Analysis Overview
SHA256
531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696
Threat Level: Known bad
The file 531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ModiLoader, DBatLoader
ZGRat
ModiLoader Second Stage
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-26 01:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-26 01:18
Reported
2024-03-26 01:21
Platform
win7-20240221-en
Max time kernel
140s
Max time network
125s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1908 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1908 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1908 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1908 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe
"C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 816
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
Files
memory/1908-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1908-1-0x00000000032D0000-0x00000000042D0000-memory.dmp
memory/1908-2-0x00000000032D0000-0x00000000042D0000-memory.dmp
memory/1908-4-0x0000000000400000-0x000000000050F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-26 01:18
Reported
2024-03-26 01:21
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
136s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ModiLoader, DBatLoader
ZGRat
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows \System32\8695336.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\sdxmkajA.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows \System32\8695336.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ajakmxds = "C:\\Users\\Public\\Ajakmxds.url" | C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 116 set thread context of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe | C:\Users\Public\Libraries\sdxmkajA.pif |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\sdxmkajA.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\sdxmkajA.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\sdxmkajA.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Libraries\sdxmkajA.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe
"C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows "
C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows \System32"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Windows \System32\8695336.exe"
C:\Windows \System32\8695336.exe
"C:\Windows \System32\8695336.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
C:\Windows\system32\cmd.exe
cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\531f41f23a4d59dc025170f0b2cf0713ac8672a45f20cfeb02ecb34692032696.exe C:\\Users\\Public\\Libraries\\Ajakmxds.PIF
C:\Users\Public\Libraries\sdxmkajA.pif
C:\Users\Public\Libraries\sdxmkajA.pif
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | c0ulvw.db.files.1drv.com | udp |
| US | 13.107.42.12:443 | c0ulvw.db.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.137.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.42.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eu-west-1.sftpcloud.io | udp |
| GB | 159.65.94.38:21 | eu-west-1.sftpcloud.io | tcp |
| GB | 159.65.94.38:50010 | eu-west-1.sftpcloud.io | tcp |
| US | 8.8.8.8:53 | 38.94.65.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/116-0-0x00000000006B0000-0x00000000006B1000-memory.dmp
memory/116-1-0x0000000003F60000-0x0000000004F60000-memory.dmp
memory/116-2-0x0000000003F60000-0x0000000004F60000-memory.dmp
memory/116-4-0x0000000000400000-0x000000000050F000-memory.dmp
C:\Windows \System32\8695336.exe
| MD5 | 231ce1e1d7d98b44371ffff407d68b59 |
| SHA1 | 25510d0f6353dbf0c9f72fc880de7585e34b28ff |
| SHA256 | 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96 |
| SHA512 | 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612 |
C:\Windows \System32\netutils.dll
| MD5 | fa7aa88417d0c48807144a1a48fe3fbc |
| SHA1 | 6f5ec990b12d4a6075050a94e0d68d03781fa46d |
| SHA256 | 2019dcd18ba7d5554a4a9da882740aa883941670af3de9396960081a0f8aa098 |
| SHA512 | 99b2eb6f8e7d00a3803cba229149e5e0cb67a3deb607782c55fbacd25d9c074cce83759de15490eff939d5ad98f26cdbd44395cc79ffe22753e16c3d9e3b5fff |
memory/544-15-0x00000000613C0000-0x00000000613E3000-memory.dmp
memory/5104-21-0x00000234CE660000-0x00000234CE682000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ihuviuri.0ei.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5104-26-0x00007FFD6A600000-0x00007FFD6B0C1000-memory.dmp
memory/5104-27-0x00000234CE6F0000-0x00000234CE700000-memory.dmp
memory/5104-28-0x00000234CE6F0000-0x00000234CE700000-memory.dmp
memory/5104-31-0x00007FFD6A600000-0x00007FFD6B0C1000-memory.dmp
memory/3248-43-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Users\Public\Libraries\sdxmkajA.pif
| MD5 | c116d3604ceafe7057d77ff27552c215 |
| SHA1 | 452b14432fb5758b46f2897aeccd89f7c82a727d |
| SHA256 | 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301 |
| SHA512 | 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6 |
memory/3248-40-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3248-45-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3248-46-0x000000004C1B0000-0x000000004C20A000-memory.dmp
memory/3248-47-0x000000004C2C0000-0x000000004C864000-memory.dmp
memory/3248-48-0x000000004C870000-0x000000004C8C8000-memory.dmp
memory/3248-49-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-50-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-52-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-54-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-56-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-58-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-60-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-62-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-64-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-67-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3248-66-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-69-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-71-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-73-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-75-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-77-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-79-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-81-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-83-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-86-0x000000004C2B0000-0x000000004C2C0000-memory.dmp
memory/3248-87-0x000000004C2B0000-0x000000004C2C0000-memory.dmp
memory/3248-85-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-90-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-89-0x000000004C2B0000-0x000000004C2C0000-memory.dmp
memory/3248-92-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-94-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-96-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-98-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-100-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-102-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-103-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/3248-105-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-107-0x000000004C870000-0x000000004C8C3000-memory.dmp
memory/3248-1106-0x000000004CA00000-0x000000004CA66000-memory.dmp
memory/3248-1107-0x000000004C2B0000-0x000000004C2C0000-memory.dmp
memory/3248-1108-0x000000004D2D0000-0x000000004D320000-memory.dmp
memory/3248-1109-0x000000004D320000-0x000000004D3BC000-memory.dmp
memory/3248-1110-0x000000004DB00000-0x000000004DB92000-memory.dmp
memory/3248-1111-0x000000004DD20000-0x000000004DD2A000-memory.dmp
memory/3248-1114-0x000000004C2B0000-0x000000004C2C0000-memory.dmp
memory/3248-1115-0x000000004C2B0000-0x000000004C2C0000-memory.dmp
memory/3248-1116-0x000000004C2B0000-0x000000004C2C0000-memory.dmp
memory/3248-1117-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/3248-1118-0x000000004C2B0000-0x000000004C2C0000-memory.dmp