Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

4363463463...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2024 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score
10/10
zgratdiscoveryratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 4 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4760
    • C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
      2⤵
        PID:2644

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
      Filesize

      62KB

      MD5

      5f691c24c109a5bf58dd5035d409b51a

      SHA1

      ae1110d5bbe2036579c7e7373bfd7fc78252cd5b

      SHA256

      f2d062f2d4b94e715bc289364b06e0c8c553d48ad9db25f4c8b272e31c1e1247

      SHA512

      aff65f8224e38da0d1589e468160931e7b69a2d78b32fe3929c3f583f94a2c822b2b173e67f149099f762dc86f0a2e75e840533705f6805f13b67952f1022a99

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
      Filesize

      54KB

      MD5

      4a5281097c7a60edb10a2807a6f3236b

      SHA1

      65efc50d6ac630d2c3ca60e5936860630b9d5dec

      SHA256

      d59d1f60c7fb9585b234cdf8905672ee6ff05684ace2286a8b1b5313e58f2f3a

      SHA512

      b73d2b49d6a5e5c8d0b8e9bcdf50a1c97f262e5c336682073bbe0d8fe54b999a26411038831e881544d39c4e46c5bcec101a350a015d8addb650b4eaaa41a0f3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
      Filesize

      58KB

      MD5

      b4834d12a9f05625cc999f47ce290158

      SHA1

      d3cc5f15a71c9c3014d6a65caa45ebb862338cf8

      SHA256

      304b3f6aa26a8ec0b9a2966b1eee674368cc6d6e37f2bfda851adf881d95b994

      SHA512

      cb7728e29d4c8ebf0538c9ed3a01de0f53e1822b17a3cc442a5793d5018670d43dc313ef20103c7c8119c6ebab7588fcb5a515949491a2d95ff53b93f1596894

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe
      Filesize

      160KB

      MD5

      0d63d73b6c5d284b1d29897d15d167e3

      SHA1

      54fdb14689b4e181aaea111b01935d8409a2bbfc

      SHA256

      13c8c726182c101b81fa758e4b467c86a64c492507f6f2bf7f9ae4e2db49c319

      SHA512

      9d2c5fd4d176cca06aece75cb322a995eda934fbcb3b0099e9fede4f4236a8889a5da0ad591de5b630082d3b6b69075f5b7ae93744354bc2eaf678e95e0fc373

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe
      Filesize

      130KB

      MD5

      8c847e80f700d312d59d5d761e5075ce

      SHA1

      ab951e2d6f6e69befa09107e31127f1795bd3b97

      SHA256

      564afd8b9d3eefe5381919a25751eece619dac36697ae36c89bbd4a1401a6157

      SHA512

      13c949b83ecdfce480ebf3fe23376f0ca719f9ae25588d3be433814ba275bbdf856db6d74bd38d57b9ded4d8d4a03230488d3f2fa4aed7affd7264d965c6682b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe
      Filesize

      149KB

      MD5

      8d339be0801701230971f52ee55c66d9

      SHA1

      e4927d0bae0cdf46770365ad8a0d5651d68623de

      SHA256

      5384edcbfc10a3209a373a095453a6c6ac922aee8505b968a604610e85f579c8

      SHA512

      35a80b4de388bbeecbb684590da2203d9560decb8e29e76bca9eadb3270e337695cbbefa9ba95ce146443e5680a5720ca075af584c00a3abd36dd4d7a49afa15

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
      Filesize

      998KB

      MD5

      cc3e279aa72e600ac7aec70790daca32

      SHA1

      3d1ef11fc3cfd4455e21db50da467d7e4e2f2632

      SHA256

      2cb109c5b7a21c8ad1904a99670d7b97eb4c2ce0241c7d01b6cb66f7cc170027

      SHA512

      18cc116dfb07f9c169b2ad704936f979311782e8900c2979c947d29b0b4043cb93520922fbbbc31f4be43624b974224358f7079f159f2dd72d4dc0039eec78e7

      Download Submit
    • memory/1824-3-0x0000000004D40000-0x0000000004D50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1824-2-0x0000000004B30000-0x0000000004BCC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1824-1-0x0000000000180000-0x0000000000188000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1824-0-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1824-32-0x0000000004D40000-0x0000000004D50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1824-31-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4760-22-0x0000000004F40000-0x0000000004F8C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4760-30-0x0000000007A80000-0x0000000007FAC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4760-23-0x00000000052C0000-0x0000000005326000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4760-24-0x0000000005D80000-0x0000000005DF6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4760-25-0x0000000005EA0000-0x0000000005F32000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4760-26-0x00000000064F0000-0x0000000006A94000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4760-27-0x0000000006080000-0x000000000609E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4760-28-0x0000000006AF0000-0x0000000006B40000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4760-29-0x0000000006D10000-0x0000000006ED2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4760-21-0x0000000004F00000-0x0000000004F3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4760-19-0x0000000004EA0000-0x0000000004EB2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4760-20-0x0000000004FD0000-0x00000000050DA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4760-33-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4760-34-0x0000000002910000-0x0000000002920000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4760-18-0x00000000054A0000-0x0000000005AB8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4760-16-0x0000000075330000-0x0000000075AE0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4760-17-0x0000000002910000-0x0000000002920000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4760-15-0x0000000000590000-0x00000000005EA000-memory.dmp
      Filesize

      360KB

      Download