Analysis
max time kernel: 93s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 28-03-2024 06:33
Behavioral task behavioral1
Sample: 859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb.exe
Resource: win10v2004-20240226-en
Behavioral task behavioral2
Sample: 859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb.exe
Resource: win11-20240221-en
General
Target: 859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb.exe
Size: 4.5MB
MD5: c66b1f6942762649c44bca726995a227
SHA1: d22eba1dd78f3ab676afd3442a4b2a24c9342bf8
SHA256: 859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb
SHA512: 1785bc2becad09b83aa98fe5d1191328f7f8336615144c07974ff4aeb61ec4a72940ba5d10cc9b91185a9f644b093ae74abef22531c0dc191839613369a23144
SSDEEP: 98304:AaHg3Vqv+AigbRik7kZ3srMw2FX+qK60L:AaH0VqhiKj7kZ3U+FuqA
Malware Config
Signatures
Detect ZGRat V1 (1 IoC)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/5052-1-0x00000000002C0000-0x000000000073C000-memory.dmp    family_zgrat_v1
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description               pid     Process        procid_target
  PID 4756 created 2676     4756    MsBuild.exe    45
.NET Reactor protector (1 IoC)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/5052-1-0x00000000002C0000-0x000000000073C000-memory.dmp    net_reactor
Loads dropped DLL (1 IoC)
Processes:
  pid     Process
  5052    859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                               pid     Process                                                                   procid_target
  PID 5052 set thread context of 4756       5052    859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb.exe     97
Program crash (2 IoCs)
Processes:
  pid     pid_target    Process         procid_target
  4848    4756          WerFault.exe    97
  1784    4756          WerFault.exe    97
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid     Process
  4756    MsBuild.exe
  4756    MsBuild.exe
  4692    dialer.exe
  4692    dialer.exe
  4692    dialer.exe
  4692    dialer.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                            pid     Process                                                                   procid_target
  PID 5052 wrote to memory of 4756       5052    859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb.exe     97    (this row is repeated 11 times in the report)
  PID 4756 wrote to memory of 4692       4756    MsBuild.exe                                                               98    (this row is repeated 5 times in the report)
Processes
- C:\Windows\system32\sihost.exe (command line: sihost.exe)
  PID: 2676
  - C:\Windows\SysWOW64\dialer.exe (command line: "C:\Windows\system32\dialer.exe")
    Suspicious behavior: EnumeratesProcesses
    PID: 4692
- C:\Users\Admin\AppData\Local\Temp\859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb.exe (command line: "C:\Users\Admin\AppData\Local\Temp\859f296afcad7531a5e2ee4b5b8346da0d5ac0ba33700804216aa7365920f7cb.exe")
  Loads dropped DLL
  Suspicious use of SetThreadContext
  Suspicious use of WriteProcessMemory
  PID: 5052
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe (command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe)
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID: 4756
    - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 432)
      Program crash
      PID: 4848
    - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 428)
      Program crash
      PID: 1784
- C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4756 -ip 4756)
  PID: 2456
- C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4756 -ip 4756)
  PID: 2764
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 742KB
MD5: 544cd51a596619b78e9b54b70088307d
SHA1: 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256: dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512: f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719