Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
07/03/2024, 17:38
General
-
Target
file.exe
-
Size
1.5MB
-
MD5
0c52d0355c15ed92930c645c340a1edb
-
SHA1
8bfdafa0aa3403c52bf115667833734c4c409581
-
SHA256
c122084a42b99f006a27e9c48d7098e192704183d3a5dfd57f924c03ae506552
-
SHA512
7889df8248c8b003b1d9d900bd15b5b215a3fca1f2d783c7f4ffedd6c09143970b7ab217dc3080de6b66c463331776283fc0c3711974eef77e02fea82aafe862
-
SSDEEP
24576:W4+ufew4vRRm5JjP++3jDSpLHnT3s++Gg0w38LzAqSSiKLWWW9GCdh:W46wV6pLnE3+8Giy5Wt3
Malware Config
Signatures
-
Detect ZGRat V1 30 IoCs
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
ModiLoader Second Stage 5 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RdvbwtmdO.bat" "2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows "3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y3⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"3⤵
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y3⤵
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\\Windows \\System32\\easinvoker.exe"2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd /c extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\file.exe C:\\Users\\Public\\Libraries\\Rdvbwtmd.PIF2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\extrac32.exeextrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\file.exe C:\\Users\\Public\\Libraries\\Rdvbwtmd.PIF3⤵
-
-
-
C:\Users\Public\Libraries\dmtwbvdR.pifC:\Users\Public\Libraries\dmtwbvdR.pif2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5785e8193007bcd7858b9df41c9d45f89
SHA129b206de05ab075138ca9e0b9fccdddf3c30cdfe
SHA256c8e1912a3328802e98563e32eb053ae3e28249b701054af227e9f1ba6bfe24d9
SHA512a4d6fd586800f27939d8c152e89d2a231dc9fd8466e715dfeba22e2aa0428509095e12e6e66f2cb5e40ff5c998b439dc3f6792e20c179f41ac9cae31ada9d45f
-
Filesize
7KB
MD50d0d24b46d4bb0e4962595d455020d48
SHA148b247c1cb2577b28aabd7dfa999e0642b5dc6de
SHA256f46e0cc2c119a32dd87edf97bfc73d985ee97d2c9dc00274b6b20d641e29deea
SHA512d5a8779e1cfd2a284173ce8a205cacb41fc7c744fa84e55682ac50b327c676ff50f668ecd176e0ab84420d143a8023d8b4590362b223704c55f5b0d7e116ba2c
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
116KB
MD5ef43f3e84500f2528ff56b144c07c8a2
SHA1f56579f77ad20ebea21025a215e6ffaf7637b3b4
SHA2564e7d74a4890af9128e04c758d8e5fa9488ff22da64979725b26fcb0e8806e6f5
SHA512a6c509bb881f2098460e24d8d9db5e8ed9900b3afa9e3a84752b550c41f3f367e875578abc4cf72a4fe313c03793426837e28886b5029e8d153613d38a3f7138
-
Filesize
115KB
MD57b204fe717f1d0e74986ce551d86e0b3
SHA1f895f27eabb834ab8947a6f6f4dd3a1e38a32c54
SHA2564b186952d56dddacaf1738c1b268a62acb12cbf472fbf1a6083a49be0f9ef03d
SHA5129e9c88b0501708d501242aa4944de6e0d8481196babfb8444ad426b58326ad5bb46e43c372069b96784560db55e3fc04a264fbd701e7ec0535ac2816a65e83ec
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
344KB
-
Filesize
64KB
-
Filesize
16.0MB
-
Filesize
376KB
-
Filesize
368KB
-
Filesize
5.6MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
16.0MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
16.0MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16.0MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB