Analysis Overview
SHA256
50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c
Threat Level: Known bad
The file 50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
AgentTesla
Adds Run key to start application
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 08:44
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 08:44
Reported
2024-05-10 08:47
Platform
win7-20240220-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2744 set thread context of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe
"C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe"
C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe
"C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | mail.deeptrans.com.tr | udp |
| TR | 93.89.226.88:587 | mail.deeptrans.com.tr | tcp |
Files
memory/1724-10-0x00000000000F0000-0x00000000000F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\epistemology
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2504-23-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2504-25-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2504-26-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2504-27-0x0000000074BAE000-0x0000000074BAF000-memory.dmp
memory/2504-28-0x0000000001EC0000-0x0000000001F16000-memory.dmp
memory/2504-29-0x0000000002040000-0x0000000002094000-memory.dmp
memory/2504-30-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/2504-31-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/2504-84-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-93-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-90-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-88-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-86-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-82-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-80-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-78-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-77-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-74-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-73-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-70-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-68-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-64-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-61-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/2504-59-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-55-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-54-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-66-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-62-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-57-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-51-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-49-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-47-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-45-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-43-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-41-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-39-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-37-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-35-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-33-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-32-0x0000000002040000-0x000000000208F000-memory.dmp
memory/2504-1129-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/2504-1131-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2504-1132-0x0000000074BAE000-0x0000000074BAF000-memory.dmp
memory/2504-1133-0x0000000074BA0000-0x000000007528E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 08:44
Reported
2024-05-10 08:47
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
123s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT = "C:\\Users\\Admin\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4396 set thread context of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe
"C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe"
C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe
"C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\50c24050cc83700989bbb281afd290df47f864702e0a957f1db1800a2c34b25c.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.deeptrans.com.tr | udp |
| TR | 93.89.226.88:587 | mail.deeptrans.com.tr | tcp |
| US | 8.8.8.8:53 | 88.226.89.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2844-10-0x00000000038E0000-0x00000000038E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\epistemology
| MD5 | 4ee08b781bc9b2dd733ff73ef97add54 |
| SHA1 | bd98d8deb03a0ab56425fad85c7b1d8a86bd540e |
| SHA256 | 50d0eacea28853d2bc3651915988c078740208683101493e21c5bc3a20f930be |
| SHA512 | af3cc3893a6f777bffbb4f96b8eee7f1f805e28f4496d46220e91b7b75b5d17281a925dcd5fc23d8942494a1c7ba13921f02a5a8dd4da4e5f1094cb2cc09f0b1 |
C:\Users\Admin\AppData\Local\Temp\nonagglutinant
| MD5 | e57eea256683665468bb7fb55f13684d |
| SHA1 | 083f109a55fe7dd473ac50a1bec85bb608e978b9 |
| SHA256 | 47e48ca5d550c9a4907096eda37d5e648cc0fbdd1b375b9c7c996ab26b41d4b4 |
| SHA512 | cc20948a5643d8ca466589360d24ea7dff50989ed95880954dd50983e73f362caca1d67eda7908ad62e34520154373ff597a70ce245e4a6259f7ee61eb8e52f8 |
memory/1856-23-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1856-25-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1856-24-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1856-26-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1856-27-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/1856-28-0x0000000005000000-0x0000000005056000-memory.dmp
memory/1856-29-0x0000000074B20000-0x00000000752D0000-memory.dmp
memory/1856-30-0x0000000005710000-0x0000000005CB4000-memory.dmp
memory/1856-32-0x00000000050B0000-0x0000000005104000-memory.dmp
memory/1856-33-0x0000000074B20000-0x00000000752D0000-memory.dmp
memory/1856-31-0x0000000074B20000-0x00000000752D0000-memory.dmp
memory/1856-49-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-75-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-93-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-91-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-89-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-87-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-85-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-81-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-79-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-78-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-73-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-71-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-69-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-68-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-65-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-63-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-61-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-60-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-57-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-55-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-83-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-47-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-45-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-43-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-41-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-39-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-37-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-35-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-34-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-53-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-51-0x00000000050B0000-0x00000000050FF000-memory.dmp
memory/1856-1130-0x00000000052D0000-0x0000000005336000-memory.dmp
memory/1856-1131-0x0000000074B20000-0x00000000752D0000-memory.dmp
memory/1856-1133-0x00000000061C0000-0x0000000006210000-memory.dmp
memory/1856-1134-0x00000000062C0000-0x000000000635C000-memory.dmp
memory/1856-1135-0x0000000006680000-0x0000000006712000-memory.dmp
memory/1856-1136-0x0000000006650000-0x000000000665A000-memory.dmp
memory/1856-1137-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1856-1138-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/1856-1139-0x0000000074B20000-0x00000000752D0000-memory.dmp