Malware Analysis Report

2024-11-30 20:06

Sample ID 240509-adzz4sfc8x
Target e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf
SHA256 e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf
Tags zgrat rat
Score 10/10

Analysis Overview

Threat Level: Known bad

The file e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf was found to be: Known bad.

Malicious Activity Summary

zgrat rat

Detect ZGRat V1

ZGRat

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-09 00:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 00:06

Reported

2024-05-09 00:11

Platform

win7-20240215-en

Max time kernel

297s

Max time network

290s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Count Description Indicator Process Target
31 N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
1 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A
13 Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A
50 Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
4 PID 2952 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2764 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
4 PID 2584 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe

"C:\Users\Admin\AppData\Local\Temp\e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe"

Network

Count Country Destination Domain Proto
13 NL 89.110.68.218:21572 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 a1350f68fccdf680e99b49fe741c69e1
SHA1 537254d87a0ab447673c0ebdc6875b6cd510f93c
SHA256 fb54da30664d062a1f8f850002addffabc6a86758aaa6d0119770007bd2fe923
SHA512 b5799b96ae49adee077859d9b73b684e37d33f5d09c5fc5040d00d371e0dd62a3e5b8e0cc505d5090df8fc779a6f1c7d59e1689da46e64c1020a2f8503d41299

C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe

MD5 4e6930393bf1cb3337d7b3cdf2049476
SHA1 2588e74150491e169e897e43d7572d7e131f8d24
SHA256 d55be1d28b389d4f5c7540d7278fcf47943fa123817a8b85fc8d6350f1aa454e
SHA512 e8f9840a8af147275534594199846ed5d276780f7738cb2ae75a97117fbbaa52daf870258bb861b2ca372863853e4b7985f9002fa903b76037645c3695f68018

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 00:06

Reported

2024-05-09 00:11

Platform

win10-20240404-en

Max time kernel

295s

Max time network

291s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Count Description Indicator Process Target
31 N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
1 Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A
13 Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A
50 Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe

"C:\Users\Admin\AppData\Local\Temp\e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe"

Network

Count Country Destination Domain Proto
13 NL 89.110.68.218:21572 - tcp
1 US 52.111.229.48:443 - tcp
1 US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
1 US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
1 US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
1 NL 52.142.223.178:80 - tcp
1 US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
1 US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

MD5 a1350f68fccdf680e99b49fe741c69e1
SHA1 537254d87a0ab447673c0ebdc6875b6cd510f93c
SHA256 fb54da30664d062a1f8f850002addffabc6a86758aaa6d0119770007bd2fe923
SHA512 b5799b96ae49adee077859d9b73b684e37d33f5d09c5fc5040d00d371e0dd62a3e5b8e0cc505d5090df8fc779a6f1c7d59e1689da46e64c1020a2f8503d41299

C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe

MD5 4e6930393bf1cb3337d7b3cdf2049476
SHA1 2588e74150491e169e897e43d7572d7e131f8d24
SHA256 d55be1d28b389d4f5c7540d7278fcf47943fa123817a8b85fc8d6350f1aa454e
SHA512 e8f9840a8af147275534594199846ed5d276780f7738cb2ae75a97117fbbaa52daf870258bb861b2ca372863853e4b7985f9002fa903b76037645c3695f68018
