Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-05-2024 04:16
Behavioral task: behavioral1
Sample: 0e77c7eaf29e7cc81d6a5870545509a3.exe
Resource: win7-20240508-en
General

Target: 0e77c7eaf29e7cc81d6a5870545509a3.exe
Size: 2.0MB
MD5: 0e77c7eaf29e7cc81d6a5870545509a3
SHA1: e56496e200c3246c149b41bd826b9e762fa5e534
SHA256: 64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e
SHA512: bf85986eb8b47fc7211a6b6b48121ae0de6718c73612a4059f3bf8570a47b5848a0619c056a9b55df2760f2c5e5f30ca5a19a5d091750af8ad7bb81c5f015e18
SSDEEP: 49152:R6K39H/NzGjGzMErFiEntNARL3AVtsk53gEdMJ9O:R6KnjrLntNAR2tPfO
Malware Config

Signatures

Detect ZGRat V1 (2 IoCs)
resource | yara_rule
behavioral2/memory/452-1-0x0000000000100000-0x000000000030E000-memory.dmp | family_zgrat_v1
behavioral2/files/0x0007000000023441-32.dat | family_zgrat_v1
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | 0e77c7eaf29e7cc81d6a5870545509a3.exe
Executes dropped EXE (1 IoC)
pid | Process
2792 | RuntimeBroker.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\56085415360792 | 0e77c7eaf29e7cc81d6a5870545509a3.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe | 0e77c7eaf29e7cc81d6a5870545509a3.exe
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\Logs\NetSetup\smss.exe | 0e77c7eaf29e7cc81d6a5870545509a3.exe
File created | C:\Windows\Logs\NetSetup\69ddcba757bf72 | 0e77c7eaf29e7cc81d6a5870545509a3.exe
File created | C:\Windows\diagnostics\scheduled\Maintenance\RuntimeBroker.exe | 0e77c7eaf29e7cc81d6a5870545509a3.exe
File created | C:\Windows\Registration\RuntimeBroker.exe | 0e77c7eaf29e7cc81d6a5870545509a3.exe
File created | C:\Windows\Registration\9e8d7a4ca61bd9 | 0e77c7eaf29e7cc81d6a5870545509a3.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | 0e77c7eaf29e7cc81d6a5870545509a3.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
452 | 0e77c7eaf29e7cc81d6a5870545509a3.exe
(all 64 entries are this same pid/process pair; the repeats are omitted)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2792 | RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 452 | 0e77c7eaf29e7cc81d6a5870545509a3.exe
Token: SeDebugPrivilege | 2792 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 452 wrote to memory of 2980 | 452 | 0e77c7eaf29e7cc81d6a5870545509a3.exe | 87
PID 452 wrote to memory of 2980 | 452 | 0e77c7eaf29e7cc81d6a5870545509a3.exe | 87
PID 2980 wrote to memory of 4184 | 2980 | cmd.exe | 89
PID 2980 wrote to memory of 4184 | 2980 | cmd.exe | 89
PID 2980 wrote to memory of 2312 | 2980 | cmd.exe | 90
PID 2980 wrote to memory of 2312 | 2980 | cmd.exe | 90
PID 2980 wrote to memory of 2792 | 2980 | cmd.exe | 103
PID 2980 wrote to memory of 2792 | 2980 | cmd.exe | 103
Processes

1. C:\Users\Admin\AppData\Local\Temp\0e77c7eaf29e7cc81d6a5870545509a3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0e77c7eaf29e7cc81d6a5870545509a3.exe"
   PID: 452
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KMLwiImDmk.bat"
      PID: 2980
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\chcp.com
         Command line: chcp 65001
         PID: 4184

      3. C:\Windows\system32\w32tm.exe
         Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
         PID: 2312

      3. C:\Recovery\WindowsRE\RuntimeBroker.exe
         Command line: "C:\Recovery\WindowsRE\RuntimeBroker.exe"
         PID: 2792
         - Executes dropped EXE
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 215B
MD5: e712ee35d679c412149df1720a419353
SHA1: ecefef3b21625d17dc50948f6db94e1cf6fa5d5a
SHA256: 89e57be4649ac3702d1076a4b56c10706cdaa00a79cc06c44a05c66002503f84
SHA512: 4d4d39a727e6d9fbc02b122c5dceb510b0887c793e8a8b35dbd4b13f2ee0332120c8448c2ec3d7bc6f41a7904b6cc12914bc8f283a3b9a3d94ef5d13852f1d28

Filesize: 2.0MB
MD5: 0e77c7eaf29e7cc81d6a5870545509a3
SHA1: e56496e200c3246c149b41bd826b9e762fa5e534
SHA256: 64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e
SHA512: bf85986eb8b47fc7211a6b6b48121ae0de6718c73612a4059f3bf8570a47b5848a0619c056a9b55df2760f2c5e5f30ca5a19a5d091750af8ad7bb81c5f015e18