Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
08-02-2024 16:29
General
-
Target
eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe
-
Size
2.2MB
-
MD5
84c895e5e9d2e8a4a33bcc6ec7657b20
-
SHA1
f7efe5f005597309a25ad8eeaba6c77dff827caf
-
SHA256
eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5
-
SHA512
423841c1d334029bcfc4265b9599d219d42e8938504d9e9af0691111cbdb24c1d0a3712176b96faf0596732fa65129ee8e49a0a38efdfcfd3b212be82208ddff
-
SSDEEP
24576:2TbBv5rUyXVgEtP/SRdxjxY8eCpDbZXvSBNOjABV+m/dynu46+I9KTVQpeeKghOL:IBJLj8ZbkNF0m/0vV1eKghUYFtML/sJU
Malware Config
Signatures
-
Detect ZGRat V1 2 IoCs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe"C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe"C:\PortproviderwinMonitorSvc/ContainerserverFontSavessession.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3OCCoXM78I.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
C:\PortproviderwinMonitorSvc\dllhost.exe"C:\PortproviderwinMonitorSvc\dllhost.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BangdtZtLJ.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
C:\PortproviderwinMonitorSvc\dllhost.exe"C:\PortproviderwinMonitorSvc\dllhost.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\odt\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\odt\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk-1.8\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk-1.8\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exeFilesize
1.9MB
MD5d67f722b73a3cbef568a2e3124a4bc04
SHA127e0a75a646fb2869b31eab2f34f1de4db7e35e6
SHA256b83aed8214e0f95cb74b9b2bbc49b16bd46cc46a9ec620a4ab1a3ddbde34c303
SHA512c050652f2b11f4ad3ff9832f894ae6ada16400c41576b64e9bcfa2b785f15987b7d846f9bb597c4495edad91b4c67a8d601d5757afee39ed890148461f6de9bb
-
C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbeFilesize
251B
MD5288ece3d2e1006c5fa8a526d2d0fab12
SHA1b466938792d856b963788f55037be3893024169f
SHA25647a7ef36b24fc4250a41e93d7e132fee06b972b98317e6226814e676092b1fb1
SHA512f818e2293f7128d1d12eeb577bbb1f9d16f0208a2b2c68d30f4b12e7ebececdc93c6b272810efb22d9b4778105e0ffc5da095feeda50ccfe9efecd52644a69b7
-
C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.batFilesize
101B
MD5a1e10402205eb4379b696c320914eea5
SHA1048575ccf93cf9d1e039b1b1bce5eb97d61e1048
SHA2560861e3de74e15568d8ed44ff86fea6f446ba8eb1561ec374202b4ebba7e279b5
SHA512fde6ddd99da5609f138badeb28f448a2b673374a1c19eee36f9215c11efe96d7d9d64a396dcbfccc911ed26915c14ace092f10b821707162cd634d08663ad427
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.logFilesize
1KB
MD5935ecb30a8e13f625a9a89e3b0fcbf8f
SHA141cb046b7b5f89955fd53949efad8e9f3971d731
SHA2562a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9
SHA5121210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa
-
C:\Users\Admin\AppData\Local\Temp\3OCCoXM78I.batFilesize
168B
MD526a038435ad5e23b95a54f9a8691dce1
SHA1cbf013d324a203f0bf71698a762ffe6a441ee9f6
SHA256c6eec864ff4385f16519e85b1169b34d6e655a0835e0bc88e7c69568ebbc8f21
SHA5125da99dc044919c59f53609266ee33eedb97eb11be9346d40c67d8511e4ee3311e4a3a57604257c1a752669f87606da7232ac92266173fc2fbc55b734acdf8fdd
-
C:\Users\Admin\AppData\Local\Temp\BangdtZtLJ.batFilesize
216B
MD527bddc4b2c65c27cc6d2e833dc157f5e
SHA1b8082672413745ea7d02cca1330f92b2b6403f4e
SHA2569970888c1c2ccd04f3f5ff113cafe1d9db65a8f5a1cfc99ca6e59e6f12cb49d9
SHA5125d3b72c0c3306dbae9166ba62b374d71c174e6355ca43d5810a5fda37aa68c718154dccba61194de1526ece077c25ef275ba1ecf36de0057119ec246621e99f8
-
memory/3444-86-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/3444-68-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/3444-78-0x00007FFEDBD30000-0x00007FFEDC7F1000-memory.dmpFilesize
10.8MB
-
memory/3444-75-0x00007FFEF9F30000-0x00007FFEF9F31000-memory.dmpFilesize
4KB
-
memory/3444-74-0x00007FFEF9F40000-0x00007FFEF9F41000-memory.dmpFilesize
4KB
-
memory/3444-72-0x00007FFEF9F50000-0x00007FFEF9F51000-memory.dmpFilesize
4KB
-
memory/3444-69-0x00007FFEF9F60000-0x00007FFEF9F61000-memory.dmpFilesize
4KB
-
memory/3444-79-0x00007FFEF9F20000-0x00007FFEF9F21000-memory.dmpFilesize
4KB
-
memory/3444-66-0x00007FFEF9F70000-0x00007FFEF9F71000-memory.dmpFilesize
4KB
-
memory/3444-85-0x00007FFEDBD30000-0x00007FFEDC7F1000-memory.dmpFilesize
10.8MB
-
memory/3444-65-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/3444-64-0x00000000030B0000-0x00000000030C0000-memory.dmpFilesize
64KB
-
memory/3444-63-0x00000000030B0000-0x00000000030C0000-memory.dmpFilesize
64KB
-
memory/3444-62-0x0000000001600000-0x0000000001601000-memory.dmpFilesize
4KB
-
memory/3444-61-0x00007FFEDBD30000-0x00007FFEDC7F1000-memory.dmpFilesize
10.8MB
-
memory/4232-26-0x000000001B7C0000-0x000000001B810000-memory.dmpFilesize
320KB
-
memory/4232-13-0x00007FFEDC080000-0x00007FFEDCB41000-memory.dmpFilesize
10.8MB
-
memory/4232-38-0x00007FFEF9F20000-0x00007FFEF9F21000-memory.dmpFilesize
4KB
-
memory/4232-35-0x0000000002D00000-0x0000000002D0E000-memory.dmpFilesize
56KB
-
memory/4232-56-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/4232-55-0x00007FFEDC080000-0x00007FFEDCB41000-memory.dmpFilesize
10.8MB
-
memory/4232-33-0x00007FFEF9F30000-0x00007FFEF9F31000-memory.dmpFilesize
4KB
-
memory/4232-32-0x00007FFEF9F40000-0x00007FFEF9F41000-memory.dmpFilesize
4KB
-
memory/4232-31-0x0000000002CF0000-0x0000000002CFE000-memory.dmpFilesize
56KB
-
memory/4232-29-0x00007FFEF9F50000-0x00007FFEF9F51000-memory.dmpFilesize
4KB
-
memory/4232-28-0x0000000002D30000-0x0000000002D48000-memory.dmpFilesize
96KB
-
memory/4232-23-0x0000000002D10000-0x0000000002D2C000-memory.dmpFilesize
112KB
-
memory/4232-24-0x000000001B840000-0x000000001B850000-memory.dmpFilesize
64KB
-
memory/4232-25-0x00007FFEF9F60000-0x00007FFEF9F61000-memory.dmpFilesize
4KB
-
memory/4232-21-0x00007FFEF9F70000-0x00007FFEF9F71000-memory.dmpFilesize
4KB
-
memory/4232-20-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/4232-18-0x0000000002CA0000-0x0000000002CAE000-memory.dmpFilesize
56KB
-
memory/4232-19-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/4232-16-0x000000001B840000-0x000000001B850000-memory.dmpFilesize
64KB
-
memory/4232-15-0x000000001B840000-0x000000001B850000-memory.dmpFilesize
64KB
-
memory/4232-14-0x0000000001270000-0x0000000001271000-memory.dmpFilesize
4KB
-
memory/4232-37-0x0000000002D50000-0x0000000002D5E000-memory.dmpFilesize
56KB
-
memory/4232-12-0x00000000008E0000-0x0000000000AD2000-memory.dmpFilesize
1.9MB
-
memory/4308-101-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/4308-140-0x000000001BC20000-0x000000001BC30000-memory.dmpFilesize
64KB
-
memory/4308-90-0x00007FFEDBC80000-0x00007FFEDC741000-memory.dmpFilesize
10.8MB
-
memory/4308-93-0x000000001BC20000-0x000000001BC30000-memory.dmpFilesize
64KB
-
memory/4308-95-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/4308-96-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmpFilesize
760KB
-
memory/4308-98-0x00007FFEF9F70000-0x00007FFEF9F71000-memory.dmpFilesize
4KB
-
memory/4308-99-0x000000001BC20000-0x000000001BC30000-memory.dmpFilesize
64KB
-
memory/4308-92-0x000000001BC20000-0x000000001BC30000-memory.dmpFilesize
64KB
-
memory/4308-91-0x0000000001820000-0x0000000001821000-memory.dmpFilesize
4KB
-
memory/4308-105-0x00007FFEF9F40000-0x00007FFEF9F41000-memory.dmpFilesize
4KB
-
memory/4308-103-0x00007FFEF9F50000-0x00007FFEF9F51000-memory.dmpFilesize
4KB
-
memory/4308-107-0x00007FFEF9F30000-0x00007FFEF9F31000-memory.dmpFilesize
4KB
-
memory/4308-109-0x00007FFEF9F20000-0x00007FFEF9F21000-memory.dmpFilesize
4KB
-
memory/4308-110-0x00007FFEDBC80000-0x00007FFEDC741000-memory.dmpFilesize
10.8MB
-
memory/4308-111-0x000000001BC20000-0x000000001BC30000-memory.dmpFilesize
64KB
-
memory/4308-112-0x000000001BC20000-0x000000001BC30000-memory.dmpFilesize
64KB
-
memory/4308-139-0x000000001BC20000-0x000000001BC30000-memory.dmpFilesize
64KB
-
memory/4308-102-0x00007FFEF9F60000-0x00007FFEF9F61000-memory.dmpFilesize
4KB