Analysis
-
max time kernel
127s -
max time network
141s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
26-04-2024 12:52
Static task
static1
Behavioral task
behavioral1
Sample
e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe
Resource
win10v2004-20240412-en
General
-
Target
e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe
-
Size
442KB
-
MD5
30c1e232e40c6666a65717df4198f381
-
SHA1
579ea8d0d6869a8c75e0dfd977076cc3dbc90994
-
SHA256
e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172
-
SHA512
a70dc3230ca57759e49f92d2335aa39dda1ff5528e3405b922dd48b95f0b8bb0b9b998421ec995f70f4241874f3f62219a831d5bac62baf072dc25dd87094572
-
SSDEEP
12288:NVRBcNop3qLuzIn/bpRKrdjOIAUQAXZw0:NxSWdjr5TZw0
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3128-159-0x000001D543400000-0x000001D546CF8000-memory.dmp family_zgrat_v1 behavioral2/memory/3128-160-0x000001D5614D0000-0x000001D5615E0000-memory.dmp family_zgrat_v1 behavioral2/memory/3128-164-0x000001D548B40000-0x000001D548B64000-memory.dmp family_zgrat_v1 -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1652-195-0x00000000005B0000-0x0000000000676000-memory.dmp family_sectoprat -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
u130.0.exerun.exeu130.3.exepid Process 1892 u130.0.exe 1452 run.exe 1612 u130.3.exe -
Loads dropped DLL 1 IoCs
Processes:
run.exepid Process 1452 run.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
run.execmd.exedescription pid Process procid_target PID 1452 set thread context of 2076 1452 run.exe 87 PID 2076 set thread context of 1652 2076 cmd.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target Process procid_target 4012 1892 WerFault.exe 80 4444 1404 WerFault.exe 78 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
u130.3.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u130.3.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u130.3.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u130.3.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
run.execmd.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepid Process 1452 run.exe 1452 run.exe 2076 cmd.exe 2076 cmd.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
run.execmd.exepid Process 1452 run.exe 2076 cmd.exe 2076 cmd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeMSBuild.exedescription pid Process Token: SeDebugPrivilege 3128 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Token: SeDebugPrivilege 1652 MSBuild.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
u130.3.exepid Process 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe -
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
u130.3.exepid Process 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe 1612 u130.3.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
run.exepid Process 1452 run.exe 1452 run.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exerun.exeu130.3.execmd.exedescription pid Process procid_target PID 1404 wrote to memory of 1892 1404 e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe 80 PID 1404 wrote to memory of 1892 1404 e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe 80 PID 1404 wrote to memory of 1892 1404 e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe 80 PID 1404 wrote to memory of 1452 1404 e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe 86 PID 1404 wrote to memory of 1452 1404 e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe 86 PID 1404 wrote to memory of 1452 1404 e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe 86 PID 1452 wrote to memory of 2076 1452 run.exe 87 PID 1452 wrote to memory of 2076 1452 run.exe 87 PID 1452 wrote to memory of 2076 1452 run.exe 87 PID 1404 wrote to memory of 1612 1404 e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe 89 PID 1404 wrote to memory of 1612 1404 e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe 89 PID 1404 wrote to memory of 1612 1404 e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe 89 PID 1452 wrote to memory of 2076 1452 run.exe 87 PID 1612 wrote to memory of 3128 1612 u130.3.exe 93 PID 1612 wrote to memory of 3128 1612 u130.3.exe 93 PID 2076 wrote to memory of 1652 2076 cmd.exe 96 PID 2076 wrote to memory of 1652 2076 cmd.exe 96 PID 2076 wrote to memory of 1652 2076 cmd.exe 96 PID 2076 wrote to memory of 1652 2076 cmd.exe 96 PID 2076 wrote to memory of 1652 2076 cmd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe"C:\Users\Admin\AppData\Local\Temp\e25db466fd48e8e3e5bd946e54fff96dedb4011d68123fa5cdd5d8b75c99d172.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Users\Admin\AppData\Local\Temp\u130.0.exe"C:\Users\Admin\AppData\Local\Temp\u130.0.exe"2⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 12683⤵
- Program crash
PID:4012
-
-
-
C:\Users\Admin\AppData\Local\Temp\u130.2\run.exe"C:\Users\Admin\AppData\Local\Temp\u130.2\run.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\u130.3.exe"C:\Users\Admin\AppData\Local\Temp\u130.3.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 16042⤵
- Program crash
PID:4444
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1892 -ip 18921⤵PID:1592
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1404 -ip 14041⤵PID:4820
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5fb839eed30d45c74e32680de7a273550
SHA1f45f1428e3de57f89048bf5f61a4831d7da89606
SHA2564dc368d5a9463eb8ad561c7c2ba5fc3e16c097c1f6142625173e8a19b5cbd8a0
SHA512f9a4763813e5ef61cdf4fac2f7e58540391ce55562a124c8ac25f80543e4353942cf2e24912904020c9effc5482fdc4173ff129c77fcb1beaf9cbea63b5619e4
-
Filesize
2KB
MD565a4f602fb979dddce0959f30ef1caa5
SHA11e302685a7e57827eb55b64e75ae8beed71a38b5
SHA256636cf100fcd8fa002827cb452af1842b6f2c32816a22ef5f7baa0b13bd149565
SHA51209a8ba90c2b6b0dd7c70676737706c55158494e72366060547eaff2c3860c5263d87bfc21b78c9cdaace0715221604b6be7308fc9ff11bce09ed540b8112cbe1
-
Filesize
298KB
MD5be531dfdb40e97826d86e1fb73fa73c8
SHA112f16e6983d1c911b7ed1a485cdbe706c48d78ed
SHA256d42d82224b04de2afe5659a7fc3ee03ba255a76f58445d10fc14093b1565b24c
SHA5127ce943e84f69cc19bc0dca2597f74f6ed464e4b2b6935d1e63be854f5947530089045a60cf0578ac8c2df58e9e50c2bd69ce3a707090f9bb09394e01c5ae614b
-
Filesize
3.7MB
MD578d3ca6355c93c72b494bb6a498bf639
SHA12fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA5121b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea
-
Filesize
1.6MB
MD5d1ba9412e78bfc98074c5d724a1a87d6
SHA10572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA5128765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f
-
Filesize
1.3MB
MD51e8237d3028ab52821d69099e0954f97
SHA130a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA2569387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3
-
Filesize
1.5MB
MD510d51becd0bbce0fab147ff9658c565e
SHA14689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA2567b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA51229faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29
-
Filesize
2.4MB
MD59fb4770ced09aae3b437c1c6eb6d7334
SHA1fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256
-
Filesize
85KB
MD5a723bf46048e0bfb15b8d77d7a648c3e
SHA18952d3c34e9341e4425571e10f22b782695bb915
SHA256b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954