Analysis

  • max time kernel
    300s
  • max time network
    303s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    18-03-2024 15:12

General

  • Target

    EdUpdMachine.exe

  • Size

    131.6MB

  • MD5

    0aabf386604e94f11fdbd56778bb8234

  • SHA1

    54b3f0ff8d93b42da1c353d64fc71509e9b26255

  • SHA256

    d373492b42a14e6b91b4a64c89086e19d2a166710fa237bbda80b6d0c1a7ad8a

  • SHA512

    d0d227af2d41c02e03ef25bd980b2347188bcb054b1e8f77685fc87ef5ece0f56c60115ea15dec9d5e66f8bf16f314b3cad4d23f8baf8d343e750937fa5e82c6

  • SSDEEP

    196608:AYic7JWa0zYsJuY5nqAgX3qs8QoSUcEGnUlFk/nlewwMQ/i:AE9P0H8YgoSUwCFile3MQ

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

  • PureLog Stealer payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 3 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3300
      • C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
        "C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3452
        • C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
          C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Drops file in Drivers directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2104
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:2408
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:2484
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:3720
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:864
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:1864
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4648
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4044
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2908
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1316
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2332

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/2104-945-0x0000000140000000-0x0000000140985000-memory.dmp (Filesize 9.5MB)
    • memory/2104-950-0x0000000140000000-0x0000000140985000-memory.dmp (Filesize 9.5MB)
    • memory/2332-961-0x0000028D2C630000-0x0000028D2C650000-memory.dmp (Filesize 128KB)
    • memory/2332-958-0x0000028D2C630000-0x0000028D2C650000-memory.dmp (Filesize 128KB)
    • memory/2332-953-0x0000028D2C610000-0x0000028D2C630000-memory.dmp (Filesize 128KB)
    • memory/3452-38-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-46-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-8-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-10-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-12-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-14-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-16-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-18-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-20-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-22-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-24-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-26-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-28-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-30-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-32-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-34-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-36-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-0-0x0000027805E80000-0x00000278065C8000-memory.dmp (Filesize 7.3MB)
    • memory/3452-40-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-42-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-44-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-6-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-48-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-50-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-52-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-54-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-56-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-58-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-60-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-62-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-64-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-66-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-68-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-937-0x0000027806960000-0x0000027806961000-memory.dmp (Filesize 4KB)
    • memory/3452-938-0x0000027821A00000-0x00000278220D8000-memory.dmp (Filesize 6.8MB)
    • memory/3452-939-0x0000027806A20000-0x0000027806A6C000-memory.dmp (Filesize 304KB)
    • memory/3452-944-0x00007FFB50710000-0x00007FFB510FC000-memory.dmp (Filesize 9.9MB)
    • memory/3452-5-0x00000278212C0000-0x00000278219FB000-memory.dmp (Filesize 7.2MB)
    • memory/3452-4-0x00000278212C0000-0x0000027821A00000-memory.dmp (Filesize 7.2MB)
    • memory/3452-3-0x0000027820B80000-0x00000278212C0000-memory.dmp (Filesize 7.2MB)
    • memory/3452-2-0x0000027806940000-0x0000027806950000-memory.dmp (Filesize 64KB)
    • memory/3452-1-0x00007FFB50710000-0x00007FFB510FC000-memory.dmp (Filesize 9.9MB)