Analysis

  • max time kernel
    124s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2023 23:37

General

  • Target

    0727ab0b9ded99f5dedfd6203f574111.exe

  • Size

    2.1MB

  • MD5

    0727ab0b9ded99f5dedfd6203f574111

  • SHA1

    58eb40d2c4ca79af5e5b6df1f1c441843f8c5b8c

  • SHA256

    4592c4585d662c266a84016c91bd6cea368c51d467a985a22cb14f71f3f5d5c7

  • SHA512

    e38e963246d0ff0842ae9c0a13454699bfb094e57681a3d1de543d279dd0b61f933aa6caf44eff57a20bf8dd8a0afe7ee38da53c074db076329c99b2fd01451d

  • SSDEEP

    49152:A2sffjuMZX0CoAMSe3JTimD/Ymv+gdCrmbBI05ik4G3nvHBFtST:A2szuUF/e3JTVzN+gkKbik4OTs

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0727ab0b9ded99f5dedfd6203f574111.exe
    "C:\Users\Admin\AppData\Local\Temp\0727ab0b9ded99f5dedfd6203f574111.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Users\Admin\AppData\Local\Temp\0727ab0b9ded99f5dedfd6203f574111.exe
      C:\Users\Admin\AppData\Local\Temp\0727ab0b9ded99f5dedfd6203f574111.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\SysWOW64\wscript.exe
          WScript "C:\ProgramData\LKBNMTFJgl\r.vbs"
          4⤵
          • Drops startup file
          PID:2068
      • C:\Windows\notepad.exe
        "C:\Windows\notepad.exe" -c "C:\ProgramData\LKBNMTFJgl\cfgi"
        3⤵
        PID:1836

Network

MITRE ATT&CK Matrix

Downloads

    • C:\ProgramData\LKBNMTFJgl\r.vbs

      Filesize

      652B

      MD5

      19b2d791962e01151e4b6a40a90e8cd8

      SHA1

      a1ee500267dd1d457b3f840f8a00ba808bb46eb3

      SHA256

      67824e30ec5d2b61ffb266e8a37e9b929e82d507d09d21961b8293c99816c664

      SHA512

      4d39fd8f11e86490041190f1419273c702ccd85dcc603e5d7acc9d55cc60031ef1f7cc901a2c09b46d6bdc560a4c81d464c8495e7f9e8707ec7cd999f49c49fe

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url

      Filesize

      69B

      MD5

      e03e6937ba1878ace3d849b233adecfe

      SHA1

      affbb4f8b53af6cf35660b775a0a8f70fb95f8b5

      SHA256

      9846a8975f8e2dbc96cd18d5015c03b4d8226fddf69bcb99a0610c855b0a9e6d

      SHA512

      99ea03b8635d89409c6e65dc1dd1e995eac8c02e373f3b01faa7d715f347722075cc0d5d629914399505a2ca8ffb80bfa8cafa9d99a2e702d1fcd94fb0baeca9

    • memory/2208-2271-0x0000000000400000-0x00000000005D4000-memory.dmp

      Filesize

      1.8MB

    • memory/2208-2282-0x0000000000400000-0x00000000005D4000-memory.dmp

      Filesize

      1.8MB

    • memory/2208-2272-0x0000000000400000-0x00000000005D4000-memory.dmp

      Filesize

      1.8MB

    • memory/2332-37-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-29-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-69-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-67-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-65-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-63-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-61-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-59-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-57-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-55-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-53-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-51-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-49-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-47-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-43-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-41-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-39-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-1-0x0000000074C10000-0x00000000752FE000-memory.dmp

      Filesize

      6.9MB

    • memory/2332-35-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-33-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-31-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-45-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-27-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-25-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-23-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-21-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-935-0x0000000004C00000-0x0000000004C40000-memory.dmp

      Filesize

      256KB

    • memory/2332-19-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-17-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-15-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-13-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-11-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-9-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-6-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-5-0x0000000000940000-0x00000000009BC000-memory.dmp

      Filesize

      496KB

    • memory/2332-7-0x0000000000940000-0x00000000009B6000-memory.dmp

      Filesize

      472KB

    • memory/2332-2269-0x0000000074C10000-0x00000000752FE000-memory.dmp

      Filesize

      6.9MB

    • memory/2332-4-0x00000000081A0000-0x00000000083B0000-memory.dmp

      Filesize

      2.1MB

    • memory/2332-3-0x0000000074C10000-0x00000000752FE000-memory.dmp

      Filesize

      6.9MB

    • memory/2332-2-0x0000000004C00000-0x0000000004C40000-memory.dmp

      Filesize

      256KB

    • memory/2332-0-0x0000000000AB0000-0x0000000000CC4000-memory.dmp

      Filesize

      2.1MB