Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    271s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c73b68c96462a0e1edc2041fd95a65d5ad98ac1c79906ef5d736737974cea87a.exe

  • Size

    522KB

  • MD5

    b7258e6011dbfc67b96d157d507510be

  • SHA1

    7b5361870a7f58a6352f5a5f6d14297aa39ef377

  • SHA256

    c73b68c96462a0e1edc2041fd95a65d5ad98ac1c79906ef5d736737974cea87a

  • SHA512

    c01eb2a78a188a18e6bd118158a922215d51c0f8eb8db4d800b78c39aeaebf1b2d0dfb8915907ba88c0a85787dac41626406d6f1ccab5d794d42d9be46a6dbc6

  • SSDEEP

    6144:m06j7HKD2eaNKgwl3R+JLSEhxhKkENKLKwHHH9SUnmgcrp+YJHHFaI13hclBn6Bb:0jzKqeUYE/EjNKGuSARYJHTxea6CPTz

Score
10/10
zgratdiscoveryratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c73b68c96462a0e1edc2041fd95a65d5ad98ac1c79906ef5d736737974cea87a.exe
    "C:\Users\Admin\AppData\Local\Temp\c73b68c96462a0e1edc2041fd95a65d5ad98ac1c79906ef5d736737974cea87a.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      2⤵
      • Executes dropped EXE
      PID:1612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
    Filesize

    4KB

    MD5

    a5ce3aba68bdb438e98b1d0c70a3d95c

    SHA1

    013f5aa9057bf0b3c0c24824de9d075434501354

    SHA256

    9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

    SHA512

    7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

    Download Submit

  • memory/1612-16-0x0000000000E00000-0x0000000000E08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1612-17-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1612-18-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2220-0-0x00000000000E0000-0x000000000013A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/2220-4-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2220-5-0x0000000004D10000-0x0000000004D50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2220-6-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2220-7-0x0000000004D10000-0x0000000004D50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2220-15-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

    Download