Overview

overview

10

Static

static

10

0874096005...14.exe

windows7-x64

10

0874096005...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2024 02:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe

  • Size

    1.9MB

  • MD5

    14f6f2650e4115f846437a021780ad79

  • SHA1

    11825457804c1aec20dfb7049bc9d21e409e8094

  • SHA256

    08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14

  • SHA512

    97b6237d078fde08a90dfd6d30f6196c17bf1b5ed02e5114d51fd0800e77dea5a27868dcea011347f79b6d19c3dd854fa8de118cedb61708d5e124e6e337ebf8

  • SSDEEP

    24576:2TbBv5rUyXVHz9DD003FvrxyYsw14gO8clrAVwMsxeCXEaSmzFN4DKIaUfReHUBr:IBJTBn1UrAVslhPFN6mcMUB+OZwfu5Xl

Score
10/10
zgratevasionrat

Malware Config

Signatures

  • Detect ZGRat V1 7 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables packed with unregistered version of .NET Reactor 7 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
    "C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:384
        • C:\chainCrt\ComContainerServercomponentDll.exe
          "C:\chainCrt/ComContainerServercomponentDll.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2860
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcIwb8DxYe.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2796
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:2744
              • C:\Windows\Help\Corporate\csrss.exe
                "C:\Windows\Help\Corporate\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\cmd.exe
      Filesize

      1.6MB

      MD5

      c85bd715ac92063c07314d1ce33bb5a1

      SHA1

      36d690ccafaf3bcf312cb6055b1c33d18631cc01

      SHA256

      a4bf8ca2423567b154b8938d825125d86763fc6cade00de52e90af39e17b366b

      SHA512

      d5ab6661b7d00c54d486276e7744df1e55dac9e44c498c93ecac4e7250634be38be826ff5dbe3be8176fe32750e98e7b8525e6eb388473bd46ae946c3bf32fe0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\fcIwb8DxYe.bat
      Filesize

      163B

      MD5

      011d5471993852d6ea17abba52ad5c3d

      SHA1

      de15a1ba7af4e0bcdc847d6bc6dbd3d1f6d91904

      SHA256

      31e22e1202fd5a10fce458649f11bfa484716e6c0665ec259104ff22b9e466e6

      SHA512

      db5a15d2092bcd9203eb65658968a217ee589552ef1f46b2c1cf3f2e36a08c241861698cbbe7151b5ec7cb001e212306af092277a4f0251f8dae0a0a500057ae

      Download Submit

    • C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat
      Filesize

      219B

      MD5

      2c6552d7067705b8adc060be796cc726

      SHA1

      f1f4ca6df3799590d29048d8c0ef8c377b72b29a

      SHA256

      8f6048c3efd9407d6e5503aa6d2bc17b0c9c73ea883e5567f30ee15c39af7034

      SHA512

      969bb134f916e45c9f899ccaca82b1e5b5ad9859c758d5f0a514fa0b4d40c079ac14684d2066dbc29eca7e5d9271c3400d6b6fb9bb2707a85ce23edb7065c75d

      Download Submit

    • C:\chainCrt\ComContainerServercomponentDll.exe
      Filesize

      894KB

      MD5

      f9f544b9eaf7bb363e1b63fa20dddb02

      SHA1

      01b269eefe8b36e011f8aa4adf8a474b27521d5f

      SHA256

      38da4875bd7990db8f99f46db041a056a566d3f594063a3b05bb2c2f4e88a0da

      SHA512

      a0f233abac96f0ffb7f00c56ef73a25ec46208658d808acb7d0a647c74c4cc91ed3be581f9f2eaec1f63ee082b6ab2a325c50b65ee26a8f0ba16623c0bf0247d

      Download Submit

    • C:\chainCrt\ComContainerServercomponentDll.exe
      Filesize

      807KB

      MD5

      b32e21c8af8dd314d30f093854b2d036

      SHA1

      eaedd24f38f91cc6cf3805e861c09042d5822ea5

      SHA256

      7b02a937902d0dd5e372501884dbf3f5d41412074e0f66f30ba4c09e45b30872

      SHA512

      49e866ce01c8e58efeb6f2d42887d80ca39f214f3e9c4138731d68780ef255df10e92921ebb468b7f8de67dde9cc8f3ebac47f990f0d979f45c4e15292c47f7a

      Download Submit

    • C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe
      Filesize

      222B

      MD5

      864c2b2879ddb78e052cd8710b7c74e2

      SHA1

      065354d8ea5079825a29f4f9fb5a8f9fdddd660e

      SHA256

      fe19dff47eb716ff953aadbc4db9de1925f2c082c0030171687b925a5de56360

      SHA512

      08610b687b5eddd01eb77fcd18e1ad9098a471d2ed366b4c244c9a973eaef76e1b5dd8a4c1f0e65d71734f0412a228360fe2f110128ff3b191c37a4527f2d11f

      Download Submit

    • \chainCrt\ComContainerServercomponentDll.exe
      Filesize

      1.0MB

      MD5

      17e5272f9e3281fc0fb1b1c593ddb246

      SHA1

      c3ba495ab01d114c4fc2bc21ab14f7f87a497609

      SHA256

      6b5ea2b83e8f5703ee0afb6f3d5dd9964d01cae6545cdda1da44142397aa26a3

      SHA512

      4d2e230d27b6ec708a0f65b3e806a7122ba5244be36d809321510010a09297abf28f35ceb14983c110592778e266644104c2ada53146b007db297108f15fe10b

      Download Submit

    • \chainCrt\ComContainerServercomponentDll.exe
      Filesize

      64KB

      MD5

      9ed4a7eb53b111c2c928a31493b411dc

      SHA1

      43a875d488594e201a181aa2614c71ec69effd66

      SHA256

      3f94f85c00a3e51ee562948b25c8f1819fb86907fde4cbed295fc9f608dce2cc

      SHA512

      c96f34c6bf5145bfbd730a291dc4780371151486c27dd1340291509c95ba32c4698afe527752116bb7cb035f0f37ff2dd3d2bd95e868ddaecf6af56b7600096d

      Download Submit

    • memory/2752-36-0x0000000000A70000-0x0000000000C0A000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2752-45-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2752-43-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2752-46-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2752-44-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2752-47-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2752-37-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2752-38-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2752-39-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2752-40-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2752-41-0x000000001B290000-0x000000001B310000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2752-42-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2860-13-0x0000000000E20000-0x0000000000FBA000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2860-32-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2860-16-0x0000000000330000-0x0000000000331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2860-15-0x000000001B430000-0x000000001B4B0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2860-14-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

      Filesize

      9.9MB

      Download