Analysis
-
max time kernel
142s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 12:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8246f422d28415bbb58d8fa3e2891817.exe
Resource
win7-20240508-en
windows7-x64
2 signatures
150 seconds
General
-
Target
8246f422d28415bbb58d8fa3e2891817.exe
-
Size
582KB
-
MD5
8246f422d28415bbb58d8fa3e2891817
-
SHA1
0a7d9fa2340210aa6090be64a26385b78d13c6ef
-
SHA256
9f38ec0ae60879931f99054695285b54f0d2454990249d4672acfb568905bf91
-
SHA512
4f44bcb125b14b86f6b772d23a99338be0394d04a32839a0bc7bd0344cab785bde2529bcd01a62032f74614125718666935fa4be1d276e60ce9969200ff317f0
-
SSDEEP
12288:es7vnRmS7+nqB3visIP1z20lBoLhaByXOh7OWMsIaHqZm+Ps6:XvQSUq0sIPB20UVasX07isFHqZm+Ps6
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral2/memory/4040-2-0x0000000000400000-0x000000000046C000-memory.dmp family_zgrat_v1 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3448 set thread context of 4040 3448 8246f422d28415bbb58d8fa3e2891817.exe 90 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4040 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4040 RegAsm.exe Token: SeBackupPrivilege 4040 RegAsm.exe Token: SeSecurityPrivilege 4040 RegAsm.exe Token: SeSecurityPrivilege 4040 RegAsm.exe Token: SeSecurityPrivilege 4040 RegAsm.exe Token: SeSecurityPrivilege 4040 RegAsm.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3448 wrote to memory of 1224 3448 8246f422d28415bbb58d8fa3e2891817.exe 86 PID 3448 wrote to memory of 1224 3448 8246f422d28415bbb58d8fa3e2891817.exe 86 PID 3448 wrote to memory of 1224 3448 8246f422d28415bbb58d8fa3e2891817.exe 86 PID 3448 wrote to memory of 3004 3448 8246f422d28415bbb58d8fa3e2891817.exe 87 PID 3448 wrote to memory of 3004 3448 8246f422d28415bbb58d8fa3e2891817.exe 87 PID 3448 wrote to memory of 3004 3448 8246f422d28415bbb58d8fa3e2891817.exe 87 PID 3448 wrote to memory of 684 3448 8246f422d28415bbb58d8fa3e2891817.exe 88 PID 3448 wrote to memory of 684 3448 8246f422d28415bbb58d8fa3e2891817.exe 88 PID 3448 wrote to memory of 684 3448 8246f422d28415bbb58d8fa3e2891817.exe 88 PID 3448 wrote to memory of 4400 3448 8246f422d28415bbb58d8fa3e2891817.exe 89 PID 3448 wrote to memory of 4400 3448 8246f422d28415bbb58d8fa3e2891817.exe 89 PID 3448 wrote to memory of 4400 3448 8246f422d28415bbb58d8fa3e2891817.exe 89 PID 3448 wrote to memory of 4040 3448 8246f422d28415bbb58d8fa3e2891817.exe 90 PID 3448 wrote to memory of 4040 3448 8246f422d28415bbb58d8fa3e2891817.exe 90 PID 3448 wrote to memory of 4040 3448 8246f422d28415bbb58d8fa3e2891817.exe 90 PID 3448 wrote to memory of 4040 3448 8246f422d28415bbb58d8fa3e2891817.exe 90 PID 3448 wrote to memory of 4040 3448 8246f422d28415bbb58d8fa3e2891817.exe 90 PID 3448 wrote to memory of 4040 3448 8246f422d28415bbb58d8fa3e2891817.exe 90 PID 3448 wrote to memory of 4040 3448 8246f422d28415bbb58d8fa3e2891817.exe 90 PID 3448 wrote to memory of 4040 3448 8246f422d28415bbb58d8fa3e2891817.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\8246f422d28415bbb58d8fa3e2891817.exe"C:\Users\Admin\AppData\Local\Temp\8246f422d28415bbb58d8fa3e2891817.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:1224
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:3004
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:684
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵PID:4400
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040
-