Overview

overview

10

Static

static

3

36c1d1f6b1...51.exe

windows7-x64

10

36c1d1f6b1...51.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36c1d1f6b1379323dbce4fd7c1877451.exe

  • Size

    374KB

  • MD5

    36c1d1f6b1379323dbce4fd7c1877451

  • SHA1

    28f2fe2d0d3e503a21eb38e0f1689892c2ef6564

  • SHA256

    b56c7eb4bc0fb792543e4e52056922151cb34a96d948c0ae576f995916ab846c

  • SHA512

    a535626e5d4564401f17fa8dfe14bb3e2e116feb1cf7bc1f0d543b72d23f59631c08fa8201df616f8fc5b11d76b9b29dd3d46f7b60fdcfd22fd5cf616007173a

  • SSDEEP

    6144:ZOOAs8obIAPF2iJ6s2509pQOO5tgWJ1IS+aBkDKuBZ:oC8obIAPsiJ6sF98gWJ1R+aiGaZ

Score
10/10
zgratpersistencerat

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36c1d1f6b1379323dbce4fd7c1877451.exe
    "C:\Users\Admin\AppData\Local\Temp\36c1d1f6b1379323dbce4fd7c1877451.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ytdjnmbey.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\36c1d1f6b1379323dbce4fd7c1877451.exe" -Force
      2⤵
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1444
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      2⤵
      • Executes dropped EXE
      PID:3432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1292-2596-0x000000007F1F0000-0x000000007F200000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1292-2618-0x0000000007980000-0x000000000798E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1292-2569-0x0000000074620000-0x0000000074DD0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1292-2570-0x0000000005BB0000-0x0000000005BD2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1292-2620-0x0000000007AA0000-0x0000000007ABA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1292-2621-0x00000000079D0000-0x00000000079D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1292-2619-0x0000000007990000-0x00000000079A4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1292-2600-0x0000000070460000-0x00000000704AC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1292-2616-0x0000000007950000-0x0000000007961000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1292-2615-0x00000000079E0000-0x0000000007A76000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1292-2614-0x00000000077B0000-0x00000000077BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1292-2610-0x0000000006A10000-0x0000000006A2E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1292-2612-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1292-2571-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1292-2611-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1292-2572-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1292-2624-0x0000000074620000-0x0000000074DD0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1292-2593-0x0000000006020000-0x0000000006374000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1292-2613-0x0000000007640000-0x00000000076E3000-memory.dmp
    Filesize

    652KB

    Download
  • memory/1292-2598-0x0000000007600000-0x0000000007632000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1444-2573-0x0000000005F40000-0x0000000005FA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1444-2594-0x0000000006630000-0x000000000664E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1444-2629-0x0000000074620000-0x0000000074DD0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1444-2584-0x0000000006020000-0x0000000006086000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1444-2597-0x0000000007C80000-0x00000000082FA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1444-2595-0x0000000006670000-0x00000000066BC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1444-2599-0x0000000006B60000-0x0000000006B7A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1444-2564-0x0000000005060000-0x0000000005096000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1444-2625-0x0000000006C10000-0x0000000006C32000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1444-2565-0x0000000074620000-0x0000000074DD0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1444-2567-0x00000000051D0000-0x00000000051E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1444-2568-0x0000000005810000-0x0000000005E38000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1444-2566-0x00000000051D0000-0x00000000051E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3316-61-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-57-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-27-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-25-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-23-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-21-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-19-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-17-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-15-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-1030-0x0000000005810000-0x0000000005820000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3316-2561-0x0000000074620000-0x0000000074DD0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3316-33-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-35-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-37-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-39-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-41-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-43-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-47-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-49-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-51-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-53-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-103-0x0000000074620000-0x0000000074DD0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3316-1-0x0000000074620000-0x0000000074DD0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3316-2-0x0000000005D70000-0x0000000006314000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3316-55-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-31-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-0-0x0000000000F30000-0x0000000000F92000-memory.dmp
    Filesize

    392KB

    Download
  • memory/3316-69-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-71-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-63-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-65-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-67-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-59-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-45-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-29-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-13-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-9-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-11-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-8-0x0000000006CB0000-0x0000000006D32000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3316-7-0x0000000006CB0000-0x0000000006D38000-memory.dmp
    Filesize

    544KB

    Download
  • memory/3316-3-0x00000000058C0000-0x0000000005952000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3316-6-0x0000000006B20000-0x0000000006B72000-memory.dmp
    Filesize

    328KB

    Download
  • memory/3316-5-0x0000000005870000-0x000000000587A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3316-4-0x0000000005810000-0x0000000005820000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3432-2617-0x0000000005480000-0x0000000005490000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3432-2562-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3432-2563-0x0000000074620000-0x0000000074DD0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3432-2630-0x0000000074620000-0x0000000074DD0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3432-2631-0x0000000005480000-0x0000000005490000-memory.dmp
    Filesize

    64KB

    Download