Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
18-03-2024 15:52
Static task
static1
Behavioral task
behavioral1
Sample
EdUpdMachine.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
EdUpdMachine.exe
Resource
win10v2004-20240226-en
General
-
Target
EdUpdMachine.exe
-
Size
131.6MB
-
MD5
0aabf386604e94f11fdbd56778bb8234
-
SHA1
54b3f0ff8d93b42da1c353d64fc71509e9b26255
-
SHA256
d373492b42a14e6b91b4a64c89086e19d2a166710fa237bbda80b6d0c1a7ad8a
-
SHA512
d0d227af2d41c02e03ef25bd980b2347188bcb054b1e8f77685fc87ef5ece0f56c60115ea15dec9d5e66f8bf16f314b3cad4d23f8baf8d343e750937fa5e82c6
-
SSDEEP
196608:AYic7JWa0zYsJuY5nqAgX3qs8QoSUcEGnUlFk/nlewwMQ/i:AE9P0H8YgoSUwCFile3MQ
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
Processes:
resource yara_rule behavioral2/memory/1456-4-0x00000210EF2C0000-0x00000210EFA00000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-5-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-6-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-8-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-10-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-12-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-14-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-16-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-18-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-20-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-22-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-24-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-26-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-28-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-30-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-32-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-34-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-36-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-38-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-40-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-42-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-44-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-48-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-50-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-46-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-52-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-54-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-56-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-58-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-60-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-62-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-64-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-66-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 behavioral2/memory/1456-68-0x00000210EF2C0000-0x00000210EF9FB000-memory.dmp family_zgrat_v1 -
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1456-0-0x00000210D3EC0000-0x00000210D4608000-memory.dmp family_purelog_stealer -
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
Processes:
EdUpdMachine.exedescription pid process target process PID 4456 created 3384 4456 EdUpdMachine.exe Explorer.EXE PID 4456 created 3384 4456 EdUpdMachine.exe Explorer.EXE PID 4456 created 3384 4456 EdUpdMachine.exe Explorer.EXE -
Drops file in Drivers directory 1 IoCs
Processes:
EdUpdMachine.exedescription ioc process File created C:\Windows\System32\drivers\etc\hosts EdUpdMachine.exe -
Stops running service(s) 3 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
EdUpdMachine.exeEdUpdMachine.exedescription pid process target process PID 1456 set thread context of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 4456 set thread context of 448 4456 EdUpdMachine.exe svchost.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exepid process 1368 sc.exe 1992 sc.exe 1756 sc.exe 1604 sc.exe 3368 sc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
EdUpdMachine.exesvchost.exepid process 4456 EdUpdMachine.exe 4456 EdUpdMachine.exe 4456 EdUpdMachine.exe 4456 EdUpdMachine.exe 4456 EdUpdMachine.exe 4456 EdUpdMachine.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe 448 svchost.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
EdUpdMachine.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeDebugPrivilege 1456 EdUpdMachine.exe Token: SeLockMemoryPrivilege 448 svchost.exe Token: SeShutdownPrivilege 4112 powercfg.exe Token: SeCreatePagefilePrivilege 4112 powercfg.exe Token: SeShutdownPrivilege 4756 powercfg.exe Token: SeCreatePagefilePrivilege 4756 powercfg.exe Token: SeLockMemoryPrivilege 448 svchost.exe Token: SeShutdownPrivilege 968 powercfg.exe Token: SeCreatePagefilePrivilege 968 powercfg.exe Token: SeShutdownPrivilege 4452 powercfg.exe Token: SeCreatePagefilePrivilege 4452 powercfg.exe -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
EdUpdMachine.execmd.exeEdUpdMachine.execmd.exedescription pid process target process PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 1456 wrote to memory of 4456 1456 EdUpdMachine.exe EdUpdMachine.exe PID 4412 wrote to memory of 1756 4412 cmd.exe sc.exe PID 4412 wrote to memory of 1756 4412 cmd.exe sc.exe PID 4412 wrote to memory of 1604 4412 cmd.exe sc.exe PID 4412 wrote to memory of 1604 4412 cmd.exe sc.exe PID 4412 wrote to memory of 3368 4412 cmd.exe sc.exe PID 4412 wrote to memory of 3368 4412 cmd.exe sc.exe PID 4412 wrote to memory of 1368 4412 cmd.exe sc.exe PID 4412 wrote to memory of 1368 4412 cmd.exe sc.exe PID 4412 wrote to memory of 1992 4412 cmd.exe sc.exe PID 4412 wrote to memory of 1992 4412 cmd.exe sc.exe PID 4456 wrote to memory of 448 4456 EdUpdMachine.exe svchost.exe PID 5000 wrote to memory of 4112 5000 cmd.exe powercfg.exe PID 5000 wrote to memory of 4112 5000 cmd.exe powercfg.exe PID 5000 wrote to memory of 4756 5000 cmd.exe powercfg.exe PID 5000 wrote to memory of 4756 5000 cmd.exe powercfg.exe PID 5000 wrote to memory of 968 5000 cmd.exe powercfg.exe PID 5000 wrote to memory of 968 5000 cmd.exe powercfg.exe PID 5000 wrote to memory of 4452 5000 cmd.exe powercfg.exe PID 5000 wrote to memory of 4452 5000 cmd.exe powercfg.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3384
-
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exeC:\Users\Admin\AppData\Local\Temp\EdUpdMachine.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1756 -
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1604 -
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3368 -
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:1368 -
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1992 -
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:4112 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:968 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452 -
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448