Analysis

  • max time kernel
    315s
  • max time network
    319s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-03-2024 15:12

General

  • Target

    EdUpdMachine.exe

  • Size

    131.6MB

  • MD5

    0aabf386604e94f11fdbd56778bb8234

  • SHA1

    54b3f0ff8d93b42da1c353d64fc71509e9b26255

  • SHA256

    d373492b42a14e6b91b4a64c89086e19d2a166710fa237bbda80b6d0c1a7ad8a

  • SHA512

    d0d227af2d41c02e03ef25bd980b2347188bcb054b1e8f77685fc87ef5ece0f56c60115ea15dec9d5e66f8bf16f314b3cad4d23f8baf8d343e750937fa5e82c6

  • SSDEEP

    196608:AYic7JWa0zYsJuY5nqAgX3qs8QoSUcEGnUlFk/nlewwMQ/i:AE9P0H8YgoSUwCFile3MQ

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

  • PureLog Stealer payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 3 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3512
      • C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
        "C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5032
        • C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
          C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Drops file in Drivers directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1636
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:3252
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:2068
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:3664
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:3476
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:3228
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2892
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4320
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1000
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4820
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3972
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4128

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1636-947-0x0000000140000000-0x0000000140985000-memory.dmp (Filesize 9.5MB)
  • memory/1636-952-0x0000000140000000-0x0000000140985000-memory.dmp (Filesize 9.5MB)
  • memory/3972-953-0x000001C237650000-0x000001C237670000-memory.dmp (Filesize 128KB)
  • memory/3972-958-0x000001C2376C0000-0x000001C2376E0000-memory.dmp (Filesize 128KB)
  • memory/3972-961-0x000001C2376C0000-0x000001C2376E0000-memory.dmp (Filesize 128KB)
  • memory/3972-982-0x000001C2376E0000-0x000001C237700000-memory.dmp (Filesize 128KB)
  • memory/3972-981-0x000001C2376C0000-0x000001C2376E0000-memory.dmp (Filesize 128KB)
  • memory/5032-32-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-40-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-4-0x000001AE55850000-0x000001AE55F90000-memory.dmp (Filesize 7.2MB)
  • memory/5032-5-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-6-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-8-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-10-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-12-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-14-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-16-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-18-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-20-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-22-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-24-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-26-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-28-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-30-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-2-0x00007FF96FD50000-0x00007FF970811000-memory.dmp (Filesize 10.8MB)
  • memory/5032-34-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-36-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-38-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-3-0x000001AE3CA30000-0x000001AE3CA40000-memory.dmp (Filesize 64KB)
  • memory/5032-42-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-44-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-46-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-48-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-50-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-52-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-54-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-56-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-58-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-60-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-62-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-64-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-66-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-68-0x000001AE55850000-0x000001AE55F8B000-memory.dmp (Filesize 7.2MB)
  • memory/5032-844-0x00007FF96FD50000-0x00007FF970811000-memory.dmp (Filesize 10.8MB)
  • memory/5032-1-0x000001AE55110000-0x000001AE55850000-memory.dmp (Filesize 7.2MB)
  • memory/5032-0-0x000001AE3A550000-0x000001AE3AC98000-memory.dmp (Filesize 7.3MB)
  • memory/5032-938-0x000001AE3B050000-0x000001AE3B051000-memory.dmp (Filesize 4KB)
  • memory/5032-939-0x000001AE55F90000-0x000001AE56668000-memory.dmp (Filesize 6.8MB)
  • memory/5032-940-0x000001AE56670000-0x000001AE566BC000-memory.dmp (Filesize 304KB)
  • memory/5032-941-0x000001AE3CA30000-0x000001AE3CA40000-memory.dmp (Filesize 64KB)
  • memory/5032-945-0x00007FF96FD50000-0x00007FF970811000-memory.dmp (Filesize 10.8MB)