Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
18-01-2024 01:27
General
-
Target
1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe
-
Size
2.2MB
-
MD5
506cd587919d4bb571795ea1c1e64d80
-
SHA1
c04c19373251eb40197975fbf901ff802e92e22d
-
SHA256
1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256
-
SHA512
ab9577410cb2eb1e0fd3e71c2c5d3d13a38563db70e7017734f5067171442b561b1297bf339ddfa54ae266c720a383c7e4c7a63b23a6cdb433651b7ed8cbc30b
-
SSDEEP
24576:2TbBv5rUyXVl6fDEs25370/5lJHI2cxaSzXykO0eW66f3XEWpEmEQ/2VmCthZ2yt:IBJEECrHjxdXZsUWzuUQME46LMEQ70
Malware Config
Signatures
-
Detect ZGRat V1 9 IoCs
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe"C:\Users\Admin\AppData\Local\Temp\1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\HyperchainserverRefBroker\15rdJvHs8fLqyO2NujCXYGmVvYkYhVqPlDU.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\HyperchainserverRefBroker\aChfOVIZNk46BVBd6tQOJDuZO9i8SfzQwF1KcbSw3gaIMh1jz.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
-
C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe"C:\HyperchainserverRefBroker/hyperportServerFontdhcp.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jzxlpwyh\jzxlpwyh.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19E7.tmp" "c:\Windows\System32\CSCD8034E72C4A8452BA6A4642BD0985D4.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z8HBMNttbe.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\MSOCache\All Users\audiodg.exe"C:\MSOCache\All Users\audiodg.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperportServerFontdhcph" /sc MINUTE /mo 14 /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\chcp.comchcp 650011⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost1⤵
- Runs ping.exe
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperportServerFontdhcp" /sc ONLOGON /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperportServerFontdhcph" /sc MINUTE /mo 13 /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252B
MD54a61f0d242786b7e9caa34fa552a0791
SHA147a7114f25574bf8ba482e561c395c2d942f40d8
SHA2565db96d7ae442161d7e6b12f9bd1380030d7e951cdebfb198bdd3bf76ce514c2f
SHA5124262524a95b9a7756d327ae338d065565c38dd3548679b21ed7593293f2e8703084439dff9fb44d7c8667115adeda4f262ccbbe43dd39e215d77e51369ddd042
-
Filesize
210B
MD5bdec11d125abfe788f5249bd9f8e8453
SHA1e5850a47337f36270fdc5bb49c57a4f81358730b
SHA256836e8052513d49530612a8f405e1eeef196834e6431b345eaebd09dc23693c50
SHA5129c8418bec2565a82f200d40cf9254d3219f9f81da1a55e1d4c88bab0de3947986c94168c4db53c6e49191030c81c9284ecb4c3429d3d0cfe48421a26de7c623f
-
Filesize
611KB
MD5f77765e7bae242dead92b0bfd9f4f28a
SHA16135d7937a24f69519fef8f56f6fe888b514e457
SHA2569e72d49bd0b8796f88346448f85dbb34ef59294e842e9544a6496017eda8704e
SHA5124635a0ea802a6ede44b554195b6e61ee900ed81491f7c2f7bbb1bd69f71ed84b4c7a1378ad7cfa399c3dc6ab0bfaf259c8d7491f67405ffdfce0eefefa92e00d
-
Filesize
552KB
MD553fcd61bfa58d229051aa3bfe7a644b4
SHA1d6c7c8b24173bb4a0a9430dba7c52d7c015e896d
SHA256211d77880a6f18e6307ac87704222918f8287c3aeb397e5ea00e33fa9b27b5cf
SHA512bf6339b10f50673705fed5880a173725d79593b02695e5da8fe472738974f859ed46d6a8889e354510ba3faff02badff8e942b3578acf42e0c49f50fe0b89d5d
-
Filesize
1.1MB
MD5dfdc27573faf32baa37ee3d7d8928754
SHA1d1a04b6da47b1f5f3be65464da3808a4e03b2f6a
SHA25658c74642aff93dc24801ab348c4c731f795727a4059a23c51ed375b752f0ca39
SHA5127f7215ab313b6deb09b5ed8509cb4b68332d9feca5686bc14d3825fafb20671e61b6a7eb05b73484e9c8f8b911c0068a42af9bbc2e4a93dd847106c875efae60
-
Filesize
923KB
MD575004db81702a9f9f3a2ad313b304781
SHA1d770e611d51d42217a667effc50e91101dfbd65d
SHA2563a95805a703ab21dca070966b86702629c27a2e94939497ae4e95301739bc349
SHA5124225b1e685270859e0f94156a347ed60fa1f058bf2f9cb633fdf9d54b4ae2fb9b5f8e2370a7c18f6838e61f476e7c2a2d4d732719ec6e47b62d4dcc357e1c4b3
-
Filesize
574KB
MD5c43bf3a41db4df8877244f6785647ab7
SHA18213b1ff53681a069d72200be62202bcbbba40c8
SHA256d08412ff2219d8eec39f2d8eb7b29018df07646d42ad58e3cae86c623bf8b06f
SHA512857ca1f6c54aeef9814f098a1e66a253a1889f1f935119a8189ea5b0cf5146ad7473239eed9b7e9f88deb737047516825e47ad383b29b2a90fa51dd5ebc73714
-
Filesize
1KB
MD507196fae7b06e47f6dcea15c20a0ce45
SHA13c19cd74603129291e3057bcf4fa1ab295f35de7
SHA256c8ebfe6d7cb563908a0b56a37803a21fd6b5c57cfd64f988682057c92c68ecf4
SHA512e5b1937303bb85d88ec85d87b0f4a8d517c75486b0cc949343b92f0726db17ae4e93ff60fb9f2ad3151d1640f0de06e16457b884b722be7654e25681452b5629
-
Filesize
161B
MD52bbb4511e9d388c749d068b641179324
SHA1bc9e5d0a91df8bdf01c1b94eec92da202b091fa8
SHA2561f1630d8ba23d17b9423e26d68eefe1cd2087d7b3ca113e0b954bcf131cc2eb4
SHA512581ecced19dc9d7387379ce8e38854e4a0743de3ade85f47d3a670ca8b04ba0c57821abcd5bb14bd578560464755d17a0ae2177e3152298bb3d7ea9fafc9f885
-
Filesize
365B
MD5e27f70ee267e36afee068bfcb7b8e8f4
SHA1ce0f8742792e715abb2c57da9b4ee7703c6fb9a2
SHA25670c8619aaeb2086fa181d29a41ebaa30ea1519e1dbc74d8bddc188777cfda636
SHA51250d23a62bdffc140e4a90736e1bcbe1f94a17282ee74de5e43665495acf18dc5a885815754fab83d6dcfa9e553624787f40502c22f4801b826b6494363607a37
-
Filesize
235B
MD5c1a1006bbf6fa1aead242d0114cbe948
SHA144db79d34fbd25607232525f8614f23a1bf0ea4b
SHA256176226675ae0ca146fc708837e1ed48eaf61db748db7af812fe02f917ac5f4df
SHA5126a615a3eeb1aa36408ee8f137bbe73d5c55bfa23ce004edf546fcbc6ec4582f6e883a5cd9daadc22cc707a98b9b85aeed2d1f3345271a6c7ef02f86458d2ecc2
-
Filesize
1KB
MD53fcb2bd8a227751c0367dff5940613bb
SHA1bcca174ab4499de5713d836fbc368966aa1f5b2c
SHA256aca1f364ec354097cdecc50336698c1180b10ae84fc6051eab154482e0965e8c
SHA512c7357bb6ee27df96ba39066e893ce8521cb1d5c550be24ced7f860e11cc36ecc04fbec14f61da920bca04e0ae150df8dbc53de0c4a6880afa6067bccfe767672
-
Filesize
636KB
MD578a58254bb08ed85490d5950cafba3bc
SHA1bdb7ff19afb2ec691226ba904029c5767d949669
SHA25631dc93030238a95280b5f6fa049560c7103260ff13d09338e6a64090f2033ce2
SHA512118b0c02e767e9f2fdfffcba3bb9f3198ca8b44738fdef2f0fc20a65b3e5a3da3fdad2bc0330a6262b5e8d2f808de0980be5b8cf7d0863866e95e57bd14c50f0
-
Filesize
1.3MB
MD5c27b78933127b54aa18c33e4683ca483
SHA1a321d87d34b6af6aae6250835f87a420422994e1
SHA2567be51fa54cc1f6122ac36a92c18a2dddacc4892330309d21e210ef977bcf3c59
SHA512c290deaffb20d515f66775e7065419fbccce79543511bd07f1ee4eab6eb4c358acf5466ff0d6a449e68250efd264c5c10ace5536bc4e4b7ac7d310b13b85bff9
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
1.9MB