Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231130-en -
resource tags
-
submitted
10/12/2023, 16:20
General
-
Target
ab0443c4b5ae89cd913377183852ecb3.exe
-
Size
1.2MB
-
MD5
ab0443c4b5ae89cd913377183852ecb3
-
SHA1
23cf5fb65377cfe0af63adede50c50fb24dc32ab
-
SHA256
8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237
-
SHA512
149ef11f5b394b29310bb43bac8dc7356fe08c8916359b85de8b05b6033c76cb3e230fcd7098bba9acaf7dfc4570aba479b6e9b05369043f1d24a7f5d78e7d7b
-
SSDEEP
24576:vhH733J6mChDoplHDnS5DYL65kXy2eO9S0Q2eFctQU:JDMCljnK2ok9l9SX2L
Malware Config
Signatures
-
Detect ZGRat V1 37 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab0443c4b5ae89cd913377183852ecb3.exe"C:\Users\Admin\AppData\Local\Temp\ab0443c4b5ae89cd913377183852ecb3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ab0443c4b5ae89cd913377183852ecb3.exeC:\Users\Admin\AppData\Local\Temp\ab0443c4b5ae89cd913377183852ecb3.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {7690D575-1AD8-4A27-8D9F-390161C04B08} S-1-5-21-2058106572-1146578376-825901627-1000:LPKQNNGV\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\AceFlags\cxwmvf\ContextProperties.exeC:\Users\Admin\AppData\Local\AceFlags\cxwmvf\ContextProperties.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\AceFlags\cxwmvf\ContextProperties.exeC:\Users\Admin\AppData\Local\AceFlags\cxwmvf\ContextProperties.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5ab0443c4b5ae89cd913377183852ecb3
SHA123cf5fb65377cfe0af63adede50c50fb24dc32ab
SHA2568252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237
SHA512149ef11f5b394b29310bb43bac8dc7356fe08c8916359b85de8b05b6033c76cb3e230fcd7098bba9acaf7dfc4570aba479b6e9b05369043f1d24a7f5d78e7d7b
-
Filesize
1.2MB
-
Filesize
304KB
-
Filesize
9.9MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
1.2MB
-
Filesize
808KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
912KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
336KB
-
Filesize
512KB
-
Filesize
912KB
-
Filesize
9.9MB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
9.9MB
-
Filesize
680KB
-
Filesize
9.9MB
-
Filesize
1.2MB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
9.9MB