Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
03/05/2024, 12:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eb508c21c59a7fff7924f7243e5949e8.exe
Resource
win7-20240221-en
0 signatures
150 seconds
General
-
Target
eb508c21c59a7fff7924f7243e5949e8.exe
-
Size
545KB
-
MD5
eb508c21c59a7fff7924f7243e5949e8
-
SHA1
8ff01f312f4c37aeb98e6a4afd61aa9dd0fec383
-
SHA256
bc415aafd68de975f42d71ef25868a7de65ddf166a0bb03246243c6d1b0a0af1
-
SHA512
3e5b19768160960710b3d7d198d5a8bc3d040a084ad6a47c1e7f1b03bf780df3886a0c7d8ff58c30f06afc4a136b91eb2841c895c01f0e8020f52b298a9de5e0
-
SSDEEP
12288:/AyIUo5xsD8c/7Oyo8LR9zom3Q3WZaIVir52gPi:9IHLyogR5omUIAv
Malware Config
Signatures
-
Detect ZGRat V1 2 IoCs
resource yara_rule behavioral2/memory/2992-1-0x0000000000400000-0x000000000045C000-memory.dmp family_zgrat_v1 behavioral2/memory/4076-6-0x0000000000DB0000-0x0000000000E39953-memory.dmp family_zgrat_v1 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4076 set thread context of 2992 4076 eb508c21c59a7fff7924f7243e5949e8.exe 85 -
Program crash 1 IoCs
pid pid_target Process procid_target 2340 4076 WerFault.exe 82 -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 2992 RegAsm.exe Token: SeBackupPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeBackupPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeBackupPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeBackupPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeBackupPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeBackupPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeBackupPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe Token: SeSecurityPrivilege 2992 RegAsm.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4076 wrote to memory of 4784 4076 eb508c21c59a7fff7924f7243e5949e8.exe 84 PID 4076 wrote to memory of 4784 4076 eb508c21c59a7fff7924f7243e5949e8.exe 84 PID 4076 wrote to memory of 4784 4076 eb508c21c59a7fff7924f7243e5949e8.exe 84 PID 4076 wrote to memory of 2992 4076 eb508c21c59a7fff7924f7243e5949e8.exe 85 PID 4076 wrote to memory of 2992 4076 eb508c21c59a7fff7924f7243e5949e8.exe 85 PID 4076 wrote to memory of 2992 4076 eb508c21c59a7fff7924f7243e5949e8.exe 85 PID 4076 wrote to memory of 2992 4076 eb508c21c59a7fff7924f7243e5949e8.exe 85 PID 4076 wrote to memory of 2992 4076 eb508c21c59a7fff7924f7243e5949e8.exe 85 PID 4076 wrote to memory of 2992 4076 eb508c21c59a7fff7924f7243e5949e8.exe 85 PID 4076 wrote to memory of 2992 4076 eb508c21c59a7fff7924f7243e5949e8.exe 85 PID 4076 wrote to memory of 2992 4076 eb508c21c59a7fff7924f7243e5949e8.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb508c21c59a7fff7924f7243e5949e8.exe"C:\Users\Admin\AppData\Local\Temp\eb508c21c59a7fff7924f7243e5949e8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:4784
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 3042⤵
- Program crash
PID:2340
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4076 -ip 40761⤵PID:4796