000004F20000-0x0000000005008000-memory.dmp

            Filesize

            928KB

            Download

          • memory/2616-1920-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2616-4125-0x0000000005720000-0x0000000005774000-memory.dmp

            Filesize

            336KB

            Download

          • memory/2616-4124-0x0000000005300000-0x0000000005366000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2616-4123-0x00000000050A0000-0x00000000050F6000-memory.dmp

            Filesize

            344KB

            Download

          • memory/2616-1922-0x0000000005020000-0x0000000005030000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2616-4127-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2616-1918-0x0000000000400000-0x000000000049C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/2936-7288-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2936-7289-0x00000000053E0000-0x00000000053F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2936-8223-0x0000000005550000-0x0000000005551000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2936-8229-0x0000000075130000-0x00000000758E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3484-1297-0x0000000001F90000-0x0000000002390000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3484-1317-0x0000000001F90000-0x0000000002390000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3484-1293-0x0000000001F90000-0x0000000002390000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3864-8566-0x000002567B620000-0x000002567B630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3864-8567-0x000002567B620000-0x000002567B630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3864-8565-0x00007FF872E50000-0x00007FF873911000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3864-10155-0x00007FF872E50000-0x00007FF873911000-memory.dmp

            Filesize

            10.8MB

            Download