Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
22/02/2024, 21:41
General
-
Target
3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe
-
Size
3.9MB
-
MD5
c93eb1803d22b1ea86a0e5b4c61ab5fc
-
SHA1
e1be31f724ba662e5067767f6144a3ce64167897
-
SHA256
3b9330b09929cc5391a31e5780a967d26f21b010b586b2226e3d22038226f800
-
SHA512
f2509c0e58064a517708e2cadee34805cf3d25043af41f70a34af69b6acfd74b09f1c0c2dc851128f2777e2e49bd9766c719c0f1f8bcf52d325bff54dcce08e1
-
SSDEEP
98304:yOYX6sYD1rXzznYLGRk3/ZuPqInTeNlZD6jdKkb8p:Fkdq1rIH3/OnaJuy
Malware Config
Signatures
-
Detect ZGRat V1 4 IoCs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe"C:\Users\Admin\AppData\Local\Temp\3b9330b09929cc5391a31e5780a967d26f21b010b586b.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\MsWebSession\aISwmBA1tz2Li9c6LCYbI0c56v7tmGzpAA7ZdNSGvv0YyEqFbmxvfE9xX.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\MsWebSession\28GBsRQl2u5EqD0HGx7YGeYZyO2za9W9ftVvHiRGielbEoVm.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\MsWebSession\agentreviewIntoRefdhcp.exe"C:\MsWebSession/agentreviewIntoRefdhcp.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8k7WoMfspP.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Windows\ShellExperiences\sihost.exe"C:\Windows\ShellExperiences\sihost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Installer\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\MsWebSession\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\MsWebSession\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\MsWebSession\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellExperiences\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MsWebSession\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MsWebSession\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MsWebSession\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95B
MD5d7fa26c8b1aa0d91d5c3682c87970269
SHA19934cb04ec5d81e86519c36c38d9e7caf5c01a1d
SHA256102e9e1f76065e7c6207880bdcdba7cad4aebb61e2644ac80f76ed1a2ca92b1b
SHA51271d72daaab45e8198d375a6fdf78bb7b3173c757cb2b6e349bbe516a67461b8ddb183ab028579f80c44392bba46a00b82f66bc5f01da4297af2a222be7ac5117
-
Filesize
250B
MD5472b891861c2851f23fc56f0da9834f0
SHA11938881b09e054a23c46369d850f92c52a9b1164
SHA256fee3cc05c5cd12982240bd1e83cf2362871ab9b656fd807928387ddb67e831f7
SHA51277850c8c9d95733ff9128a9e19f87be4b64ee450ed4aa27be4dcaceded74c0ec8c05d57d8c78249c30ad8cdfcd96a9eeae51e587adef1ad38cd24a0125cbb129
-
Filesize
3.6MB
MD51e8b556d7c4cefe0023e5ba9b6d021e5
SHA11f2dd53b352fd7b5972b38d1a5eeb2aec378b9e5
SHA2563ed028c17d0038c69998ad942feb78aff2f9f363bae2203250b0eba6ce0d26be
SHA512788395a9013db192ff4054fc766aef4f55335c5816d0b5fa57d3019f7254aea32e194790930bc8255e05e80e9e9d5e2a77d0dfb45aac142c6f65edb9ae6061c0
-
Filesize
320KB
MD532f9c6a2371b00201da5f10ec13d9716
SHA18f07dd41423c695ec7562b7374b460779ca5b791
SHA25634bc05b3274a24a166853240ae0f6293fe3883fc9a64e7c54c29b1a1ea179ae4
SHA512f4a46eb5317fb0970b53e6308e1b9cc5f0c2c3d653c434d1dbba83f38c324f981e95bfce46e806809c35d3373033f7841496a1b81347600a3277158521606f8f
-
Filesize
214B
MD5d9be5c6c98483d078352c7ae22175762
SHA168eded841f818603ef6f56b7f0ae07c1ad662622
SHA256bcf86718d4695f869ab420c72a85331f32bd7ca58f6eec824c421243e8652b42
SHA512ec949fe5bf6bd6b7fef50ee5bd925f90675c0abd347df0f04d8776422b2f0c225ab6af2905d09db1614044210f57e53fe1fadad8e3babaf2dab4fc2f696d6d49
-
Filesize
1024KB
MD55412c370c11788de3c87989f4f48cc89
SHA164bcbcf444ebd77cb6310c2e1016ac7214bd8b6a
SHA25634d1c0bc4e159421d45f3b09cfb20d6745a203e0a2ccb5e82be8caa5d833e8e7
SHA5122525c6c66b5564cbd577065d5a1e4c2443a3d552ff87e94c21f910a2b784424692a8445048df24bb9f179b840d0644720c86d7bd418304a6c7d166dcfc3680a7
-
Filesize
3.6MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
760KB
-
Filesize
152KB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
760KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
5.2MB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
312KB
-
Filesize
4KB
-
Filesize
820KB
-
Filesize
760KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
820KB
-
Filesize
32KB