Overview

overview

10

Static

static

10

a6eb2d0e93...74.exe

windows7-x64

10

a6eb2d0e93...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    87s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2024 08:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6eb2d0e9381ff6eb2aca7bf1d797774.exe

  • Size

    1.7MB

  • MD5

    a6eb2d0e9381ff6eb2aca7bf1d797774

  • SHA1

    64becc3595f0467f12e2b20bd3a34603fb7e472e

  • SHA256

    10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e

  • SHA512

    46f60e6d26e1cd6c3a78d842fe5258588623e7fc0dbded7ed1e3bf1baa020fb71dd75f3e77678bb71298cb59171a1150e1847daa20f10b7091724706ad567878

  • SSDEEP

    24576:8s6fQKBl6XngXq9rvXdXwApsgDhhqMWUO9lmRmY7gBgT7muTYpC0M3/biezlI/s:8KRXwATqMW9y5OUJjTzl

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a6eb2d0e9381ff6eb2aca7bf1d797774.exe
    "C:\Users\Admin\AppData\Local\Temp\a6eb2d0e9381ff6eb2aca7bf1d797774.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3872
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\unsecapp.exe'
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a6eb2d0e9381ff6eb2aca7bf1d797774.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4624
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rATFv46Q9y.bat"
      2⤵
        PID:2256
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:5312
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:5800
          • C:\odt\csrss.exe
            "C:\odt\csrss.exe"
            3⤵
              PID:4432

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          436B

          MD5

          818d879fe29d455e535edf580734ef6e

          SHA1

          eb4d22c0973fee78bf4296ceb75ae5a11cf05fcc

          SHA256

          2fccad62074b83373044556d3891144e2bf14f265739f19e4b083c9192e028ee

          SHA512

          4e30320c324374cbfb730ef0eee8fed402c5c97a52b5e9ab138a7e6a1a1a82f42cc8720b4511bd0f0e4373e2edc70fd1cf0330adc3a48025701c1f1efe20901f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          96cb80a142b37ab4b3b6006fb9344bac

          SHA1

          cfb0d756fbad277e9c508cbea162cf16ea28bd8d

          SHA256

          bd23b440cad6871d9a49843083c3eba6dc50f464b627bb3b7515eecbfb7b7cd6

          SHA512

          d4a097fb09ac8170297a058667ff50df2250820734465d0043dd91c3c2c5b4f71af0f0c71331b0768e6874b59e8c027b0b89ad349a4c3f7461a9019ffaf96623

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          60804e808a88131a5452fed692914a8e

          SHA1

          fdb74669923b31d573787fe024dbd701fa21bb5b

          SHA256

          064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

          SHA512

          d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          9611cc3fb39fedd4b0e81d90b044531c

          SHA1

          e35c10c1c1e29d44222114e0f72d58b3072880fd

          SHA256

          2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec

          SHA512

          92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3z5royro.zmn.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rATFv46Q9y.bat
          Filesize

          144B

          MD5

          8edc8a3287f8d801fc1e00077c70086f

          SHA1

          3e0be118643413705e38c6d9d90e8192393ddbc4

          SHA256

          c7bffb43c62b17e128bf34fdff1a46c5f17b7baaa243e0dd06564cf8832134ad

          SHA512

          3a6009b4fb45f3c70ad160a50774923cc40962b10cb4b2dd9934ede8812275c54079f3bef2656b3a1106619258a03623059bf7c1c577ca66b5354bf7ff1818bc

          Download Submit

        • C:\odt\lsass.exe
          Filesize

          1.7MB

          MD5

          a6eb2d0e9381ff6eb2aca7bf1d797774

          SHA1

          64becc3595f0467f12e2b20bd3a34603fb7e472e

          SHA256

          10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e

          SHA512

          46f60e6d26e1cd6c3a78d842fe5258588623e7fc0dbded7ed1e3bf1baa020fb71dd75f3e77678bb71298cb59171a1150e1847daa20f10b7091724706ad567878

          Download Submit

        • memory/1144-234-0x0000018DB9A50000-0x0000018DB9A60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1144-240-0x0000018DB9A50000-0x0000018DB9A60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1684-86-0x0000020071B40000-0x0000020071B50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1684-60-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1984-228-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2376-241-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2376-230-0x000001BD434C0000-0x000001BD434D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2376-243-0x000001BD434C0000-0x000001BD434D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2464-42-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2464-44-0x000001C7F84A0000-0x000001C7F84B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2484-188-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2484-195-0x000001ACCA610000-0x000001ACCA620000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2808-38-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2808-43-0x000001A0D4350000-0x000001A0D4360000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2808-54-0x000001A0EC780000-0x000001A0EC7A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2856-231-0x0000025514040000-0x0000025514050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2856-237-0x0000025514040000-0x0000025514050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2856-229-0x0000025514040000-0x0000025514050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2856-242-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3204-245-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3240-238-0x000002D93FC70000-0x000002D93FC80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3240-205-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3240-216-0x000002D93FC70000-0x000002D93FC80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3240-217-0x000002D93FC70000-0x000002D93FC80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3324-239-0x0000021271BB0000-0x0000021271BC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3324-227-0x0000021271BB0000-0x0000021271BC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3324-226-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3584-235-0x0000022843BF0000-0x0000022843C00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3584-215-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3872-222-0x000001BAD0220000-0x000001BAD0230000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3872-221-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3944-36-0x000001DAEF700000-0x000001DAEF710000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3944-40-0x000001DAEF700000-0x000001DAEF710000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3944-236-0x000001DAEF700000-0x000001DAEF710000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3944-35-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4424-16-0x00007FFB1B150000-0x00007FFB1B151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4424-13-0x00007FFB1B160000-0x00007FFB1B161000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4424-1-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4424-7-0x00007FFB1B170000-0x00007FFB1B171000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4424-15-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4424-2-0x0000000000A60000-0x0000000000A61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4424-39-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4424-0-0x0000000000300000-0x00000000004C6000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4424-8-0x000000001B490000-0x000000001B4A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4424-34-0x000000001B490000-0x000000001B4A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4424-3-0x000000001B490000-0x000000001B4A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4424-6-0x00007FFB1B180000-0x00007FFB1B23E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/4424-18-0x0000000000D50000-0x0000000000D5C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4424-4-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4424-10-0x0000000000D30000-0x0000000000D4C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4424-41-0x00007FFB1B180000-0x00007FFB1B23E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/4424-5-0x000000001B490000-0x000000001B4A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4424-12-0x0000000002770000-0x00000000027C0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4424-11-0x00007FFB1B180000-0x00007FFB1B23E000-memory.dmp

          Filesize

          760KB

          Download

        • memory/4624-224-0x000001EE72DB0000-0x000001EE72DC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4624-223-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4624-225-0x000001EE72DB0000-0x000001EE72DC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4712-87-0x0000024A58220000-0x0000024A58230000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4712-244-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4712-72-0x0000024A58220000-0x0000024A58230000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4752-219-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4752-220-0x00000231F5600000-0x00000231F5610000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4952-233-0x00000202FD9F0000-0x00000202FDA00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4952-232-0x00007FFAFE090000-0x00007FFAFEB51000-memory.dmp

          Filesize

          10.8MB

          Download