Analysis
-
max time kernel
142s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 02:07
Static task
static1
Behavioral task
behavioral1
Sample
efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe
Resource
win10v2004-20240508-en
General
-
Target
efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe
-
Size
1.1MB
-
MD5
3958dafe982242ba8f1f7e7e825ec4a2
-
SHA1
39a4d7bae94362f847e27a74d6bdde9e67156151
-
SHA256
efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f
-
SHA512
84dc7972a23def2db184688e22a7d2a32b0aa574b521e63d180485eac38d154ed67c745b15e55de01990b009248316e05a118ed7d67b84024d890bf0e2664458
-
SSDEEP
24576:CA0ReRHP4+ngiPzZPQgBt9o/1bIhTmOLp:CUd+gBWbIhaO9
Malware Config
Extracted
Protocol: smtp- Host:
mail.flowja.com - Port:
587 - Username:
[email protected] - Password:
526242227
Signatures
-
Detect ZGRat V1 33 IoCs
resource yara_rule behavioral2/memory/732-14-0x0000000049D60000-0x0000000049DBA000-memory.dmp family_zgrat_v1 behavioral2/memory/732-18-0x0000000049F80000-0x0000000049FDA000-memory.dmp family_zgrat_v1 behavioral2/memory/732-19-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-36-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-78-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-76-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-74-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-72-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-70-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-68-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-67-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-64-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-62-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-60-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-58-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-56-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-54-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-52-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-48-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-46-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-44-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-42-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-40-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-38-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-34-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-32-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-30-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-28-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-26-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-24-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-22-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-20-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 behavioral2/memory/732-50-0x0000000049F80000-0x0000000049FD3000-memory.dmp family_zgrat_v1 -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral2/memory/732-11-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 behavioral2/memory/732-8-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 -
Executes dropped EXE 1 IoCs
pid Process 732 qhtzuahX.pif -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xhauzthq = "C:\\Users\\Public\\Xhauzthq.url" efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 29 api.ipify.org 30 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 536 set thread context of 732 536 efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe 97 -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8 qhtzuahX.pif Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8\Blob = 03000000010000001400000027ac9369faf25207bb2627cefaccbe4ef9c319b814000000010000001400000040c2bd278ecc348330a233d7fb6cb3f0b42c80ce04000000010000001000000096c25031bc0dc35cfba723731e1b41400f0000000100000020000000f9ff37f02e632cb7387025c07e57908a3d371b7c95d8cdd0390de231ed943a12190000000100000010000000ce63bdc595635c1c37b040b4e554bf565c00000001000000040000000008000018000000010000001000000021d008b47b7a2a81c8435903ded424c92000000001000000d4040000308204d0308203b8a003020102020107300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3131303530333037303030305a170d3331303530333037303030305a3081b4310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e312d302b060355040b1324687474703a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f313330310603550403132a476f2044616464792053656375726520436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100b9e0cb10d4af76bdd49362eb3064b881086cc304d962178e2fff3e65cf8fce62e63c521cda16454b55ab786b63836290ce0f696c99c81a148b4ccc4533ea88dc9ea3af2bfe80619d7957c4cf2ef43f303c5d47fc9a16bcc3379641518e114b54f828bed08cbef030381ef3b026f86647636dde7126478f384753d1461db4e3dc00ea45acbdbc71d9aa6f00dbdbcd303a794f5f4c47f81def5bc2c49d603bb1b24391d8a4334eeab3d6274fad258aa5c6f4d5d0a6ae7405645788b54455d42d2a3a3ef8b8bde9320a029464c4163a50f14aaee77933af0c20077fe8df0439c269026c6352fa77c11bc87487c8b993185054354b694ebc3bd3492e1fdcc1d252fb0203010001a382011a30820116300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e0416041440c2bd278ecc348330a233d7fb6cb3f0b42c80ce301f0603551d230418301680143a9a8507106728b6eff6bd05416e20c194da0fde303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e676f64616464792e636f6d2f30350603551d1f042e302c302aa028a0268624687474703a2f2f63726c2e676f64616464792e636f6d2f6764726f6f742d67322e63726c30460603551d20043f303d303b0604551d20003033303106082b06010505070201162568747470733a2f2f63657274732e676f64616464792e636f6d2f7265706f7369746f72792f300d06092a864886f70d01010b05000382010100087e6c9310c838b896a9904bffa15f4f04ef6c3e9c8806c9508fa673f757311bbebce42fdbf8bad35be0b4e7e679620e0ca2d76a637331b5f5a848a43b082da25d90d7b47c254f115630c4b6449d7b2c9de55ee6ef0c61aabfe42a1bee849eb8837dc143ce44a713700d911ff4c813ad8360d9d872a873241eb5ac220eca17896258441bab892501000fcdc41b62db51b4d30f512a9bf4bc73fc76ce36a4cdd9d82ceaae9bf52ab290d14d75188a3f8a4190237d5b4bfea403589b46b2c3606083f87d5041cec2a190c3bbef022fd21554ee4415d90aaea78a33edb12d763626dc04eb9ff7611f15dc876fee469628ada1267d0a09a72e04a38dbcf8bc043001 qhtzuahX.pif -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 26 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 24 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 732 qhtzuahX.pif 732 qhtzuahX.pif 732 qhtzuahX.pif -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 732 qhtzuahX.pif -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 732 qhtzuahX.pif -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 536 wrote to memory of 2068 536 efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe 96 PID 536 wrote to memory of 2068 536 efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe 96 PID 536 wrote to memory of 2068 536 efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe 96 PID 536 wrote to memory of 732 536 efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe 97 PID 536 wrote to memory of 732 536 efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe 97 PID 536 wrote to memory of 732 536 efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe 97 PID 536 wrote to memory of 732 536 efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe 97 PID 536 wrote to memory of 732 536 efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe"C:\Users\Admin\AppData\Local\Temp\efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\efd16c6f8fc22f43df89359117ff7ee0b82b82bce6d0849c1b1fd40bdf0a841f.exe C:\\Users\\Public\\Libraries\\Xhauzthq.PIF2⤵PID:2068
-
-
C:\Users\Public\Libraries\qhtzuahX.pifC:\Users\Public\Libraries\qhtzuahX.pif2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:81⤵PID:4616
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6