Analysis Overview
SHA256
28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf
Threat Level: Known bad
The file 28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
AgentTesla
ZGRat
Adds Run key to start application
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 10:01
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 10:01
Reported
2024-05-09 10:04
Platform
win7-20240220-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2192 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe
"C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mail.deeptrans.com.tr | udp |
| TR | 93.89.226.88:587 | mail.deeptrans.com.tr | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 10:01
Reported
2024-05-09 10:04
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
107s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4604 set thread context of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4604 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4604 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4604 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4604 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe
"C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\28d2e9a575bc6c4db94ccd8fc97a03fb0cdd81d35b534ff62839714480a287cf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| BE | 2.17.196.154:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| BE | 2.17.196.154:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.deeptrans.com.tr | udp |
| TR | 93.89.226.88:587 | mail.deeptrans.com.tr | tcp |
| US | 8.8.8.8:53 | 88.226.89.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files