Analysis

  • max time kernel
    0s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    06/01/2024, 19:23

General

  • Target

    470009d741e322fe3c1325400818adb1.vbs

  • Size

    2.1MB

  • MD5

    470009d741e322fe3c1325400818adb1

  • SHA1

    b820684ec4f06ecd27ca84bfd5c36f83d14144fa

  • SHA256

    3037bc78a5195bafc18d9b77704137680db76d2261895e96d876753bb2598b43

  • SHA512

    7625698b872e20bc14bb9c60b97162be94ea1ccbca736f448a20dad420d7358518be49a5699af68d354997f420856720fe5fa48abc0b3197c3f8779a9b8787a0

  • SSDEEP

    24576:OQOFZDEVQiHz09jcAVQYc7RtyXZxolR7UMx9ke7zxV1a3Xh6gvEycpryXxoOR7Un:u/g/BdRWol1nPkMgvMpgoOfuj

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 36 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\470009d741e322fe3c1325400818adb1.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\name.exe
      "C:\Users\Admin\AppData\Local\Temp\name.exe"
      2⤵
      PID:2744
      • C:\Users\Admin\AppData\Local\Temp\name.exe
        C:\Users\Admin\AppData\Local\Temp\name.exe
        3⤵
        PID:2036
      • C:\Users\Admin\AppData\Local\Temp\name.exe
        C:\Users\Admin\AppData\Local\Temp\name.exe
        3⤵
        PID:1516
      • C:\Users\Admin\AppData\Local\Temp\name.exe
        C:\Users\Admin\AppData\Local\Temp\name.exe
        3⤵
        PID:2492
      • C:\Users\Admin\AppData\Local\Temp\name.exe
        C:\Users\Admin\AppData\Local\Temp\name.exe
        3⤵
        PID:2700
      • C:\Users\Admin\AppData\Local\Temp\name.exe
        C:\Users\Admin\AppData\Local\Temp\name.exe
        3⤵
        PID:696
      • C:\Users\Admin\AppData\Local\Temp\name.exe
        C:\Users\Admin\AppData\Local\Temp\name.exe
        3⤵
        PID:1032
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Executes dropped EXE
      PID:2380

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2036-2440-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
  • memory/2036-2442-0x0000000004FA0000-0x0000000004FE0000-memory.dmp (Filesize 256KB)
  • memory/2036-2445-0x0000000000610000-0x000000000061A000-memory.dmp (Filesize 40KB)
  • memory/2036-2447-0x0000000000640000-0x000000000064A000-memory.dmp (Filesize 40KB)
  • memory/2036-2446-0x0000000000620000-0x000000000063E000-memory.dmp (Filesize 120KB)
  • memory/2036-2441-0x0000000074B90000-0x000000007527E000-memory.dmp (Filesize 6.9MB)
  • memory/2380-68-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-56-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-21-0x0000000008290000-0x000000000830C000-memory.dmp (Filesize 496KB)
  • memory/2380-12-0x0000000000980000-0x0000000000A40000-memory.dmp (Filesize 768KB)
  • memory/2380-25-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-14-0x0000000074B90000-0x000000007527E000-memory.dmp (Filesize 6.9MB)
  • memory/2380-23-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-16-0x00000000049A0000-0x00000000049E0000-memory.dmp (Filesize 256KB)
  • memory/2380-28-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-384-0x00000000049A0000-0x00000000049E0000-memory.dmp (Filesize 256KB)
  • memory/2380-32-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-36-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-18-0x0000000005120000-0x0000000005180000-memory.dmp (Filesize 384KB)
  • memory/2380-44-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-72-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-40-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-80-0x0000000074B90000-0x000000007527E000-memory.dmp (Filesize 6.9MB)
  • memory/2380-48-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-87-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-52-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-82-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-77-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-60-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2380-64-0x0000000008290000-0x0000000008306000-memory.dmp (Filesize 472KB)
  • memory/2744-13-0x00000000001A0000-0x0000000000266000-memory.dmp (Filesize 792KB)
  • memory/2744-17-0x0000000004A20000-0x0000000004A60000-memory.dmp (Filesize 256KB)
  • memory/2744-73-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-61-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-57-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-53-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-86-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-85-0x0000000074B90000-0x000000007527E000-memory.dmp (Filesize 6.9MB)
  • memory/2744-81-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-49-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-76-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-45-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-69-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-37-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-65-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-22-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-389-0x0000000004A20000-0x0000000004A60000-memory.dmp (Filesize 256KB)
  • memory/2744-33-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-2439-0x0000000074B90000-0x000000007527E000-memory.dmp (Filesize 6.9MB)
  • memory/2744-19-0x0000000004E60000-0x0000000004EC8000-memory.dmp (Filesize 416KB)
  • memory/2744-29-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-41-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-15-0x0000000074B90000-0x000000007527E000-memory.dmp (Filesize 6.9MB)
  • memory/2744-24-0x0000000006720000-0x0000000006787000-memory.dmp (Filesize 412KB)
  • memory/2744-20-0x0000000006720000-0x000000000678C000-memory.dmp (Filesize 432KB)