Overview

overview

10

Static

static

10

88CC26F5D6...4F.exe

windows7-x64

10

88CC26F5D6...4F.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    24/11/2023, 13:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe

  • Size

    20.4MB

  • MD5

    88cc26f5d63af5fcfdc36accae0db04f

  • SHA1

    46d7627f0a00cd378684555e30d7bfbe78687143

  • SHA256

    ee2f4598d9f48283bdd46bb0c9bd70f250a257e89bcfc2fc03275b913230d358

  • SHA512

    3cd33e09524223a1baf882671eacb8033b354a03993c2d2ed7a4ba04796f9b518b5d5b92c93210492f0228bbbb057538bbf23507d10fd8112dce38b359f92cb5

  • SSDEEP

    393216:WDfxovk0AJIh+vncZ9YvMQRVbjUU+5+NBoTRdDzWjWl2xEIYYOoq:WVovkNJIh+vXMwVb3+5+Xo1dva9FYYFq

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 11 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe
    "C:\Users\Admin\AppData\Local\Temp\88CC26F5D63AF5FCFDC36ACCAE0DB04F.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ComponentSavesmonitordll\4R9Rg51iS3uwufB6AmlFTJfH4UnV5i8D9fFIGn1EV7sKuTgZgKEMxEZz4Pb.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ComponentSavesmonitordll\UEE5DygFrJCmvXGMhlwQJ.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\ComponentSavesmonitordll\HyperDriverIntocrtDll.exe
            "C:\ComponentSavesmonitordll/HyperDriverIntocrtDll.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B8W2aAH07C.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2340
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:1960
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • Runs ping.exe
                  PID:1092
                • C:\ComponentSavesmonitordll\HyperDriverIntocrtDll.exe
                  "C:\ComponentSavesmonitordll\HyperDriverIntocrtDll.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2504

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ComponentSavesmonitordll\4R9Rg51iS3uwufB6AmlFTJfH4UnV5i8D9fFIGn1EV7sKuTgZgKEMxEZz4Pb.vbe
            Filesize

            223B

            MD5

            f8a786f4c014917d7813e05e5a8dcdf0

            SHA1

            e136d8e4d9ac5223810dab7b51937266647ca104

            SHA256

            f90b392e0e4fec9e3a7993d75aca2919e04d294347957452f1196a04a738bdb7

            SHA512

            2cb0be5d04d002aabcddd3d9794f13b264ea852e0c800e3ddc5f9992552cc5b2c718d0d34023ae1285df2e65801f4cc7adc005a41d9ca03f114ffc7a2a1056ab

            Download Submit

          • C:\ComponentSavesmonitordll\HyperDriverIntocrtDll.exe
            Filesize

            3.5MB

            MD5

            0f9b1f324db2774c14c2257eeed247fe

            SHA1

            52dcd3675150cf90e2ebc27bf745f700f747b758

            SHA256

            d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

            SHA512

            7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

            Download Submit

          • C:\ComponentSavesmonitordll\HyperDriverIntocrtDll.exe
            Filesize

            3.5MB

            MD5

            0f9b1f324db2774c14c2257eeed247fe

            SHA1

            52dcd3675150cf90e2ebc27bf745f700f747b758

            SHA256

            d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

            SHA512

            7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

            Download Submit

          • C:\ComponentSavesmonitordll\HyperDriverIntocrtDll.exe
            Filesize

            3.5MB

            MD5

            0f9b1f324db2774c14c2257eeed247fe

            SHA1

            52dcd3675150cf90e2ebc27bf745f700f747b758

            SHA256

            d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

            SHA512

            7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

            Download Submit

          • C:\ComponentSavesmonitordll\UEE5DygFrJCmvXGMhlwQJ.bat
            Filesize

            101B

            MD5

            8ac9a3a332f136cefbe9c27eab65a4c7

            SHA1

            8aef4996baf542b09f11692cc91c3aa9a6d85bbe

            SHA256

            3a9ed449a604fded1dbbef4ff997dc7ed5d9366c262eaf6c687d2c0dffbaa1b3

            SHA512

            4928cb40bc3ebdcbf4b1d155d6581eaafdd2f37c2029bb8a7c35302ba6da6bbd414d3d7ec43b7b120874dcd7c0e168573c055be111663626998960a335d7afe7

            Download Submit

          • C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsm.exe
            Filesize

            3.5MB

            MD5

            0f9b1f324db2774c14c2257eeed247fe

            SHA1

            52dcd3675150cf90e2ebc27bf745f700f747b758

            SHA256

            d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

            SHA512

            7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\B8W2aAH07C.bat
            Filesize

            181B

            MD5

            5f535ee0f14cdd399a3521d798127449

            SHA1

            d539e58601ba42dc3f7dab1a79d895f4f701886a

            SHA256

            dfe4a90f25879a9498582ed2ed44d13828cf44c581b46412fd9b9b7e804bbf7e

            SHA512

            a76ab31a2dbe7ff2ca7c023930a2239f58d688bc7bad424aea891fe697ee22666d2e3cc35bd85e7fb7e34a71f8712095e8662b2248ddaf1bd128643579bfca2f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
            Filesize

            4.0MB

            MD5

            10ac3ea14e236503bc422f963d20d510

            SHA1

            bdde4479f4fd0c87e918a71a42138aa2811e6f1a

            SHA256

            339078555e679d49401fbd5cd170a5418f8d7899d0d2fe277b456062f11aa4d2

            SHA512

            81831fec1e2fdbe1abd27d378a6db11725e97b52051b11c200c80f4dd8bdea8ff797e7eac32e1356f2f0912bb585e3b36c000959fa9a26cb0f8c5ea702a4f6f2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
            Filesize

            4.0MB

            MD5

            10ac3ea14e236503bc422f963d20d510

            SHA1

            bdde4479f4fd0c87e918a71a42138aa2811e6f1a

            SHA256

            339078555e679d49401fbd5cd170a5418f8d7899d0d2fe277b456062f11aa4d2

            SHA512

            81831fec1e2fdbe1abd27d378a6db11725e97b52051b11c200c80f4dd8bdea8ff797e7eac32e1356f2f0912bb585e3b36c000959fa9a26cb0f8c5ea702a4f6f2

            Download Submit

          • \ComponentSavesmonitordll\HyperDriverIntocrtDll.exe
            Filesize

            3.5MB

            MD5

            0f9b1f324db2774c14c2257eeed247fe

            SHA1

            52dcd3675150cf90e2ebc27bf745f700f747b758

            SHA256

            d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

            SHA512

            7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

            Download Submit

          • \ComponentSavesmonitordll\HyperDriverIntocrtDll.exe
            Filesize

            3.5MB

            MD5

            0f9b1f324db2774c14c2257eeed247fe

            SHA1

            52dcd3675150cf90e2ebc27bf745f700f747b758

            SHA256

            d89ca804c1df9ae20c5ca623469b736e10f8bc649ffc4de9fa7929448d04fc08

            SHA512

            7563c259bef09530c3b7c57ff885ddfba1a4aa05a33e54abd789b75aed25afa1fa5c7c22e99da21806dc8a09797dd106f80306ae665c81d8e21e7bbb3b651187

            Download Submit

          • \Users\Admin\AppData\Local\Temp\Nursultan.exe
            Filesize

            4.0MB

            MD5

            10ac3ea14e236503bc422f963d20d510

            SHA1

            bdde4479f4fd0c87e918a71a42138aa2811e6f1a

            SHA256

            339078555e679d49401fbd5cd170a5418f8d7899d0d2fe277b456062f11aa4d2

            SHA512

            81831fec1e2fdbe1abd27d378a6db11725e97b52051b11c200c80f4dd8bdea8ff797e7eac32e1356f2f0912bb585e3b36c000959fa9a26cb0f8c5ea702a4f6f2

            Download Submit

          • memory/1740-61-0x0000000077270000-0x0000000077271000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-71-0x0000000000640000-0x000000000064E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1740-26-0x0000000077310000-0x0000000077311000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-27-0x0000000001150000-0x00000000011D0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1740-29-0x0000000000430000-0x0000000000456000-memory.dmp

            Filesize

            152KB

            Download

          • memory/1740-31-0x0000000000370000-0x0000000000380000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1740-32-0x0000000077300000-0x0000000077301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-35-0x00000000772F0000-0x00000000772F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-34-0x0000000000380000-0x0000000000390000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1740-36-0x00000000772E0000-0x00000000772E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-38-0x0000000000390000-0x00000000003A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1740-41-0x00000000772D0000-0x00000000772D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-40-0x00000000003A0000-0x00000000003AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1740-44-0x00000000772C0000-0x00000000772C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-43-0x0000000000460000-0x000000000046E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1740-46-0x0000000000470000-0x000000000047C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1740-48-0x0000000000480000-0x000000000048E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1740-51-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1740-52-0x00000000772B0000-0x00000000772B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-50-0x0000000000660000-0x0000000000672000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1740-53-0x0000000077290000-0x0000000077291000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-54-0x00000000772A0000-0x00000000772A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-57-0x0000000001150000-0x00000000011D0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1740-58-0x0000000077280000-0x0000000077281000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-56-0x0000000000490000-0x000000000049C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1740-60-0x0000000000620000-0x0000000000630000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1740-24-0x0000000000330000-0x0000000000331000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-62-0x0000000001150000-0x00000000011D0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1740-64-0x0000000000680000-0x0000000000696000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1740-65-0x0000000001150000-0x00000000011D0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1740-66-0x0000000077260000-0x0000000077261000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-69-0x0000000000C70000-0x0000000000C82000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1740-67-0x0000000077250000-0x0000000077251000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-25-0x0000000001150000-0x00000000011D0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1740-72-0x0000000077240000-0x0000000077241000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-74-0x0000000000650000-0x000000000065C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1740-75-0x0000000077230000-0x0000000077231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-76-0x0000000077220000-0x0000000077221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-78-0x00000000006A0000-0x00000000006AC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1740-79-0x0000000077210000-0x0000000077211000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-81-0x0000000000C90000-0x0000000000CA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1740-83-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1740-85-0x00000000011D0000-0x000000000122A000-memory.dmp

            Filesize

            360KB

            Download

          • memory/1740-88-0x00000000771E0000-0x00000000771E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-87-0x0000000000CB0000-0x0000000000CBE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1740-90-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1740-91-0x00000000771D0000-0x00000000771D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1740-93-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1740-95-0x0000000000E00000-0x0000000000E18000-memory.dmp

            Filesize

            96KB

            Download

          • memory/1740-97-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1740-99-0x0000000001230000-0x000000000127E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/1740-23-0x0000000001150000-0x00000000011D0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/1740-116-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1740-22-0x000007FEF5950000-0x000007FEF633C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/1740-21-0x00000000012C0000-0x0000000001648000-memory.dmp

            Filesize

            3.5MB

            Download

          • memory/2124-7-0x0000000000400000-0x0000000001865000-memory.dmp

            Filesize

            20.4MB

            Download

          • memory/2504-118-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2504-119-0x000000001B0A0000-0x000000001B120000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2504-120-0x00000000003C0000-0x00000000003C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2504-121-0x000000001B0A0000-0x000000001B120000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2504-123-0x0000000077310000-0x0000000077311000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2504-124-0x000000001B0A0000-0x000000001B120000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2504-126-0x0000000077300000-0x0000000077301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2504-128-0x00000000772F0000-0x00000000772F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2504-130-0x00000000772E0000-0x00000000772E1000-memory.dmp

            Filesize

            4KB

            Download