Analysis Overview
SHA256
859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb
Threat Level: Known bad
The file instrumentMAIN.exe was found to be: Known bad.
Malicious Activity Summary
Zgrat family
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect ZGRat V1
Rhadamanthys
ZGRat
.NET Reactor protector
Loads dropped DLL
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-27 19:56
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Zgrat family
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-27 19:56
Reported
2024-03-27 20:11
Platform
win10-20240221-en
Max time kernel
316s
Max time network
392s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4576 created 2588 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | c:\windows\system32\sihost.exe |
ZGRat
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3708 set thread context of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe
"C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 480
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
Files
memory/3708-1-0x0000000000BD0000-0x000000000104C000-memory.dmp
memory/3708-0-0x00000000735D0000-0x0000000073CBE000-memory.dmp
memory/3708-2-0x0000000005870000-0x000000000590C000-memory.dmp
memory/3708-3-0x00000000735D0000-0x0000000073CBE000-memory.dmp
memory/3708-4-0x0000000005920000-0x0000000005930000-memory.dmp
memory/3708-5-0x0000000005BC0000-0x0000000005DB8000-memory.dmp
memory/3708-6-0x0000000006EF0000-0x0000000007082000-memory.dmp
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/3708-12-0x0000000005920000-0x0000000005930000-memory.dmp
memory/3708-11-0x0000000005920000-0x0000000005930000-memory.dmp
memory/3708-13-0x0000000003330000-0x0000000003340000-memory.dmp
memory/3708-15-0x0000000005920000-0x0000000005930000-memory.dmp
memory/3708-14-0x0000000005920000-0x0000000005930000-memory.dmp
memory/3708-16-0x00000000075D0000-0x00000000076D0000-memory.dmp
memory/3708-18-0x00000000075D0000-0x00000000076D0000-memory.dmp
memory/3708-17-0x00000000075D0000-0x00000000076D0000-memory.dmp
memory/4576-19-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4576-23-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3708-22-0x00000000735D0000-0x0000000073CBE000-memory.dmp
memory/4576-24-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4576-25-0x00000000040B0000-0x00000000044B0000-memory.dmp
memory/4576-26-0x00000000040B0000-0x00000000044B0000-memory.dmp
memory/4576-27-0x00000000040B0000-0x00000000044B0000-memory.dmp
memory/4576-28-0x00007FF944110000-0x00007FF9442EB000-memory.dmp
memory/4576-30-0x00000000040B0000-0x00000000044B0000-memory.dmp
memory/4576-31-0x0000000076680000-0x0000000076842000-memory.dmp
memory/4740-32-0x0000000000F40000-0x0000000000F49000-memory.dmp
memory/4740-34-0x0000000004E40000-0x0000000005240000-memory.dmp
memory/4740-36-0x00007FF944110000-0x00007FF9442EB000-memory.dmp
memory/4740-35-0x0000000004E40000-0x0000000005240000-memory.dmp
memory/4740-39-0x00007FF944110000-0x00007FF9442EB000-memory.dmp
memory/4740-40-0x0000000076680000-0x0000000076842000-memory.dmp
memory/4740-38-0x0000000004E40000-0x0000000005240000-memory.dmp
memory/4740-41-0x0000000004E40000-0x0000000005240000-memory.dmp
memory/4576-42-0x00000000040B0000-0x00000000044B0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-27 19:56
Reported
2024-03-27 20:11
Platform
win10v2004-20240226-en
Max time kernel
576s
Max time network
602s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 60 created 2556 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | C:\Windows\system32\sihost.exe |
ZGRat
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1704 set thread context of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe
"C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 60 -ip 60
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 60 -ip 60
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 428
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.138.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.179.17.96.in-addr.arpa | udp |
Files
memory/1704-0-0x0000000075060000-0x0000000075810000-memory.dmp
memory/1704-1-0x0000000000880000-0x0000000000CFC000-memory.dmp
memory/1704-2-0x0000000005730000-0x00000000057CC000-memory.dmp
memory/1704-3-0x0000000075060000-0x0000000075810000-memory.dmp
memory/1704-4-0x00000000056D0000-0x00000000056E0000-memory.dmp
memory/1704-5-0x00000000059D0000-0x0000000005BC8000-memory.dmp
memory/1704-6-0x0000000006D00000-0x0000000006E92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/1704-11-0x0000000003170000-0x0000000003180000-memory.dmp
memory/1704-14-0x00000000056D0000-0x00000000056E0000-memory.dmp
memory/1704-17-0x00000000056D0000-0x00000000056E0000-memory.dmp
memory/1704-16-0x00000000056D0000-0x00000000056E0000-memory.dmp
memory/1704-15-0x00000000056D0000-0x00000000056E0000-memory.dmp
memory/1704-13-0x00000000056D0000-0x00000000056E0000-memory.dmp
memory/1704-12-0x00000000056D0000-0x00000000056E0000-memory.dmp
memory/1704-18-0x00000000072C0000-0x00000000073C0000-memory.dmp
memory/1704-19-0x00000000072C0000-0x00000000073C0000-memory.dmp
memory/60-24-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1704-21-0x00000000072C0000-0x00000000073C0000-memory.dmp
memory/60-25-0x0000000000400000-0x000000000046D000-memory.dmp
memory/1704-26-0x0000000075060000-0x0000000075810000-memory.dmp
memory/60-20-0x0000000000400000-0x000000000046D000-memory.dmp
memory/60-27-0x0000000003FC0000-0x00000000043C0000-memory.dmp
memory/60-28-0x0000000003FC0000-0x00000000043C0000-memory.dmp
memory/60-29-0x0000000003FC0000-0x00000000043C0000-memory.dmp
memory/60-30-0x00007FFE09A70000-0x00007FFE09C65000-memory.dmp
memory/60-31-0x0000000003FC0000-0x00000000043C0000-memory.dmp
memory/60-33-0x0000000075920000-0x0000000075B35000-memory.dmp
memory/4628-34-0x0000000001250000-0x0000000001259000-memory.dmp
memory/4628-37-0x0000000002E40000-0x0000000003240000-memory.dmp
memory/4628-36-0x0000000002E40000-0x0000000003240000-memory.dmp
memory/4628-38-0x00007FFE09A70000-0x00007FFE09C65000-memory.dmp
memory/4628-39-0x0000000002E40000-0x0000000003240000-memory.dmp
memory/4628-41-0x0000000075920000-0x0000000075B35000-memory.dmp
memory/60-42-0x0000000003FC0000-0x00000000043C0000-memory.dmp
memory/4628-43-0x0000000002E40000-0x0000000003240000-memory.dmp
memory/1620-44-0x0000025905840000-0x0000025905850000-memory.dmp
memory/1620-60-0x0000025905940000-0x0000025905950000-memory.dmp
memory/1620-76-0x000002590DEE0000-0x000002590DEE1000-memory.dmp
memory/1620-77-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-78-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-79-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-80-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-81-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-82-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-83-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-84-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-85-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-86-0x000002590DF00000-0x000002590DF01000-memory.dmp
memory/1620-87-0x000002590DB30000-0x000002590DB31000-memory.dmp
memory/1620-88-0x000002590DB20000-0x000002590DB21000-memory.dmp
memory/1620-90-0x000002590DB30000-0x000002590DB31000-memory.dmp
memory/1620-96-0x000002590DA60000-0x000002590DA61000-memory.dmp
memory/1620-93-0x000002590DB20000-0x000002590DB21000-memory.dmp
memory/1620-108-0x000002590DC60000-0x000002590DC61000-memory.dmp
memory/1620-110-0x000002590DC70000-0x000002590DC71000-memory.dmp
memory/1620-111-0x000002590DC70000-0x000002590DC71000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-27 19:56
Reported
2024-03-27 20:11
Platform
win11-20240214-en
Max time kernel
453s
Max time network
455s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3448 created 2852 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | C:\Windows\system32\sihost.exe |
ZGRat
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2488 set thread context of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe
"C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3448 -ip 3448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3448 -ip 3448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 452
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/2488-0-0x0000000074D70000-0x0000000075521000-memory.dmp
memory/2488-1-0x00000000009A0000-0x0000000000E1C000-memory.dmp
memory/2488-2-0x0000000005920000-0x00000000059BC000-memory.dmp
memory/2488-3-0x0000000074D70000-0x0000000075521000-memory.dmp
memory/2488-4-0x0000000005870000-0x0000000005880000-memory.dmp
memory/2488-5-0x0000000005C30000-0x0000000005E28000-memory.dmp
memory/2488-6-0x0000000006F60000-0x00000000070F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/2488-12-0x00000000031F0000-0x0000000003200000-memory.dmp
memory/2488-11-0x0000000005870000-0x0000000005880000-memory.dmp
memory/2488-13-0x0000000005870000-0x0000000005880000-memory.dmp
memory/2488-14-0x0000000005870000-0x0000000005880000-memory.dmp
memory/2488-17-0x0000000005870000-0x0000000005880000-memory.dmp
memory/2488-16-0x0000000005870000-0x0000000005880000-memory.dmp
memory/2488-15-0x0000000005870000-0x0000000005880000-memory.dmp
memory/2488-18-0x00000000074A0000-0x00000000075A0000-memory.dmp
memory/2488-21-0x00000000074A0000-0x00000000075A0000-memory.dmp
memory/2488-20-0x00000000074A0000-0x00000000075A0000-memory.dmp
memory/3448-19-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3448-24-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2488-25-0x0000000074D70000-0x0000000075521000-memory.dmp
memory/3448-26-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3448-27-0x0000000003C80000-0x0000000004080000-memory.dmp
memory/3448-29-0x0000000003C80000-0x0000000004080000-memory.dmp
memory/3448-28-0x0000000003C80000-0x0000000004080000-memory.dmp
memory/3448-30-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp
memory/3448-32-0x0000000003C80000-0x0000000004080000-memory.dmp
memory/3448-33-0x00000000761F0000-0x0000000076442000-memory.dmp
memory/2312-34-0x0000000000A00000-0x0000000000A09000-memory.dmp
memory/2312-37-0x0000000002730000-0x0000000002B30000-memory.dmp
memory/2312-36-0x0000000002730000-0x0000000002B30000-memory.dmp
memory/2312-38-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp
memory/2312-41-0x00000000761F0000-0x0000000076442000-memory.dmp
memory/2312-42-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp
memory/2312-40-0x0000000002730000-0x0000000002B30000-memory.dmp
memory/2312-43-0x0000000002730000-0x0000000002B30000-memory.dmp
memory/2312-45-0x00007FFB420A0000-0x00007FFB422A9000-memory.dmp
memory/3448-44-0x0000000003C80000-0x0000000004080000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-27 19:56
Reported
2024-03-27 20:11
Platform
win7-20240221-en
Max time kernel
362s
Max time network
366s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2328 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe
"C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 548
Network
Files
memory/2328-1-0x0000000073EE0000-0x00000000745CE000-memory.dmp
memory/2328-0-0x0000000000BC0000-0x000000000103C000-memory.dmp
memory/2328-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp
memory/2328-3-0x0000000073EE0000-0x00000000745CE000-memory.dmp
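Correlating the signature rows across the four detonations. The rows above are per-process hits; what makes this sample interesting is the chain they form: the .NET loader (instrumentMAIN.exe) starts a legitimate MsBuild.exe and calls SetThreadContext on it (process hollowing), the hollowed MsBuild.exe then creates a child via NtCreateUserProcess with a parent other than itself, and the second PID in the "PID X created Y" description matches the sihost.exe entry in the Target column, i.e. the child is made to look like it descends from a system process. The row does not name the child; the Processes lists show dialer.exe launched right after MsBuild.exe, and the memory dumps show a third PID (4740, 4628, 2312) receiving a 4 MB region of the same size as the one in MsBuild.exe, which is consistent with dialer.exe being that child, but that is an inference from the report, not something the signature states. The win7 run (behavioral1) never gets that far: the only WriteProcessMemory hit is the loader writing to WerFault.exe, which is the crash reporter reading the faulting process, not injection. The script below is an added example, not part of the report or of any sandbox's code; its input is the signature rows and WerFault command lines copied from the sections above, and the verdict labels and the `triage` function are this example's own naming.

```python
import re
from collections import defaultdict

# Constructed input: signature rows copied from the report's four behavioral
# analyses. Tuple layout mirrors the report's table columns:
# (analysis, signature, description, process, target).
SIGNATURE_ROWS = [
    ("behavioral2", "Suspicious use of SetThreadContext",
     "PID 3708 set thread context of 4576",
     r"C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"),
    ("behavioral2", "Suspicious use of NtCreateUserProcessOtherParentProcess",
     "PID 4576 created 2588",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
     r"c:\windows\system32\sihost.exe"),
    ("behavioral3", "Suspicious use of SetThreadContext",
     "PID 1704 set thread context of 60",
     r"C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"),
    ("behavioral3", "Suspicious use of NtCreateUserProcessOtherParentProcess",
     "PID 60 created 2556",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
     r"C:\Windows\system32\sihost.exe"),
    ("behavioral4", "Suspicious use of SetThreadContext",
     "PID 2488 set thread context of 3448",
     r"C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"),
    ("behavioral4", "Suspicious use of NtCreateUserProcessOtherParentProcess",
     "PID 3448 created 2852",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe",
     r"C:\Windows\system32\sihost.exe"),
    ("behavioral1", "Suspicious use of WriteProcessMemory",
     "PID 2328 wrote to memory of 2852",
     r"C:\Users\Admin\AppData\Local\Temp\instrumentMAIN.exe",
     r"C:\Windows\SysWOW64\WerFault.exe"),
]

# Constructed input: one WerFault.exe command line per analysis, copied from the
# Processes lists; "-p <pid>" names the process that crashed.
WERFAULT_CMDLINES = [
    ("behavioral2", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 500"),
    ("behavioral3", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 60 -ip 60"),
    ("behavioral4", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 456"),
    ("behavioral1", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 548"),
]

DESC_RE = re.compile(r"PID (\d+) (set thread context of|created|wrote to memory of) (\d+)")
WERFAULT_PID_RE = re.compile(r"\s-p\s+(\d+)")   # does not match "-pss" or "-ip"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Turn report rows into (analysis, src_pid, action, dst_pid, src_exe, dst_exe)."""
    events = []
    for analysis, _sig, desc, proc, target in rows:
        m = DESC_RE.match(desc)
        if m is None:                      # rows with an N/A description carry no PIDs
            continue
        events.append((analysis, int(m.group(1)), m.group(2), int(m.group(3)),
                       basename(proc), basename(target)))
    return events


def triage(rows, werfault_cmdlines):
    """Correlate per-process signature hits into a per-analysis verdict (example naming)."""
    crashed = defaultdict(set)
    for analysis, cmd in werfault_cmdlines:
        m = WERFAULT_PID_RE.search(cmd)
        if m:
            crashed[analysis].add(int(m.group(1)))

    events = parse_rows(rows)
    out = {}
    for analysis in {a for a, *_ in rows}:
        evs = [e for e in events if e[0] == analysis]
        # SetThreadContext on another process is the hollowing step; the hollowed
        # PID is the target of that event.
        hollowed = {dst_pid: dst_exe for _, _, act, dst_pid, _, dst_exe in evs
                    if act == "set thread context of"}
        # NtCreateUserProcess with a parent other than the caller: record the
        # creator and the PID handed over as the fake parent.
        spoofed = [(src_pid, dst_pid, dst_exe) for _, src_pid, act, dst_pid, _, dst_exe in evs
                   if act == "created"]
        # WriteProcessMemory whose only target is WerFault.exe is the crash reporter
        # reading the faulting process, not the sample injecting somewhere.
        wer_only = bool(evs) and all(act == "wrote to memory of" and dst_exe == "werfault.exe"
                                     for _, _, act, _, _, dst_exe in evs)
        verdict = []
        if hollowed:
            verdict.append("process hollowing")
        if any(src in hollowed for src, _, _ in spoofed):
            verdict.append("parent PID spoofing from hollowed process")
        if crashed[analysis] & set(hollowed):
            verdict.append("hollowed payload crashed")
        if wer_only and not hollowed:
            verdict.append("loader crashed before injection")
        out[analysis] = {"hollowed": hollowed, "spoofed_parent": spoofed,
                         "crashed_pids": crashed[analysis], "verdict": verdict}
    return out


if __name__ == "__main__":
    for analysis, result in sorted(triage(SIGNATURE_ROWS, WERFAULT_CMDLINES).items()):
        print(analysis, result["verdict"], result["hollowed"], result["spoofed_parent"])
```

Two points this makes visible that the flat signature list does not. First, the three Windows 10/11 runs produce the same verdict with different PIDs, and in each the WerFault "-p" PID is the hollowed MsBuild.exe, so the "Program crash" rows are the injected payload faulting, not the loader. Second, the single Windows 7 run looks almost clean (no hollowing, no parent spoofing) because the loader crashed before reaching the injection stage; a detection rule keyed on WriteProcessMemory alone would fire on that run for the wrong reason, while a rule that looks for the hollowing-plus-spoofed-parent pair would not fire on it at all. When an engagement has only one detonation available, that platform dependence is worth keeping in mind before calling a sample inert.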