Overview

overview

10

Static

static

10

eb1807ea8c...d5.exe

windows7-x64

10

eb1807ea8c...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    08/02/2024, 16:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe

  • Size

    2.2MB

  • MD5

    84c895e5e9d2e8a4a33bcc6ec7657b20

  • SHA1

    f7efe5f005597309a25ad8eeaba6c77dff827caf

  • SHA256

    eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5

  • SHA512

    423841c1d334029bcfc4265b9599d219d42e8938504d9e9af0691111cbdb24c1d0a3712176b96faf0596732fa65129ee8e49a0a38efdfcfd3b212be82208ddff

  • SSDEEP

    24576:2TbBv5rUyXVgEtP/SRdxjxY8eCpDbZXvSBNOjABV+m/dynu46+I9KTVQpeeKghOL:IBJLj8ZbkNF0m/0vV1eKghUYFtML/sJU

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe
    "C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
          "C:\PortproviderwinMonitorSvc/ContainerserverFontSavessession.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8yXT8NHeen.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1536
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:1388
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:2080
              • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
                "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2628
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2236
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1964
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\PortproviderwinMonitorSvc\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1412
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\PortproviderwinMonitorSvc\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe
      Filesize

      251B

      MD5

      288ece3d2e1006c5fa8a526d2d0fab12

      SHA1

      b466938792d856b963788f55037be3893024169f

      SHA256

      47a7ef36b24fc4250a41e93d7e132fee06b972b98317e6226814e676092b1fb1

      SHA512

      f818e2293f7128d1d12eeb577bbb1f9d16f0208a2b2c68d30f4b12e7ebececdc93c6b272810efb22d9b4778105e0ffc5da095feeda50ccfe9efecd52644a69b7

      Download Submit

    • C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat
      Filesize

      101B

      MD5

      a1e10402205eb4379b696c320914eea5

      SHA1

      048575ccf93cf9d1e039b1b1bce5eb97d61e1048

      SHA256

      0861e3de74e15568d8ed44ff86fea6f446ba8eb1561ec374202b4ebba7e279b5

      SHA512

      fde6ddd99da5609f138badeb28f448a2b673374a1c19eee36f9215c11efe96d7d9d64a396dcbfccc911ed26915c14ace092f10b821707162cd634d08663ad427

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\8yXT8NHeen.bat
      Filesize

      198B

      MD5

      6ac992cdfd5f4f42e6a8661318885b54

      SHA1

      5a1e336a6487a8cef8e833f31f52bbc0b956c7a2

      SHA256

      8781ac597030e1fa0efc7593ec1ebe456f2b9ec5270447bbcb7fa4953767d761

      SHA512

      44c52dc1274aca67e8cc38c18fae3bc02684cb1fc818337c3f656e512367a4c7854eaeb4d83637850749c253b3a85f549710d35a084b69e53d0c1ec5f120fbe7

      Download Submit

    • \PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
      Filesize

      1.9MB

      MD5

      d67f722b73a3cbef568a2e3124a4bc04

      SHA1

      27e0a75a646fb2869b31eab2f34f1de4db7e35e6

      SHA256

      b83aed8214e0f95cb74b9b2bbc49b16bd46cc46a9ec620a4ab1a3ddbde34c303

      SHA512

      c050652f2b11f4ad3ff9832f894ae6ada16400c41576b64e9bcfa2b785f15987b7d846f9bb597c4495edad91b4c67a8d601d5757afee39ed890148461f6de9bb

      Download Submit

    • memory/1824-69-0x00000000770E0000-0x00000000770E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1824-68-0x00000000770F0000-0x00000000770F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1824-73-0x000000001B500000-0x000000001B580000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1824-72-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1824-71-0x00000000770D0000-0x00000000770D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1824-92-0x000000001B500000-0x000000001B580000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1824-93-0x000000001B500000-0x000000001B580000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1824-74-0x000000001B500000-0x000000001B580000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1824-66-0x0000000077100000-0x0000000077101000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1824-61-0x000000001B500000-0x000000001B580000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1824-60-0x0000000077120000-0x0000000077121000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1824-59-0x000000001B500000-0x000000001B580000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1824-58-0x0000000000130000-0x0000000000131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1824-57-0x000000001B500000-0x000000001B580000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1824-55-0x00000000012A0000-0x0000000001492000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1824-56-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2564-19-0x0000000000810000-0x0000000000890000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2564-52-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2564-35-0x00000000003F0000-0x00000000003FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2564-33-0x00000000770D0000-0x00000000770D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-32-0x00000000003A0000-0x00000000003AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2564-30-0x00000000770E0000-0x00000000770E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-29-0x0000000000390000-0x000000000039E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2564-27-0x00000000770F0000-0x00000000770F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-26-0x00000000003D0000-0x00000000003E8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2564-24-0x0000000077100000-0x0000000077101000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-23-0x00000000003B0000-0x00000000003CC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2564-21-0x0000000000380000-0x000000000038E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2564-18-0x0000000077120000-0x0000000077121000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-17-0x0000000000810000-0x0000000000890000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2564-16-0x0000000000340000-0x0000000000341000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2564-15-0x0000000000810000-0x0000000000890000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2564-14-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2564-13-0x00000000008A0000-0x0000000000A92000-memory.dmp

      Filesize

      1.9MB

      Download