Overview

overview

10

Static

static

1

f206fcd4c9...11.exe

windows7-x64

10

f206fcd4c9...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2023 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f206fcd4c9308dbd966384dc94ea6811.exe

  • Size

    451KB

  • MD5

    f206fcd4c9308dbd966384dc94ea6811

  • SHA1

    49e1c7affefcbdc4a69ce941704b63f0508760de

  • SHA256

    301042d2e4c7c38c45d27312dffcd8260060bc8d98ddb510dbbf7f52f1f0f151

  • SHA512

    efcce74dc0f7a326a54f7b7a999071236f92d1f0930630f10dbd070e4c3c4d4aef43dcaaa1d570ccb665f39490889529b4a87d73109f83f4477d60c9f2e49789

  • SSDEEP

    6144:vuS/mbZR6tzw+HYzXfjn7FdXjxTpUQPY5e9JfQ3EIY0FY:XmbZRp+4pxxJY5cQ3EIYR

Score
10/10
wshratzgratpersistencerattrojan

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • WSHRAT payload 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f206fcd4c9308dbd966384dc94ea6811.exe
    "C:\Users\Admin\AppData\Local\Temp\f206fcd4c9308dbd966384dc94ea6811.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\AppData\Local\Temp\f206fcd4c9308dbd966384dc94ea6811.exe
      "C:\Users\Admin\AppData\Local\Temp\f206fcd4c9308dbd966384dc94ea6811.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Roaming\ugbeh.vbs
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:4868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f206fcd4c9308dbd966384dc94ea6811.exe.log
    Filesize

    1KB

    MD5

    7ebe314bf617dc3e48b995a6c352740c

    SHA1

    538f643b7b30f9231a3035c448607f767527a870

    SHA256

    48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

    SHA512

    0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ugbeh.vbs
    Filesize

    180KB

    MD5

    8ffe3d7ee738e0573bd189ccc3b539b2

    SHA1

    94eab63679eca28bcd764d6d5d42094467e3d2ac

    SHA256

    f4af882c098d1e7c1e989ab36b0653a580d55ac0b52b2f6cd1faa070c738698f

    SHA512

    5f30d676aca05fcde57f17ddc87ba86a2d05bbf72fe166d97de042eca60dca76413a2bdaebe10e22471ae4689601d849e58cb78eb6aaf4cfa6fd6384dc81b273

    Download Submit

  • memory/1012-10-0x0000000000400000-0x0000000000488000-memory.dmp

    Filesize

    544KB

    Download

  • memory/1012-17-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1012-15-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1012-11-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4800-4-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4800-7-0x00000000065F0000-0x0000000006638000-memory.dmp

    Filesize

    288KB

    Download

  • memory/4800-8-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4800-6-0x0000000005150000-0x000000000515A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4800-5-0x0000000004D20000-0x0000000004D30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4800-14-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4800-0-0x00000000748F0000-0x00000000750A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4800-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4800-2-0x0000000005240000-0x00000000057E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4800-1-0x00000000002A0000-0x0000000000316000-memory.dmp

    Filesize

    472KB

    Download