Analysis Overview
SHA256
43302fd5ef74a7c1e9c4e2c899b3828851502b64917d77be603243c741a42043
Threat Level: Known bad
The file Launcher4.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Detect ZGRat V1
Zgrat family
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-04 16:39
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Zgrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 16:35
Reported
2024-04-04 16:43
Platform
win7-20231129-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2252 created 1336 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Explorer.EXE |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2240 set thread context of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | "C:\Users\Admin\AppData\Local\Temp\Launcher4.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 16:35
Reported
2024-04-04 16:43
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4940 created 2552 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\system32\sihost.exe |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4252 set thread context of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\Launcher4.exe | "C:\Users\Admin\AppData\Local\Temp\Launcher4.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4940 -ip 4940 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 640 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4940 -ip 4940 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 660 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files