Overview

overview

10

Static

static

1

Adopt Me D...or.exe

windows7-x64

10

Adopt Me D...or.exe

windows10-2004-x64

10

opengl32.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    131s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Adopt Me DupIicator.exe

  • Size

    66.5MB

  • MD5

    de4239701e2752924f4cd708058e1270

  • SHA1

    cc22264e5e8b44baee16dc557fac85ccd05d420f

  • SHA256

    9db39c31fee60756e0b08ad1576b699350173eb2476d0c0e06e77e7b02931491

  • SHA512

    67d3b8b6182b73a8e4aa393feaa50c577e1d82b0df4609f00317bfc331784a35a0a30234e80b6924af520c4a402adac9abaa2836c70c9d6c8bb1e7d6c9180f5a

  • SSDEEP

    393216:3HlGwix6bVYeCovVXbiAi95SLc59c25vBFkIeG:3HlTixeYstEH59VfuIeG

Score
10/10
zgratdiscoveryexecutionratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Adopt Me DupIicator.exe
    "C:\Users\Admin\AppData\Local\Temp\Adopt Me DupIicator.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3440
    • C:\Users\Admin\AppData\Roaming\support1.exe
      C:\Users\Admin\AppData\Roaming\support1.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3564
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault44aa40b0h88cfh4d7bhaa07hbb7af48c4492
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9d50546f8,0x7ff9d5054708,0x7ff9d5054718
      2⤵
        PID:1608
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,16497987251109135209,15059339359485135977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
        2⤵
          PID:388
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,16497987251109135209,15059339359485135977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:964
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,16497987251109135209,15059339359485135977,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
          2⤵
            PID:432
        • C:\Windows\System32\CompPkgSrv.exe
          C:\Windows\System32\CompPkgSrv.exe -Embedding
          1⤵
            PID:5220
          • C:\Windows\System32\CompPkgSrv.exe
            C:\Windows\System32\CompPkgSrv.exe -Embedding
            1⤵
              PID:5260

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
              Filesize

              152B

              MD5

              1cbd0e9a14155b7f5d4f542d09a83153

              SHA1

              27a442a921921d69743a8e4b76ff0b66016c4b76

              SHA256

              243d05d6af19bfe3e06b1f7507342ead88f9d87b84e239ad1d144e9e454b548c

              SHA512

              17e5217d5bf67571afb0e7ef30ac21c11ea6553f89457548d96ee4461011f641a7872a37257239fa5f25702f027afb85d5bd9faf2f2f183992b8879407e56a0d

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
              Filesize

              5KB

              MD5

              811f1bb860a288e08f62c9119f3c8df6

              SHA1

              e549018fdc4b9a5139c0cf8dfd3a209cb06444a0

              SHA256

              9d832a526e360248ab58d0e8f989c50eea1acc5531b7627f96f3215d2fe362c5

              SHA512

              59041340c3786f5196153589685e501430808be1a2455c8f7081969f09676c0dfcda88b670fbb3277c7ba3d144a8d6af868d7c9bd7d776a92bcebbafadb2f54f

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
              Filesize

              8KB

              MD5

              18982a15794201481ef282dcfeae0b58

              SHA1

              4d9de7d26bc18b265a251382a5d2dd11bf168f98

              SHA256

              468751e772e06c4f781be99947f18e89b28a453d7b8691afc92f0690f69f8fe7

              SHA512

              99d82ef5159b3e4001784254883d6c3e4b3914b72a342082198af62feaa6441dbe9a0687a8544c8f196ce8be0ab5b73f69f8ef64e81b485ecab9eae9528cac91

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fmazpdb.ynq.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Roaming\support1.exe
              Filesize

              337KB

              MD5

              fd17203a07622e1f2c47b7ee8f69a408

              SHA1

              cb62caca556d164a83a6cc5173bdb5c66a4573b4

              SHA256

              784ceb21fb9ec436d79f9c5b3a6f1626ffe75f159e6ece025f8c8cc2045dec54

              SHA512

              8a9c95de740827c726daf4c1e696e1dce4c2134405f6201aa76af3162f7c28c7ecad4173dc499e877c1f9bd868fe7fc445553088c298c57964fd30d439ea203f

              Download Submit

            • memory/3440-1-0x0000011F197A0000-0x0000011F197C2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3440-11-0x00007FF9D6350000-0x00007FF9D6E11000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3440-12-0x00007FF9D6350000-0x00007FF9D6E11000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3440-15-0x00007FF9D6350000-0x00007FF9D6E11000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3440-0-0x00007FF9D6353000-0x00007FF9D6355000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3564-23-0x000000001DFE0000-0x000000001E0EA000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/3564-27-0x000000001DF20000-0x000000001DF3E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/3564-28-0x000000001F150000-0x000000001F312000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/3564-29-0x000000001F850000-0x000000001FD78000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/3564-26-0x000000001E570000-0x000000001E5E6000-memory.dmp

              Filesize

              472KB

              Download

            • memory/3564-25-0x000000001DF40000-0x000000001DF7C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/3564-24-0x000000001DEE0000-0x000000001DEF2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3564-22-0x0000000000240000-0x000000000029A000-memory.dmp

              Filesize

              360KB

              Download