Analysis

max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2024 07:25
Behavioral task: behavioral1
Sample: c66b1f6942762649c44bca726995a227.exe
Resource: win7-20240220-en
5 signatures
150 seconds

Behavioral task: behavioral2
Sample: c66b1f6942762649c44bca726995a227.exe
Resource: win10v2004-20240226-en
10 signatures
150 seconds
General

Target: c66b1f6942762649c44bca726995a227.exe
Size: 4.5MB
MD5: c66b1f6942762649c44bca726995a227
SHA1: d22eba1dd78f3ab676afd3442a4b2a24c9342bf8
SHA256: 859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb
SHA512: 1785bc2becad09b83aa98fe5d1191328f7f8336615144c07974ff4aeb61ec4a72940ba5d10cc9b91185a9f644b093ae74abef22531c0dc191839613369a23144
SSDEEP: 98304:AaHg3Vqv+AigbRik7kZ3srMw2FX+qK60L:AaH0VqhiKj7kZ3U+FuqA
Malware Config
Signatures

Detect ZGRat V1 (1 IoC)
Processes:
  resource                                                                  yara_rule
  behavioral1/memory/1656-0-0x00000000000B0000-0x000000000052C000-memory.dmp  family_zgrat_v1

.NET Reactor protector (1 IoC)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
  resource                                                                  yara_rule
  behavioral1/memory/1656-0-0x00000000000B0000-0x000000000052C000-memory.dmp  net_reactor

Program crash (1 IoC)
Processes:
  pid   pid_target  Process       procid_target
  2652  1656        WerFault.exe  27

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                          pid   Process                               procid_target
  PID 1656 wrote to memory of 2652     1656  c66b1f6942762649c44bca726995a227.exe  28
  PID 1656 wrote to memory of 2652     1656  c66b1f6942762649c44bca726995a227.exe  28
  PID 1656 wrote to memory of 2652     1656  c66b1f6942762649c44bca726995a227.exe  28
  PID 1656 wrote to memory of 2652     1656  c66b1f6942762649c44bca726995a227.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\c66b1f6942762649c44bca726995a227.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c66b1f6942762649c44bca726995a227.exe"
   Signatures: Suspicious use of WriteProcessMemory
   PID: 1656

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 548
      Signatures: Program crash
      PID: 2652