Analysis

  • max time kernel
    300s
  • max time network
    292s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    18-03-2024 15:12

General

  • Target

    EdUpdMachine.exe

  • Size

    131.6MB

  • MD5

    0aabf386604e94f11fdbd56778bb8234

  • SHA1

    54b3f0ff8d93b42da1c353d64fc71509e9b26255

  • SHA256

    d373492b42a14e6b91b4a64c89086e19d2a166710fa237bbda80b6d0c1a7ad8a

  • SHA512

    d0d227af2d41c02e03ef25bd980b2347188bcb054b1e8f77685fc87ef5ece0f56c60115ea15dec9d5e66f8bf16f314b3cad4d23f8baf8d343e750937fa5e82c6

  • SSDEEP

    196608:AYic7JWa0zYsJuY5nqAgX3qs8QoSUcEGnUlFk/nlewwMQ/i:AE9P0H8YgoSUwCFile3MQ

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

  • PureLog Stealer payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 3 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 5 IoCs

    sc.exe is a Windows utility to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3356
      • C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
        "C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
          C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Drops file in Drivers directory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5100
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:2616
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:3196
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:3396
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:4608
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:3060
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:480
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:628
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2112
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3628
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2212
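The tree above shows three behaviours worth turning into detection logic: `cmd.exe /c sc stop …` against five Windows Update components, `powercfg /x <timeout> 0` against all four standby/hibernate timeouts, and the sample being flagged for creating processes with a parent other than itself (the `NtCreateUserProcessOtherParentProcess` signature; note that the two `cmd.exe` instances and `svchost.exe` appear under `Explorer.EXE`, not under the sample). The following is an added example, not code from the sandbox report or from the sample. It replays constructed process-creation records that reuse the report's PIDs and command lines; the `creator_pid` field is an assumption (Sysmon Event ID 1 does not record which process issued the create call, some EDR and sandbox telemetry does), and setting the creator of the two `cmd.exe` children to PID 5100 is likewise an illustrative assumption the report does not state. The chain splitter also handles `&&` and `net stop`, which go beyond what the report shows.

```python
"""Detection logic for the service-stop / powercfg / parent-mismatch chain.

Added example, not part of the sandbox report. Runs offline over constructed
process-creation records (Sysmon Event ID 1 style fields, simplified).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Services stopped in the report; all are Windows Update / delivery components.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# powercfg /x switches whose value 0 disables standby / hibernate.
POWER_TIMEOUTS = {"-hibernate-timeout-ac", "-hibernate-timeout-dc",
                  "-standby-timeout-ac", "-standby-timeout-dc"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # parent as recorded in the event
    creator_pid: int   # process that called the create API (assumed field;
                       # Sysmon does not record it, some EDR telemetry does)
    cmdline: str


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping a quoted path as one token."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    """C:\\Windows\\System32\\sc.exe -> sc; sc -> sc."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def subcommands(cmdline: str) -> list[list[str]]:
    """Expand 'cmd.exe /c a & b && c' into [a, b, c]; a plain command line
    yields one entry. Only whitespace-separated & / && chaining is handled."""
    toks = tokenize(cmdline)
    if len(toks) > 1 and basename(toks[0]) == "cmd" and toks[1].lower() in ("/c", "/k"):
        toks = toks[2:]
    cmds: list[list[str]] = []
    cur: list[str] = []
    for tok in toks:
        if tok in ("&", "&&"):
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


def classify_command(toks: list[str]) -> list[str]:
    """Findings for a single (unchained) command."""
    if not toks:
        return []
    exe, args = basename(toks[0]), [t.lower() for t in toks[1:]]
    findings = []
    if exe in ("sc", "net") and len(args) >= 2 and args[0] == "stop" \
            and args[1] in UPDATE_SERVICES:
        findings.append(f"stops_update_service:{args[1]}")
    if exe == "powercfg" and len(args) >= 3 \
            and args[0] in ("/x", "-x", "/change", "-change") \
            and args[1] in POWER_TIMEOUTS and args[2] == "0":
        findings.append(f"zeroes_power_timeout:{args[1]}")
    return findings


def classify_event(ev: ProcEvent) -> list[str]:
    findings = []
    if ev.ppid != ev.creator_pid:   # recorded parent is not the real creator
        findings.append(f"parent_mismatch:reported={ev.ppid},creator={ev.creator_pid}")
    for cmd in subcommands(ev.cmdline):
        findings.extend(classify_command(cmd))
    return findings


def scan(events) -> dict[int, list[str]]:
    """pid -> findings, for events that produced at least one finding."""
    return {ev.pid: f for ev in events if (f := classify_event(ev))}


def stopped_update_services(report: dict[int, list[str]]) -> set[str]:
    """Distinct update services stopped anywhere in a scan result."""
    return {f.split(":", 1)[1] for fs in report.values() for f in fs
            if f.startswith("stops_update_service:")}


# Constructed records mirroring the report's tree. creator_pid=5100 for the
# two cmd.exe children is an assumption used to exercise the mismatch check.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"
EVENTS = [
    ProcEvent(3356, 1, 1, r"C:\Windows\Explorer.EXE"),
    ProcEvent(1448, 3356, 3356, f'"{SAMPLE}"'),
    ProcEvent(5100, 1448, 1448, SAMPLE),
    ProcEvent(3632, 3356, 5100, r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc"
              r" & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"),
    ProcEvent(2616, 3632, 3632, "sc stop UsoSvc"),
    ProcEvent(2360, 3356, 5100, r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0"
              r" & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0"
              r" & powercfg /x -standby-timeout-dc 0"),
    ProcEvent(480, 2360, 2360, "powercfg /x -hibernate-timeout-ac 0"),
    ProcEvent(9999, 3356, 3356, "powercfg /x -standby-timeout-ac 30"),  # benign admin change
]

if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        print(pid, *findings, sep="\n  ")
```

The per-command findings are deliberately kept separate from the rollup: a single `sc stop bits` is low signal on its own, whereas `stopped_update_services()` returning all five services from one host within a few seconds, or a `parent_mismatch` on the `cmd.exe` that issued them, is what should page someone.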

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/1448-0-0x00000163D70C0000-0x00000163D7808000-memory.dmp (7.3MB)
    • memory/1448-1-0x00007FFD5A960000-0x00007FFD5B422000-memory.dmp (10.8MB)
    • memory/1448-2-0x00000163D9600000-0x00000163D9610000-memory.dmp (64KB)
    • memory/1448-3-0x00000163F1CF0000-0x00000163F2430000-memory.dmp (7.2MB)
    • memory/1448-4-0x00000163F2430000-0x00000163F2B70000-memory.dmp (7.2MB)
    • memory/1448-5-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-6-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-8-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-10-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-12-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-14-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-16-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-18-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-20-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-22-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-24-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-26-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-28-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-30-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-32-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-34-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-36-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-38-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-40-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-42-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-44-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-46-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-48-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-50-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-52-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-54-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-56-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-58-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-60-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-62-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-64-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-66-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-68-0x00000163F2430000-0x00000163F2B6B000-memory.dmp (7.2MB)
    • memory/1448-937-0x00000163D7C20000-0x00000163D7C21000-memory.dmp (4KB)
    • memory/1448-938-0x00000163F2B70000-0x00000163F3248000-memory.dmp (6.8MB)
    • memory/1448-939-0x00000163D95B0000-0x00000163D95FC000-memory.dmp (304KB)
    • memory/1448-944-0x00007FFD5A960000-0x00007FFD5B422000-memory.dmp (10.8MB)
    • memory/2212-951-0x000002100E4C0000-0x000002100E4E0000-memory.dmp (128KB)
    • memory/2212-955-0x0000021000040000-0x0000021000060000-memory.dmp (128KB)
    • memory/2212-958-0x0000021000040000-0x0000021000060000-memory.dmp (128KB)
    • memory/2212-975-0x0000021000040000-0x0000021000060000-memory.dmp (128KB)
    • memory/2212-976-0x0000021000060000-0x0000021000080000-memory.dmp (128KB)
    • memory/2212-979-0x0000021000040000-0x0000021000060000-memory.dmp (128KB)
    • memory/2212-980-0x0000021000060000-0x0000021000080000-memory.dmp (128KB)
    • memory/5100-945-0x0000000140000000-0x0000000140985000-memory.dmp (9.5MB)
    • memory/5100-950-0x0000000140000000-0x0000000140985000-memory.dmp (9.5MB)