Analysis
max time kernel: 0s
max time network: 151s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06/01/2024, 19:23
Static task: static1
Behavioral task: behavioral1
  Sample: 470009d741e322fe3c1325400818adb1.vbs
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 470009d741e322fe3c1325400818adb1.vbs
  Resource: win10v2004-20231215-en
General
Target: 470009d741e322fe3c1325400818adb1.vbs
Size: 2.1MB
MD5: 470009d741e322fe3c1325400818adb1
SHA1: b820684ec4f06ecd27ca84bfd5c36f83d14144fa
SHA256: 3037bc78a5195bafc18d9b77704137680db76d2261895e96d876753bb2598b43
SHA512: 7625698b872e20bc14bb9c60b97162be94ea1ccbca736f448a20dad420d7358518be49a5699af68d354997f420856720fe5fa48abc0b3197c3f8779a9b8787a0
SSDEEP: 24576:OQOFZDEVQiHz09jcAVQYc7RtyXZxolR7UMx9ke7zxV1a3Xh6gvEycpryXxoOR7Un:u/g/BdRWol1nPkMgvMpgoOfuj
Malware Config
Signatures
Detect ZGRat V1 (36 IoCs)
Executes dropped EXE (1 IoC)
  pid   Process
  2380  file.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 2996 wrote to memory of 2380  2996  WScript.exe  21
  PID 2996 wrote to memory of 2380  2996  WScript.exe  21
  PID 2996 wrote to memory of 2380  2996  WScript.exe  21
  PID 2996 wrote to memory of 2380  2996  WScript.exe  21
Processes
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\470009d741e322fe3c1325400818adb1.vbs"
  Depth: 1, PID: 2996
  Signatures: Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\name.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\name.exe"
    Depth: 2, PID: 2744
    C:\Users\Admin\AppData\Local\Temp\name.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\name.exe
      Depth: 3, PID: 2036
    C:\Users\Admin\AppData\Local\Temp\name.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\name.exe
      Depth: 3, PID: 1516
    C:\Users\Admin\AppData\Local\Temp\name.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\name.exe
      Depth: 3, PID: 2492
    C:\Users\Admin\AppData\Local\Temp\name.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\name.exe
      Depth: 3, PID: 2700
    C:\Users\Admin\AppData\Local\Temp\name.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\name.exe
      Depth: 3, PID: 696
    C:\Users\Admin\AppData\Local\Temp\name.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\name.exe
      Depth: 3, PID: 1032
  C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    Depth: 2, PID: 2380
    Signatures: Executes dropped EXE