Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
12/01/2024, 22:33
General
-
Target
011c45deea7f50338e56529fb8705caa6e86b3920e7f4f79926bcb7933ffa0ba.exe
-
Size
99KB
-
MD5
94c0ceb9bf2ba3ea4b60d67db728132c
-
SHA1
1fa5ca6058e19602675076907748b08948495897
-
SHA256
011c45deea7f50338e56529fb8705caa6e86b3920e7f4f79926bcb7933ffa0ba
-
SHA512
2d5e24f01237875317272afec8c0fcfbbee5bf56532332f129345931f0c1444f84a0f0415cf72ce4872e90157c5229338b8fc7cff4404d60e68a1ff80a5aeb88
-
SSDEEP
1536:TaRU9m4HYvSIX0u+7+j71+s5g2YEcIQ7/AzWOWuEdeHZMcziqU1ZyiL:BOhX0N7+f135dcIxWazScuqCMY
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\011c45deea7f50338e56529fb8705caa6e86b3920e7f4f79926bcb7933ffa0ba.exe"C:\Users\Admin\AppData\Local\Temp\011c45deea7f50338e56529fb8705caa6e86b3920e7f4f79926bcb7933ffa0ba.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\temo_clean\client32.exeC:\Users\Admin\AppData\Local\temo_clean\client32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "temo_clean" /tr "C:\Users\Admin\AppData\Local\temo_clean\client32.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD557e3a39940a2e1c44beb4f9db2bff62a
SHA1385322bc1caab1a92ee1309b3d1f8ed49fecce6b
SHA256198487618c0a63e523213a3971209a22489c927e768cc6d7b9203ab89edde96d
SHA5120c779f67baffe73a4505705abb90439667840a85b2af9a0008134cce58d9c0d1d635e4021e30fb188d2c442cb29f1ed52afc96aa0e4a912394c73c8f90e6ffe4
-
Filesize
382KB
MD558b4be66a38037a265426c3f2b8ee6b1
SHA115f2ef08d83263e6bf446f861b710fa6f964d886
SHA2561b43c858724e96d38289ba0a2d7de79edf9e5d22981e717e97027866880cf35a
SHA512711590f09c03390c971679513836e0b44cf8100e59a4ce735822f5b4f01f6164bd63a7b888f076de348122c99c58f1ea1e9afa6e71a270bdcc0e83069dcc7a02
-
Filesize
662KB
MD5bdebdc0f9f0dd28021ed0e4ae807b4b1
SHA1596f6d02d61202abe452fdfe9f24d9845f46c5fa
SHA25664da8e6543986bda8510358cde7ae6a8bc82e16090bf6bc5a6224a7236fd2d57
SHA5124c7e32771143707c9d22bc29ab4802050aaed6604f94baa9ee96aa007329c1df0a2a051a9971ef75fbbf1f2d66208098b9406e0fd4904b5c4facd6802ded057f
-
Filesize
117KB
MD5a2b46c59f6e7e395d479b09464ecdba0
SHA192c132307dd21189b6d7912ddd934b50e50d1ec1
SHA25689f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1
SHA5124f4479ddcd9d0986aec3d789f9e14f9285e8d9d63a5b8f73c9e3203d3a53cd575b1e15edf0d5f640816bb7f25bd3501244e0f7c181a716a6804742ed2f1cf916
-
Filesize
32KB
MD5dcde2248d19c778a41aa165866dd52d0
SHA17ec84be84fe23f0b0093b647538737e1f19ebb03
SHA2569074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
680KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
652KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
256KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
160KB
-
Filesize
160KB