Overview

overview

10

Static

static

10

0874096005...14.exe

windows7-x64

10

0874096005...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2024, 02:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe

  • Size

    1.9MB

  • MD5

    14f6f2650e4115f846437a021780ad79

  • SHA1

    11825457804c1aec20dfb7049bc9d21e409e8094

  • SHA256

    08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14

  • SHA512

    97b6237d078fde08a90dfd6d30f6196c17bf1b5ed02e5114d51fd0800e77dea5a27868dcea011347f79b6d19c3dd854fa8de118cedb61708d5e124e6e337ebf8

  • SSDEEP

    24576:2TbBv5rUyXVHz9DD003FvrxyYsw14gO8clrAVwMsxeCXEaSmzFN4DKIaUfReHUBr:IBJTBn1UrAVslhPFN6mcMUB+OZwfu5Xl

Score
10/10
zgratevasionrat

Malware Config

Signatures

  • Detect ZGRat V1 5 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables packed with unregistered version of .NET Reactor 5 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
    "C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:2676
        • C:\chainCrt\ComContainerServercomponentDll.exe
          "C:\chainCrt/ComContainerServercomponentDll.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xtnlk7Fmr.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:1980
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2268
                • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe
                  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2200

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe
        Filesize

        960KB

        MD5

        f794898a90b74b144ecdc2087bfa048e

        SHA1

        af51a5b4ebb95a636bc848732808fd7e42e0f475

        SHA256

        8f16699c7511be45ec5b19d5275098bd58709af02e17d5494d0992d9378309ac

        SHA512

        81a9dc22018822176cafa6981848ccb91b74e1845c7eaa26055647f0266875862793ac623a2d6546601ccca61b64a9326a780773ad8c299a70d0ec15ae7c50e6

        Download Submit

      • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe
        Filesize

        896KB

        MD5

        85b02c1310719e014723a849271b845e

        SHA1

        be3d0085f8f86c2388e45186996abd1643f2d19f

        SHA256

        d8d08612d1e81f9764933efeb9403dfb40b69f5ab9088b9d465d29e46fdabc34

        SHA512

        5cb5b071017449d034f6e839a8ec6398975790640905696d53ec48456ad0c073bdaaa0a70c69317ee041663e8927cf5d18b895588cc5e7bf88c078a452174df3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\8xtnlk7Fmr.bat
        Filesize

        252B

        MD5

        0caf7333eaa1e62a9306fa587085fb11

        SHA1

        bf93d983015407de7f2c338af7c97020a7d3fd79

        SHA256

        5f4cf3ef21c138fb2cab830434e07122dc76337925a719fa39c26ac607feac5e

        SHA512

        ab74624725bea137f860a17b249c696c1a7dd9609bde962d88a4c7b24dfd9ae8024a5c565935b2d557e3840bef5f920dd271f14423f629816c067a1aea4ff11d

        Download Submit

      • C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat
        Filesize

        219B

        MD5

        2c6552d7067705b8adc060be796cc726

        SHA1

        f1f4ca6df3799590d29048d8c0ef8c377b72b29a

        SHA256

        8f6048c3efd9407d6e5503aa6d2bc17b0c9c73ea883e5567f30ee15c39af7034

        SHA512

        969bb134f916e45c9f899ccaca82b1e5b5ad9859c758d5f0a514fa0b4d40c079ac14684d2066dbc29eca7e5d9271c3400d6b6fb9bb2707a85ce23edb7065c75d

        Download Submit

      • C:\chainCrt\ComContainerServercomponentDll.exe
        Filesize

        1.6MB

        MD5

        c85bd715ac92063c07314d1ce33bb5a1

        SHA1

        36d690ccafaf3bcf312cb6055b1c33d18631cc01

        SHA256

        a4bf8ca2423567b154b8938d825125d86763fc6cade00de52e90af39e17b366b

        SHA512

        d5ab6661b7d00c54d486276e7744df1e55dac9e44c498c93ecac4e7250634be38be826ff5dbe3be8176fe32750e98e7b8525e6eb388473bd46ae946c3bf32fe0

        Download Submit

      • C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe
        Filesize

        222B

        MD5

        864c2b2879ddb78e052cd8710b7c74e2

        SHA1

        065354d8ea5079825a29f4f9fb5a8f9fdddd660e

        SHA256

        fe19dff47eb716ff953aadbc4db9de1925f2c082c0030171687b925a5de56360

        SHA512

        08610b687b5eddd01eb77fcd18e1ad9098a471d2ed366b4c244c9a973eaef76e1b5dd8a4c1f0e65d71734f0412a228360fe2f110128ff3b191c37a4527f2d11f

        Download Submit

      • memory/2200-39-0x0000000000B10000-0x0000000000B90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-43-0x0000000000B10000-0x0000000000B90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-46-0x0000000000B10000-0x0000000000B90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-45-0x0000000000B10000-0x0000000000B90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-44-0x0000000000B10000-0x0000000000B90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-35-0x0000000001070000-0x000000000120A000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2200-37-0x0000000000B10000-0x0000000000B90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-36-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2200-38-0x00000000001B0000-0x00000000001B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2200-42-0x0000000000B10000-0x0000000000B90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-40-0x0000000000B10000-0x0000000000B90000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2200-41-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2812-13-0x0000000000FD0000-0x000000000116A000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2812-16-0x00000000003C0000-0x00000000003C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2812-14-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2812-15-0x000000001B1A0000-0x000000001B220000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2812-32-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

        Filesize

        9.9MB

        Download