Analysis Overview
SHA256
41a8b4bbde769dd1d866ea6bfb8912d092234cc6f80c37893b3797e2b7f4f612
Threat Level: Known bad
The file er5thygfd.zip was found to be: Known bad.
Malicious Activity Summary
PureLog Stealer
PureLog Stealer payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect ZGRat V1
ZGRat
Stops running service(s)
Drops file in Drivers directory
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-18 15:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-18 15:12
Reported
2024-03-18 15:18
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureLog Stealer
PureLog Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-18 15:12
Reported
2024-03-18 15:18
Platform
win10-20240221-en
Max time kernel
300s
Max time network
303s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureLog Stealer
PureLog Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2104 created 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE |
| PID 2104 created 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE |
| PID 2104 created 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE |
ZGRat
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A |
Stops running service(s)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3452 set thread context of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe |
| PID 2104 set thread context of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\System32\svchost.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:12222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-18 15:12
Reported
2024-03-18 15:18
Platform
win10v2004-20240226-en
Max time kernel
315s
Max time network
319s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureLog Stealer
PureLog Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1636 created 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE |
| PID 1636 created 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE |
| PID 1636 created 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE |
ZGRat
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A |
Stops running service(s)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5032 set thread context of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe |
| PID 1636 set thread context of 3972 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\System32\svchost.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:12222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-18 15:12
Reported
2024-03-18 15:18
Platform
win11-20240221-en
Max time kernel
300s
Max time network
292s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureLog Stealer
PureLog Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5100 created 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE |
| PID 5100 created 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE |
| PID 5100 created 3356 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\Explorer.EXE |
ZGRat
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A |
Stops running service(s)
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1448 set thread context of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe |
| PID 5100 set thread context of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | C:\Windows\System32\svchost.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:12222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
Files