Analysis Overview
SHA256
7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a
Threat Level: Known bad
The file 7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
AgentTesla
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-10 01:24
Signatures
AutoIT Executable
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 01:24
Reported
2024-05-10 01:27
Platform
win7-20240215-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
ZGRat
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2072 set thread context of 1560 | N/A | C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\acceptancy
| Hash | Value |
| --- | --- |
| MD5 | 39def1f6fd13a577df97f8345de0cbd3 |
| SHA1 | 3a203ad04dbb10d9afb2f2a4015e6d23f7339b92 |
| SHA256 | 7cf9ea69a7c672acee7d4f24854bb6edac94c77adda2e77437f49d331619071f |
| SHA512 | ec6a67e3cf2a99c5a4fcbc55d2900cf5ca0ff523e61bfa97a980a7ae1ff7d1289b6ba6d354a49f99934029dca5c17e8159598f6b51613255967ea3821aab4850 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 01:24
Reported
2024-05-10 01:27
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
101s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
ZGRat
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3112 set thread context of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\7e72fb7f88505149fc397376b4d2a68633c51496d989781e873afd6b8b9c669a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut3CBB.tmp
| Hash | Value |
| --- | --- |
| MD5 | 39def1f6fd13a577df97f8345de0cbd3 |
| SHA1 | 3a203ad04dbb10d9afb2f2a4015e6d23f7339b92 |
| SHA256 | 7cf9ea69a7c672acee7d4f24854bb6edac94c77adda2e77437f49d331619071f |
| SHA512 | ec6a67e3cf2a99c5a4fcbc55d2900cf5ca0ff523e61bfa97a980a7ae1ff7d1289b6ba6d354a49f99934029dca5c17e8159598f6b51613255967ea3821aab4850 |
C:\Users\Admin\AppData\Local\Temp\poufs
| Hash | Value |
| --- | --- |
| MD5 | e1867297336bc3289387b7ba5081d94e |
| SHA1 | 1bd184db7aca06a9e80dcba65021a78dbbda997b |
| SHA256 | 70d33ad98043da59a4bef719203be888cdf4fca8873a11e27ab2579d77053939 |
| SHA512 | d003a771eda9d494c94f603c457549f924a69532089d72f668babdb4204549713d0f587567d721a2dea1b7655b1e783bc075c4051a3c2754296ee4f7649c8c48 |
C:\Users\Admin\AppData\Local\Temp\aut417E.tmp
| Hash | Value |
| --- | --- |
| MD5 | 3a4c9e2fe3f60df151deb69ab2f71670 |
| SHA1 | b2dc4a22965388e536f633bd2a68b235f37836dc |
| SHA256 | 816951e8097cd9f407872fda452734b59957bfe6d1c25216e6d5fec9cd100416 |
| SHA512 | 4db6b8de90e131c4f829937d5d792df43a4a825b01baba7306aad66a32bb5471dc6db7b64d56f13e3929c508ae0fcee3b77d05edf82cf0ee4efee7d46b49cd25 |
C:\Users\Admin\AppData\Local\Temp\acceptancy
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these four values are the well-known digests of empty (zero-byte) input, so this file was written but left empty in this run, unlike the same path in behavioral1.