Overview

overview

10

Static

static

3

586f79d31e...12.exe

windows7-x64

10

586f79d31e...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13-01-2024 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    586f79d31e3b60f3737c247810e56612.exe

  • Size

    1.8MB

  • MD5

    586f79d31e3b60f3737c247810e56612

  • SHA1

    ec148bed94d3a4e9dabe517533a74b6021d02fef

  • SHA256

    bf6b69cb7063d748e6404300ed8b587473b20b2239605862ccbec909bccf7485

  • SHA512

    0c72552226bebd0b71e789a875693fd157c3071e14ca5abebdb54e1d6cddb326be0db3a7c37957ab0b1a1cf090e3784c09e5085c1e322e16e9984c5e9af5142b

  • SSDEEP

    49152:V2GnkYpnt6j4Va7ep3sQDHDdtf4NN3cpbV:Vk0y4VoeN1DLfiKbV

Score
10/10
zgratpersistencerat

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
    "C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2504
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\outlook.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
    • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
      C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
      2⤵
        PID:2520
      • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
        C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
        2⤵
          PID:2844
        • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
          C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
          2⤵
            PID:2532
          • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
            C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
            2⤵
              PID:2384
            • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
              C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
              2⤵
                PID:2700
              • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                2⤵
                  PID:2588
                • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                  C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                  2⤵
                    PID:2788
                  • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                    C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                    2⤵
                      PID:2596
                    • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                      C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                      2⤵
                        PID:972
                      • C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                        C:\Users\Admin\AppData\Local\Temp\586f79d31e3b60f3737c247810e56612.exe
                        2⤵
                          PID:784

                      Network

                      MITRE ATT&CK Matrix ATT&CK v13

                      Initial Access

                      Execution

                      Persistence

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Privilege Escalation

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Defense Evasion

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Discovery

                      System Information Discovery

                      1
                      T1082

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Resource Development

                      Reconnaissance

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\_Ycpntjpyqzgdwajef.vbs
                        Filesize

                        137B

                        MD5

                        41c8a8551ff6fc7a2b9aadcff976ca0f

                        SHA1

                        444db8be2af0b1128229ac46e4963e0570159c3c

                        SHA256

                        bc147b5a209f5db13fa86ce6906be0d4dfec76469af3f304d490f10443cf5df5

                        SHA512

                        b52b716c3827a20d9298a32c8243f8e506c77c4be10e29e39a17ba303d0c65d70e257ab4f1c7368e99608c53ec12e6a1e7287e3d644df1f4cdbc539a501763c8

                        Download Submit
                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                        Filesize

                        7KB

                        MD5

                        40f90abf3191cb894e9696f4079a4b38

                        SHA1

                        02b37e6d75d752756f9876f519a80459709a6fd2

                        SHA256

                        1d685a31a6111e4d8c9a5d2f85d12fb768aefb7fa8235d1abbcbb217299ccb60

                        SHA512

                        a0cab38fb3a4021fe69ec717244d3af1e430f625afcc19f99cdcd9ff626087f2e6ef43b5a4fcbfa4a364f4be1ee68477c9c3c2dd55b928610caeafef82a8f129

                        Download Submit
                      • \??\PIPE\srvsvc
                        MD5

                        d41d8cd98f00b204e9800998ecf8427e

                        SHA1

                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                        SHA256

                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                        SHA512

                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                        Download Submit
                      • memory/2476-2380-0x000000006F760000-0x000000006FD0B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/2476-2378-0x000000006F760000-0x000000006FD0B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/2476-2379-0x0000000002A10000-0x0000000002A50000-memory.dmp
                        Filesize

                        256KB

                        Download
                      • memory/2476-2381-0x0000000002A10000-0x0000000002A50000-memory.dmp
                        Filesize

                        256KB

                        Download
                      • memory/2476-2382-0x000000006F760000-0x000000006FD0B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/2504-20-0x000000006F4A0000-0x000000006FA4B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/2504-15-0x000000006F4A0000-0x000000006FA4B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/2504-17-0x000000006F4A0000-0x000000006FA4B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/2504-16-0x0000000002870000-0x00000000028B0000-memory.dmp
                        Filesize

                        256KB

                        Download
                      • memory/2504-19-0x0000000002870000-0x00000000028B0000-memory.dmp
                        Filesize

                        256KB

                        Download
                      • memory/2928-69-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-53-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-21-0x0000000004DC0000-0x0000000004E00000-memory.dmp
                        Filesize

                        256KB

                        Download
                      • memory/2928-22-0x00000000080C0000-0x0000000008274000-memory.dmp
                        Filesize

                        1.7MB

                        Download
                      • memory/2928-23-0x00000000026D0000-0x0000000002748000-memory.dmp
                        Filesize

                        480KB

                        Download
                      • memory/2928-45-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-71-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-87-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-85-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-83-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-81-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-79-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-77-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-75-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-73-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-0-0x00000000000C0000-0x0000000000292000-memory.dmp
                        Filesize

                        1.8MB

                        Download
                      • memory/2928-67-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-65-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-63-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-61-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-59-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-57-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-55-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-18-0x0000000074550000-0x0000000074C3E000-memory.dmp
                        Filesize

                        6.9MB

                        Download
                      • memory/2928-51-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-49-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-47-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-43-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-41-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-39-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-37-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-35-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-33-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-31-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-29-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-27-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-25-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-24-0x00000000026D0000-0x0000000002742000-memory.dmp
                        Filesize

                        456KB

                        Download
                      • memory/2928-1-0x0000000074550000-0x0000000074C3E000-memory.dmp
                        Filesize

                        6.9MB

                        Download
                      • memory/2928-2-0x0000000004DC0000-0x0000000004E00000-memory.dmp
                        Filesize

                        256KB

                        Download
                      • memory/2928-2377-0x0000000074550000-0x0000000074C3E000-memory.dmp
                        Filesize

                        6.9MB

                        Download
                      • memory/3056-8-0x0000000002990000-0x00000000029D0000-memory.dmp
                        Filesize

                        256KB

                        Download
                      • memory/3056-5-0x000000006F790000-0x000000006FD3B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/3056-6-0x0000000002990000-0x00000000029D0000-memory.dmp
                        Filesize

                        256KB

                        Download
                      • memory/3056-7-0x000000006F790000-0x000000006FD3B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/3056-9-0x000000006F790000-0x000000006FD3B000-memory.dmp
                        Filesize

                        5.7MB

                        Download