Analysis Overview
SHA256
328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa
Threat Level: Known bad
The file 328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa was found to be: Known bad.
Malicious Activity Summary
ZGRat
Detect ZGRat V1
AgentTesla
Adds Run key to start application
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 11:54
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 11:54
Reported
2024-05-09 11:57
Platform
win7-20240220-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\skyT = "C:\\Users\\Admin\\AppData\\Roaming\\skyT\\skyT.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2600 set thread context of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
Network
Files
memory/2360-10-0x00000000001A0000-0x00000000001A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Esher
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\autF3D.tmp
| MD5 | b4518906b831aa6ae5072d7702fadbcf |
| SHA1 | 53f276bb0725903e159a677e2100908df128138f |
| SHA256 | a8d534f7fb880dcba3a56c9384237c5b286df56dc0a0a8da0b3fb8bc2696321b |
| SHA512 | a9ad64eff4bd622ceebebfc8ce886a19597b3d17518bc705113bdeb4fd7d1442696e75558aebe994eb29621b1715bbcb73332bd92e07dbb071707d43af34343d |
C:\Users\Admin\AppData\Local\Temp\Esher
| MD5 | 18ed30c344f8d682fab7d478762b1cf2 |
| SHA1 | 98a5297149ae03a5f3c1bf29dc6ace3afb2fb0ed |
| SHA256 | 66e8574b0659e2e43cf6c1958db0abc5c9650b9999d6c287d31dbf00a2042751 |
| SHA512 | 57090c253807e22ba130f37a0b69ce6950cd72a37477040a645669d66f669e27263b452af7fd6fb85decbbd7e5d6fe9d9e3ab98796ef8b351ca595564b9f778b |
C:\Users\Admin\AppData\Local\Temp\autF5D.tmp
| MD5 | 9af133b9b553010c1b0b19f98de14813 |
| SHA1 | 3644139a3c6d3429f1f2d662461c4b4f4d0e8245 |
| SHA256 | 484827a635f7959666ab32f84f086867584f24b88b820406b247088de45cf88a |
| SHA512 | debd4b9c4b06c1b2a1b03ec5fe986020a2d48d28087409ff13b3b1a8853fd6b879ba8ebca5f396c6dd0872d01a96ee03c9ca5eb725a64f2e06e088f1010dab5e |
C:\Users\Admin\AppData\Local\Temp\nonhazardousness
| MD5 | eafe8751898e0b3c1ea7f59f88dbb724 |
| SHA1 | 3e94472d4b13544dccf63cae2b695b486458f40c |
| SHA256 | f6efb701356255d6b13eb6a66d405337a30d1d1b2d1263c382fab079ccc34df9 |
| SHA512 | 575e8c115202394c75910021ffbd7d7c0519f9ffb3777bcf5107179267c02ba3b3aa59a0116d839a3a5aea73e152bd053fccd5b83a421f2a3dc0332c39a1bd28 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 11:54
Reported
2024-05-09 11:57
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skyT = "C:\\Users\\Admin\\AppData\\Roaming\\skyT\\skyT.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2828 set thread context of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2828 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2828 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files