Overview

overview

10

Static

static

3

ab0443c4b5...b3.exe

windows7-x64

10

ab0443c4b5...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/12/2023, 16:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ab0443c4b5ae89cd913377183852ecb3.exe

  • Size

    1.2MB

  • MD5

    ab0443c4b5ae89cd913377183852ecb3

  • SHA1

    23cf5fb65377cfe0af63adede50c50fb24dc32ab

  • SHA256

    8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237

  • SHA512

    149ef11f5b394b29310bb43bac8dc7356fe08c8916359b85de8b05b6033c76cb3e230fcd7098bba9acaf7dfc4570aba479b6e9b05369043f1d24a7f5d78e7d7b

  • SSDEEP

    24576:vhH733J6mChDoplHDnS5DYL65kXy2eO9S0Q2eFctQU:JDMCljnK2ok9l9SX2L

Score
10/10
xmrigzgratminerrat

Malware Config

Signatures

  • Detect ZGRat V1 38 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab0443c4b5ae89cd913377183852ecb3.exe
    "C:\Users\Admin\AppData\Local\Temp\ab0443c4b5ae89cd913377183852ecb3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Users\Admin\AppData\Local\Temp\ab0443c4b5ae89cd913377183852ecb3.exe
      C:\Users\Admin\AppData\Local\Temp\ab0443c4b5ae89cd913377183852ecb3.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
  • C:\Users\Admin\AppData\Local\AceFlags\nxafect\ContextProperties.exe
    C:\Users\Admin\AppData\Local\AceFlags\nxafect\ContextProperties.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Local\AceFlags\nxafect\ContextProperties.exe
      C:\Users\Admin\AppData\Local\AceFlags\nxafect\ContextProperties.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2180
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4456
  • C:\Users\Admin\AppData\Local\Temp\njgepu.exe
    C:\Users\Admin\AppData\Local\Temp\njgepu.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3696

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\AceFlags\nxafect\ContextProperties.exe
          Filesize

          1.2MB

          MD5

          ab0443c4b5ae89cd913377183852ecb3

          SHA1

          23cf5fb65377cfe0af63adede50c50fb24dc32ab

          SHA256

          8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237

          SHA512

          149ef11f5b394b29310bb43bac8dc7356fe08c8916359b85de8b05b6033c76cb3e230fcd7098bba9acaf7dfc4570aba479b6e9b05369043f1d24a7f5d78e7d7b

          Download Submit

        • C:\Users\Admin\AppData\Local\AceFlags\nxafect\ContextProperties.exe
          Filesize

          235KB

          MD5

          027867362c2e503eb0d688e6c9a29419

          SHA1

          2881d149932efaaac48d60615c80c9765fcf5085

          SHA256

          c4d7eb74c5b4c39e106da72e1df302dfe5ef86265a1f512d5cbd553383128f9f

          SHA512

          2475c93cdc62e088d68c10032bfc72473a64047547ce39c9c0ea656dac25276ef850873325ddb54bb897539c9eb1fddcc6812c466824941bf8b080f33b0b9851

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ab0443c4b5ae89cd913377183852ecb3.exe.log
          Filesize

          1KB

          MD5

          bdd50fab193bb1a687efd2214c3ddd75

          SHA1

          2ed9874e543e755b7d7fb9f52fd687f2c287399f

          SHA256

          bfedba89a98eaff3bc2b9cabf01a9059f5a052e3849fb08f6fa00f845abc11e7

          SHA512

          318c4096b76cdb767ecc13ea9887098312140e2851c0a7b3e925d71bfc9ff03bc14bc8de9c3c38de39bc836368c0e29a09b9603d0769ebab4204895ae2f8c444

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\njgepu.exe
          Filesize

          158KB

          MD5

          80cd35af18d332773114eebebf587d96

          SHA1

          eaecf93668b14c554ef3d941074079ef4d9cac47

          SHA256

          d1ca711e3eaffd0c14e5b40f7aa32686eecb3f11f84842a39b7d663f167cf138

          SHA512

          c3c215c3d4ff425220d434ea6234457a9f8194265f37241701c6f1fa4a893466c1047a5c61f46ecf961ce522787f7c0273cab1e0d23ec31cef2623054abca5b3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\njgepu.exe
          Filesize

          150KB

          MD5

          f0fa3bb40fcaad74b35d6141b2c3bebd

          SHA1

          84e781e0b73ab9a2103aeed1babbbe9993c8b3a0

          SHA256

          1948c1f2683a9249a4cb5295cc496ad3c8df07c2011fcd4c5fda6048b4f81c79

          SHA512

          e35eb064335b9f6c04ed6e606cf819a92770ac01be835e63dc0b38ce07f2d65eb4198acef624cecbff804ff4e37d354d5905007f7422391d435cd03a989b369b

          Download Submit

        • memory/828-10365-0x0000020DE7370000-0x0000020DE7380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/828-10364-0x0000020DE7370000-0x0000020DE7380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/828-10344-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/828-10366-0x0000020DE7370000-0x0000020DE7380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/828-10362-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/828-10350-0x0000020DE7370000-0x0000020DE7380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/828-10345-0x0000020DE7370000-0x0000020DE7380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/828-10343-0x0000020DFFB40000-0x0000020DFFC40000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/828-10348-0x0000020D801C0000-0x0000020D80216000-memory.dmp

          Filesize

          344KB

          Download

        • memory/828-10347-0x0000020D801B0000-0x0000020D801B8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/828-10342-0x0000000000400000-0x00000000004B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/828-10349-0x0000020DE7370000-0x0000020DE7380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1592-6275-0x000001CCF63F0000-0x000001CCF6400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1592-4072-0x000001CCF6310000-0x000001CCF63F4000-memory.dmp

          Filesize

          912KB

          Download

        • memory/1592-4071-0x000001CCF63F0000-0x000001CCF6400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1592-4070-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1592-6280-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1592-6273-0x000001CCF63F0000-0x000001CCF6400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1824-30-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-32-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-44-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-48-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-56-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-66-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-64-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-62-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-60-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-58-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-54-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-52-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-50-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-926-0x000001F51D5E0000-0x000001F51D5E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1824-925-0x000001F5377A0000-0x000001F5377B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1824-928-0x000001F5379B0000-0x000001F5379FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1824-927-0x000001F5378E0000-0x000001F5379AA000-memory.dmp

          Filesize

          808KB

          Download

        • memory/1824-933-0x00007FFEBF890000-0x00007FFEC0351000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1824-42-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-40-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-34-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-38-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-36-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-46-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-0-0x000001F51D120000-0x000001F51D25A000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-20-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-22-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-24-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-28-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-26-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-18-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-16-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-3-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-4-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-12-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-14-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-2-0x00007FFEBF890000-0x00007FFEC0351000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1824-6-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-1-0x000001F5377B0000-0x000001F5378E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-10-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-8-0x000001F5377B0000-0x000001F5378DA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2180-7200-0x000002721D1F0000-0x000002721D1F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2180-7206-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2180-6274-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2180-6276-0x0000027237440000-0x0000027237450000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2184-3136-0x000002A8759F0000-0x000002A875A44000-memory.dmp

          Filesize

          336KB

          Download

        • memory/2184-3138-0x00007FFEBF890000-0x00007FFEC0351000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2184-935-0x000002A8754C0000-0x000002A8755A4000-memory.dmp

          Filesize

          912KB

          Download

        • memory/2184-934-0x00007FFEBF890000-0x00007FFEC0351000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2184-932-0x0000000000400000-0x00000000004AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2184-3134-0x000002A873380000-0x000002A873388000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2184-3135-0x000002A875430000-0x000002A875486000-memory.dmp

          Filesize

          344KB

          Download

        • memory/3696-10371-0x000001E9BE5B0000-0x000001E9BE5D0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3696-10370-0x000001E9BE5B0000-0x000001E9BE5D0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3696-10367-0x0000000140000000-0x00000001407CF000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/3696-10363-0x000001E9BCBE0000-0x000001E9BCC00000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3696-10356-0x0000000140000000-0x00000001407CF000-memory.dmp

          Filesize

          7.8MB

          Download

        • memory/4220-4064-0x0000026EA38C0000-0x0000026EA38D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4220-3141-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4220-4065-0x0000026E8AEF0000-0x0000026E8AEF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4220-4073-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4296-10339-0x000001BD5D2F0000-0x000001BD5D3C2000-memory.dmp

          Filesize

          840KB

          Download

        • memory/4296-10346-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4296-10337-0x000001BD5D2E0000-0x000001BD5D2F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4296-10338-0x000001BD449D0000-0x000001BD449D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4296-9412-0x000001BD5D130000-0x000001BD5D26A000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4296-9413-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4296-9411-0x000001BD42BC0000-0x000001BD42D02000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4456-7205-0x0000022556BB0000-0x0000022556BC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4456-10351-0x0000022556BB0000-0x0000022556BC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4456-7204-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4456-9408-0x00007FFEBF7E0000-0x00007FFEC02A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4456-10044-0x0000022556BB0000-0x0000022556BC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4456-9407-0x0000022556BB0000-0x0000022556BC0000-memory.dmp

          Filesize

          64KB

          Download