Analysis Overview
| SHA256 | 05e693b2c2b5329ed092a137681aa749ec21fc64c879f34ba87a6e2daf800b97 |
| Threat Level | Known bad |
The file PO-20231228003.rar was found to be: Known bad.
Malicious Activity Summary
AgentTesla
ZGRat
Detect ZGRat V1
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-05-10 07:04 |
Signatures
AutoIT Executable
Unsigned PE
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-05-10 07:04 |
| Reported | 2024-05-10 07:06 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 142s |
| Max time network | 144s |
Command Line
Signatures
AgentTesla
Detect ZGRat V1
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4632 set thread context of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
| C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
| C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3680-10-0x0000000004E30000-0x0000000004E34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ageless
| MD5 | c3a05fabceffe2fc8def9cbdd30cd3d2 |
| SHA1 | 32ef7e0a9d3f2ba30c3573fdd26714a96b12428c |
| SHA256 | 91fb367c7bff600e4db5b8a96136b0fe500b193f4587d971563baa9d8187b7a9 |
| SHA512 | 2dc0d4b09aabe3a9b931d4f6ec99fecf19e5845a9f4d7765ed858fb4f77ec15824bbc600ccdc6bd30816ed6ff3189e2203f059d6989d33bc48501a0f34310573 |
C:\Users\Admin\AppData\Local\Temp\maneuverability
| MD5 | 0890ddda3c33d9596c0ed994671c138e |
| SHA1 | 00d5c6a246cb9ad2620feca83d27731b65116eb8 |
| SHA256 | d9afa70063c694a5c80caee8f4f5f55a66cc1289896d3f0993fd7ed9c97551c9 |
| SHA512 | d8631f8ec094770c1a369140af157837232e90173b764c73339cac3911efc6559ee9667fde656ffad9e0ba40f79ab8536bf6a55a057101e2770eb74f483b4a2f |
C:\Users\Admin\AppData\Local\Temp\aut47A8.tmp
| MD5 | 620d101fc3ca4048f9a01f26aa7c8962 |
| SHA1 | 262d92881ab6e0a0dc0b8028a1d392954fda77e1 |
| SHA256 | e6fce92b74e0b6aa310731cc4b8f3157f87666be782dd3a2f4f68945b6fe06ea |
| SHA512 | 9199d5a32c6ba5eb9c0f941aca13bcdcfa79231ab8e7fe39be14af5dd0a997ad1240f2fe93fe25fcb277805200bd8fa43c1149dbdeba5579a28d9a37d791c9a3 |
C:\Users\Admin\AppData\Local\Temp\aut47B8.tmp
| MD5 | 509a6a9ff60c7922a8fb4dfe70b927d4 |
| SHA1 | 6d37d1d9940e4e8542f294247700bf31acc19afd |
| SHA256 | 378d85f3bc69533db8aea7d813fd63a9192fd4e7de59cb8e81fbcfad2d7d7f14 |
| SHA512 | 5799f1db9780e6cc1ff5f847eb272423fc467a31596b7cb8393a86cbe1b027d8a8e8615d4e931fc7264ce66ffcde76b3553dcfee079e3abf10af6b57e2c4ee57 |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-05-10 07:04 |
| Reported | 2024-05-10 07:06 |
| Platform | win7-20240419-en |
| Max time kernel | 122s |
| Max time network | 123s |
Command Line
Signatures
AgentTesla
Detect ZGRat V1
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2748 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
| C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\PO-20231228003.exe" |
Network
Files
memory/2288-10-0x0000000000690000-0x0000000000694000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ageless
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |