Analysis
-
max time kernel
129s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system -
submitted
10-04-2024 10:56
Static task
static1
Behavioral task
behavioral1
Sample
4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
Resource
win7-20240215-en
General
-
Target
4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
-
Size
968KB
-
MD5
577df0d0d1ebfde0c67cf6489d9a1974
-
SHA1
a57a31db630fd55666cfd3ccdacf78cec8fabc43
-
SHA256
4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e
-
SHA512
5144fbd78a903c866e4e8becefb707656c19caf94c7b82c18d6b50ab86899dd149545b34e2fb8f5f71b02baa9ec95f1aaf97aa65ce94ed6e463b4b51f8cc4fd0
-
SSDEEP
12288:M9tmvboNKAM9qPg6f0blJwoodEJLaCyi5yHhFDsw/DEdLpIeBTRPJ3Ap1H+9:M9mENKAiGolJwooKJVyJF3qLpIYyHM
Malware Config
Signatures
-
Detect ZGRat V2 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2156-3-0x0000000000A70000-0x0000000000AAA000-memory.dmp | family_zgrat_v2 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\o: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\q: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\s: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\a: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\g: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\k: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\l: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\m: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\t: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\w: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\y: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\h: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\i: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\p: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\u: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\x: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\z: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\b: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\e: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\r: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\v: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\j: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
File opened (read-only) | \??\n: | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
(23 drive-letter roots probed; C:, D: and F: are the only letters not in the list) -
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/2608-4-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-7-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-8-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-9-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-27-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-33-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-35-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-39-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-43-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-47-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-55-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-59-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-63-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
behavioral1/memory/2608-81-0x0000000000400000-0x00000000004E2000-memory.dmp | autoit_exe
(all 14 hits are the same 0x400000-0x4E2000 image region of PID 2608, the child the parent injected into) -
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2156 set thread context of 2608 | 2156 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
(parent and child run the same image: SetThreadContext after WriteProcessMemory into a suspended copy of itself is the RunPE / process-hollowing pattern) -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2156 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | entries
PID 2156 wrote to memory of 2608 | 2156 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | 11
PID 2608 wrote to memory of 2560 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 2316 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 2192 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 2404 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 2320 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 2880 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 2732 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 2856 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 2920 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 1696 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 1908 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 1912 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 1468 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 4
PID 2608 wrote to memory of 2236 | 2608 | 4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe | cmd.exe | 1
(11 + 13 x 4 + 1 = 64 entries; the listing stops at the 64-IoC cap, so the cmd.exe children 1368, 2208, 532 and 1580 from the process tree do not appear here)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2156 -
    [2] C:\Users\Admin\AppData\Local\Temp\4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
        command line: C:\Users\Admin\AppData\Local\Temp\4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe
        - Enumerates connected drives
        - Suspicious use of WriteProcessMemory
        PID:2608 -
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2560
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2316
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2192
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2404
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2320
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2880
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2732
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2856
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2920
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:1696
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:1908
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:1912
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:1468
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2236
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:1368
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:2208
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:532
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
        [3] C:\Windows\SysWOW64\cmd.exe  PID:1580
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
        (the hollowed child walks the user profile recursively for 17 distinct document and archive extensions, one cmd.exe per extension, with /U for Unicode output and /B for bare paths, i.e. a file list ready for collection)
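The three behaviours the report records for this sample (a same-image SetThreadContext + WriteProcessMemory injection from PID 2156 into 2608, 23 drive-letter root opens, and one cmd.exe DIR /S /B per document extension) are each detectable from process telemetry alone. The Python below is an added example, not code from the sandbox or from its signature engine: the event values are transcribed from this report into a constructed list, while the field names, the event schema, the extension list and the thresholds are assumptions made for the example.

```python
"""Re-derive the report's three behavioural findings from its raw observables: same-image
process hollowing (SetThreadContext + WriteProcessMemory), drive-letter probing, and cmd.exe
document/archive discovery. The event schema and thresholds are assumptions for this example;
the event values are transcribed from the report."""
import re
from collections import Counter, defaultdict

SAMPLE = "4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed event list (values copied from the report; field names are ours, not the sandbox's).
EVENTS = (
    [{"type": "set_thread_context", "pid": 2156, "image": SAMPLE, "target_pid": 2608, "target_image": SAMPLE},
     {"type": "adjust_privilege", "pid": 2156, "image": SAMPLE, "privilege": "SeDebugPrivilege"}]
    + [{"type": "write_process_memory", "pid": 2156, "image": SAMPLE, "target_pid": 2608, "target_image": SAMPLE}] * 11
    + [{"type": "file_open", "pid": 2608, "image": SAMPLE, "path": f"\\??\\{c}:"} for c in "oqsagklmtwyhipuxzbervjn"]
    + [{"type": "process_create", "pid": 2608, "image": SAMPLE, "child_pid": cpid, "child_image": CMD,
        "cmdline": f'C:\\Windows\\system32\\cmd.exe /U /C DIR "\\Users\\Admin\\*.{ext}" /S /B /A'}
       for cpid, ext in [(2560, "doc"), (2316, "pdf"), (2192, "ppt"), (2404, "dot"), (2320, "xl"),
                         (2880, "csv"), (2732, "rtf"), (2856, "dot"), (2920, "mdb"), (1696, "accdb"),
                         (1908, "pot"), (1912, "pps"), (1468, "ppa"), (2236, "rar"), (1368, "zip"),
                         (2208, "tar"), (532, "7z"), (1580, "txt")]]
)

DRIVE_ROOT = re.compile(r"^\\\?\?\\([a-z]):$", re.I)  # NT path of a drive root, e.g. \??\o:
DIR_CMD = re.compile(r'\bDIR\s+"(?P<pattern>[^"]+)"\s+(?P<flags>(?:/[A-Z]+\s*)+)', re.I)
# Extensions the sample searched for plus the obvious Office/archive variants (assumed list).
DOC_EXTS = {"doc", "docx", "dot", "pdf", "ppt", "pps", "pot", "ppa", "xl", "xls", "xlsx", "csv",
            "rtf", "mdb", "accdb", "txt", "rar", "zip", "tar", "7z"}


def detect_hollowing(events):
    """A process that sets a thread context in a child it has also written to is the RunPE /
    process-hollowing shape; rate it high when parent and child run the same image. Also record
    whether the parent took SeDebugPrivilege, as 2156 does here."""
    writes = Counter((e["pid"], e["target_pid"]) for e in events if e["type"] == "write_process_memory")
    debug = {e["pid"] for e in events if e["type"] == "adjust_privilege" and e["privilege"] == "SeDebugPrivilege"}
    findings = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        key = (e["pid"], e["target_pid"])
        same_image = e["image"].lower() == e["target_image"].lower()
        findings.append({"rule": "process_hollowing", "parent": key[0], "child": key[1],
                         "writes": writes[key], "same_image": same_image, "debug_priv": key[0] in debug,
                         "severity": "high" if writes[key] and same_image else "medium"})
    return findings


def detect_drive_probe(events, threshold=5):
    """Opening the root of many drive letters is enumeration, not file access; threshold is assumed."""
    letters = defaultdict(set)
    for e in events:
        if e["type"] == "file_open":
            m = DRIVE_ROOT.match(e["path"])
            if m:
                letters[e["pid"]].add(m.group(1).upper())
    return [{"rule": "drive_enumeration", "pid": pid, "letters": "".join(sorted(s)), "count": len(s)}
            for pid, s in letters.items() if len(s) >= threshold]


def parse_dir_cmd(cmdline):
    """Pull the search pattern, its extension and the switches out of a `cmd /C DIR ...` line."""
    m = DIR_CMD.search(cmdline)
    if not m:
        return None
    pattern = m.group("pattern")
    ext = pattern.rsplit("*.", 1)[1].lower() if "*." in pattern else None
    flags = {f.upper() for f in m.group("flags").split()}
    return {"pattern": pattern, "ext": ext, "recursive": "/S" in flags, "bare": "/B" in flags}


def detect_file_discovery(events, min_exts=3):
    """One parent spawning cmd.exe for recursive DIR listings of several document or archive
    extensions is collection staging; min_exts is an assumed threshold."""
    per_parent = defaultdict(list)
    for e in events:
        if e["type"] == "process_create" and e["child_image"].lower().endswith("cmd.exe"):
            d = parse_dir_cmd(e["cmdline"])
            if d and d["recursive"] and d["ext"] in DOC_EXTS:
                per_parent[e["pid"]].append(d["ext"])
    return [{"rule": "document_discovery", "pid": pid, "extensions": sorted(set(exts)), "spawns": len(exts)}
            for pid, exts in per_parent.items() if len(set(exts)) >= min_exts]


def triage(events):
    return detect_hollowing(events) + detect_drive_probe(events) + detect_file_discovery(events)


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Run against the transcribed events this yields one finding per behaviour: a high-severity hollowing of 2608 by 2156 (11 writes, same image, SeDebugPrivilege held), 23 drive roots probed by 2608, and 18 cmd.exe spawns covering 17 distinct extensions. On a live endpoint the same three functions would consume Sysmon process-creation, file and API telemetry instead of the transcribed list; the DIR regex is written for the exact `/U /C DIR "<pattern>" /S /B /A` shape seen here and would need loosening for unquoted or differently ordered switches.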
Network
MITRE ATT&CK Enterprise v15
Downloads
-
dump | Filesize
memory/2156-6-0x00000000747A0000-0x0000000074E8E000-memory.dmp | 6.9MB
memory/2156-0-0x0000000000D00000-0x0000000000DF6000-memory.dmp | 984KB
memory/2156-2-0x0000000000BF0000-0x0000000000C30000-memory.dmp | 256KB
memory/2156-3-0x0000000000A70000-0x0000000000AAA000-memory.dmp | 232KB
memory/2156-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp | 6.9MB
memory/2608-9-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-39-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-8-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-4-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-27-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-33-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-35-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-7-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-43-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-47-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-55-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-59-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-63-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
memory/2608-81-0x0000000000400000-0x00000000004E2000-memory.dmp | 904KB
(the 2156-3 dump at 0xA70000 is the region the family_zgrat_v2 rule hit; the 2608 dumps are successive snapshots of the 0x400000 image region that the autoit_exe rule hit)