Analysis Overview
SHA256
e84cad4f234445a47bf803591ac168031558e9215ba714c2197fe75b5188aa1c
Threat Level: Known bad
The file file was found to be: Known bad.
Malicious Activity Summary
Zgrat family
Detect ZGRat V1
ZGRat
.NET Reactor proctector
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 09:37
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Zgrat family
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 09:37
Reported
2024-05-09 09:39
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1660 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1660 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1660 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1660 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 556
Network
Files
memory/1660-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp
memory/1660-1-0x0000000000080000-0x00000000004FA000-memory.dmp
memory/1660-2-0x0000000074A2E000-0x0000000074A2F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 09:37
Reported
2024-05-09 09:39
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
136s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3432 set thread context of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.235:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.235:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| RU | 5.42.65.67:48396 | tcp | |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3432-0-0x000000007441E000-0x000000007441F000-memory.dmp
memory/3432-1-0x0000000000AD0000-0x0000000000F4A000-memory.dmp
memory/3432-2-0x00000000059A0000-0x0000000005A3C000-memory.dmp
memory/3432-3-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/3432-4-0x0000000005B70000-0x0000000005D02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/3432-10-0x0000000005980000-0x0000000005990000-memory.dmp
memory/3432-11-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/3432-12-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/3432-14-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/3436-15-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3432-16-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/3432-13-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/3432-18-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/3436-19-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/3436-20-0x0000000005DE0000-0x0000000006384000-memory.dmp
memory/3436-21-0x00000000058D0000-0x0000000005962000-memory.dmp
memory/3436-23-0x0000000074410000-0x0000000074BC0000-memory.dmp
memory/3436-22-0x0000000005A80000-0x0000000005A8A000-memory.dmp
memory/3436-24-0x0000000008FD0000-0x00000000095E8000-memory.dmp
memory/3436-25-0x0000000008B30000-0x0000000008C3A000-memory.dmp
memory/3436-26-0x0000000008A70000-0x0000000008A82000-memory.dmp
memory/3436-27-0x0000000008AD0000-0x0000000008B0C000-memory.dmp
memory/3436-28-0x0000000008C40000-0x0000000008C8C000-memory.dmp
memory/3436-29-0x0000000008DC0000-0x0000000008E26000-memory.dmp
memory/3436-30-0x00000000096F0000-0x0000000009766000-memory.dmp
memory/3436-31-0x0000000008FA0000-0x0000000008FBE000-memory.dmp
memory/3436-32-0x000000000A1D0000-0x000000000A392000-memory.dmp
memory/3436-33-0x000000000A8D0000-0x000000000ADFC000-memory.dmp
memory/3436-35-0x0000000074410000-0x0000000074BC0000-memory.dmp