Analysis Overview
SHA256
8a62013424695bf95dea19f504de1636f2093be8b27c3f314b2daf617b00ec1d
Threat Level: Known bad
The file 8370e6258d17dbbf8e9f4f3dced934ab was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-02-06 17:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 17:01
Reported
2024-02-06 17:02
Platform
win10v2004-20231215-en
Max time kernel
32s
Max time network
48s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8370e6258d17dbbf8e9f4f3dced934ab.exe
"C:\Users\Admin\AppData\Local\Temp\8370e6258d17dbbf8e9f4f3dced934ab.exe"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\UnlockInstall.dotx"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 216.120.118.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.255.100.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.237.102.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.195.83.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.116.99.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.234.66.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.6.77.100.in-addr.arpa | udp |
Files
memory/3076-0-0x00000000752A0000-0x0000000075A50000-memory.dmp
memory/3076-1-0x00000000006C0000-0x000000000073A000-memory.dmp
memory/3076-2-0x0000000005800000-0x0000000005DA4000-memory.dmp
memory/3076-3-0x0000000005180000-0x0000000005212000-memory.dmp
memory/3076-4-0x0000000005170000-0x0000000005180000-memory.dmp
memory/3076-5-0x0000000005130000-0x000000000513A000-memory.dmp
memory/3076-6-0x00000000752A0000-0x0000000075A50000-memory.dmp
memory/3860-7-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-8-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-10-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-9-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-12-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-11-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-14-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-16-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-15-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-17-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-18-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-13-0x00007FFADCC70000-0x00007FFADCC80000-memory.dmp
memory/3860-19-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-20-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-21-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-22-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-23-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-24-0x00007FFB1CBF0000-0x00007FFB1CDE5000-memory.dmp
memory/3860-25-0x00007FFADA730000-0x00007FFADA740000-memory.dmp
memory/3860-26-0x00007FFADA730000-0x00007FFADA740000-memory.dmp
memory/3076-29-0x0000000006520000-0x0000000006568000-memory.dmp
memory/3076-30-0x0000000007B30000-0x0000000007BAA000-memory.dmp
memory/3076-35-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-36-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-38-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-40-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-42-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-44-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-46-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-47-0x0000000005170000-0x0000000005180000-memory.dmp
memory/3076-49-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-51-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-53-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-55-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-57-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-59-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-61-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-64-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-66-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-68-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-70-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-72-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-74-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-77-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-79-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-81-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-83-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-85-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-87-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-89-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-91-0x0000000007B30000-0x0000000007BA3000-memory.dmp
memory/3076-93-0x0000000007B30000-0x0000000007BA3000-memory.dmp