Overview

overview

10

Static

static

3

36c1d1f6b1...51.exe

windows7-x64

10

36c1d1f6b1...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36c1d1f6b1379323dbce4fd7c1877451.exe

  • Size

    374KB

  • MD5

    36c1d1f6b1379323dbce4fd7c1877451

  • SHA1

    28f2fe2d0d3e503a21eb38e0f1689892c2ef6564

  • SHA256

    b56c7eb4bc0fb792543e4e52056922151cb34a96d948c0ae576f995916ab846c

  • SHA512

    a535626e5d4564401f17fa8dfe14bb3e2e116feb1cf7bc1f0d543b72d23f59631c08fa8201df616f8fc5b11d76b9b29dd3d46f7b60fdcfd22fd5cf616007173a

  • SSDEEP

    6144:ZOOAs8obIAPF2iJ6s2509pQOO5tgWJ1IS+aBkDKuBZ:oC8obIAPsiJ6sF98gWJ1R+aiGaZ

Score
10/10
revengeratzgratnyancatrevengepersistencerattrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

dontreachme.duckdns.org:3602

Mutex

774d753e6b8d42

Signatures

  • Detect ZGRat V1 34 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36c1d1f6b1379323dbce4fd7c1877451.exe
    "C:\Users\Admin\AppData\Local\Temp\36c1d1f6b1379323dbce4fd7c1877451.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ytdjnmbey.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\36c1d1f6b1379323dbce4fd7c1877451.exe" -Force
      2⤵
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2040
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      2⤵
      • Executes dropped EXE
      PID:2400

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_Ytdjnmbey.vbs
    Filesize

    149B

    MD5

    75fda8189e60e05655aea55fe68591c0

    SHA1

    de2177e12403c59f81d278497a387089ddd10d73

    SHA256

    cf8322af201e7b0f5d5b2b93c0df541c8785436ebdf04a32addc46b13caf81c5

    SHA512

    1bc581cbe6ba2f7f9a419bdb9b582ec5585d5cdfd8e245cab19c269d2bd4ecbc151cd98996b8d5f330304fda243c4a13388f1c601111dbab59fd0ad35e5ea647

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    aac1d9c13d2cdeb947b79f7e2dc00d86

    SHA1

    5fc5b17514c94fc0c07c49836332553e12fd64fa

    SHA256

    6c63d84a8cc43b11f2f131fe1c34c5978a9a6801f31cdc4a7e84e6df9bcbbe1f

    SHA512

    33a054320f6b8b8ed8221c417783d099e15ec5e940e42bdc0f228b7822e42cc497ca7cf8c2ba5919cb89e599e7130fac39f4221bbe3084e40dc57fcee9c31a8e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • memory/1036-2584-0x00000000705E0000-0x0000000070B8B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1036-2591-0x00000000705E0000-0x0000000070B8B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1036-2589-0x00000000027F0000-0x0000000002830000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1036-2587-0x00000000027F0000-0x0000000002830000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1036-2585-0x00000000027F0000-0x0000000002830000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1104-41-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-51-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-6-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-7-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-9-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-11-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-13-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-15-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-17-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-19-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-21-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-23-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-25-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-27-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-29-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-31-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-33-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-35-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-37-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-39-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-4-0x0000000005950000-0x00000000059D8000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1104-43-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-45-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-47-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-49-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-5-0x0000000074260000-0x000000007494E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1104-53-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-55-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-57-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-59-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-61-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-63-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-65-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-67-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-69-0x0000000005950000-0x00000000059D2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1104-368-0x0000000000A20000-0x0000000000A60000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1104-2573-0x0000000074260000-0x000000007494E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1104-3-0x0000000000AD0000-0x0000000000B22000-memory.dmp
    Filesize

    328KB

    Download
  • memory/1104-0-0x00000000012A0000-0x0000000001302000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1104-1-0x0000000074260000-0x000000007494E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1104-2-0x0000000000A20000-0x0000000000A60000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2040-2588-0x00000000026B0000-0x00000000026F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2040-2586-0x00000000705E0000-0x0000000070B8B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2040-2583-0x00000000705E0000-0x0000000070B8B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2040-2592-0x00000000705E0000-0x0000000070B8B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2400-2574-0x0000000074260000-0x000000007494E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2400-2575-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2400-2590-0x0000000004300000-0x0000000004340000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2400-2593-0x0000000074260000-0x000000007494E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2400-2594-0x0000000004300000-0x0000000004340000-memory.dmp
    Filesize

    256KB

    Download