Analysis
-
max time kernel
145s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
27-02-2024 14:58
General
-
Target
a97286be2249f7896f0a5c171deb80d0.exe
-
Size
2.5MB
-
MD5
a97286be2249f7896f0a5c171deb80d0
-
SHA1
f10351ff6bc3fbababea9bdf13be7e7e4a7d04e5
-
SHA256
95211867154e018e2ab4ca9cb0b4fdf18c2ba79a312ccb01eba95b2eb899d0bd
-
SHA512
bbdce4fe5ef2dcebc15ce92d174cb776de79404c70ab660c4bc5e9546004719c0e180dd185bec1dffc57a0d1be3ba76775b967a0c95f87bb1337a9c4ba110984
-
SSDEEP
49152:KDVzY8tMlX0pXGRMuK3JaEzXW+DHFgmDY8HrsjhqWl:PKGX0ARVK3J5zG+DH2IYysjhRl
Score
10/10
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a97286be2249f7896f0a5c171deb80d0.exe"C:\Users\Admin\AppData\Local\Temp\a97286be2249f7896f0a5c171deb80d0.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection bing.com2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\a97286be2249f7896f0a5c171deb80d0.exeC:\Users\Admin\AppData\Local\Temp\a97286be2249f7896f0a5c171deb80d0.exe2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD585c996d0486c70750a736eac5a012e8d
SHA12336d8444d48cf90b603ebb67113ab5b74138c5e
SHA25692d72835bb959ca79d12d41709147e8cf31054870e172a319b25aa8d1c59cef7
SHA5128d5fbd18e30b278994fc2eb4f393b25807c354055e31274a1a2956998241d8d4450987b2434731c9bd1646aeed48dc0b24df39a66c31c924c4e9bce07d6a49ff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5becf478a566113f2b0ca35d4ee2a7ed6
SHA1d46e47a670f03bb118e96670410445afd521b4d7
SHA2565ded69b35844cac2312f6bd7cb060d256db98141b27ee7beb90e32becd280865
SHA51255507601e2ca5e372f523dabde97608a045300f79c3afb7850baefcd512954de24e16d24c5391466e2f466151efae99f229c8e1e5245ca178a19adcf04b86b21
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/772-54-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/772-53-0x0000000002810000-0x0000000002850000-memory.dmpFilesize
256KB
-
memory/772-50-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/772-51-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/772-52-0x0000000002810000-0x0000000002850000-memory.dmpFilesize
256KB
-
memory/1536-106-0x0000000002540000-0x0000000002580000-memory.dmpFilesize
256KB
-
memory/1536-103-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/1536-104-0x0000000002540000-0x0000000002580000-memory.dmpFilesize
256KB
-
memory/1536-105-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/1536-107-0x0000000002540000-0x0000000002580000-memory.dmpFilesize
256KB
-
memory/1536-108-0x0000000002540000-0x0000000002580000-memory.dmpFilesize
256KB
-
memory/1536-109-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/1656-62-0x0000000002670000-0x00000000026B0000-memory.dmpFilesize
256KB
-
memory/1656-63-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/1656-60-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/1656-61-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/1664-95-0x0000000002410000-0x0000000002450000-memory.dmpFilesize
256KB
-
memory/1664-92-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/1664-93-0x0000000002410000-0x0000000002450000-memory.dmpFilesize
256KB
-
memory/1664-91-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/1664-94-0x0000000002410000-0x0000000002450000-memory.dmpFilesize
256KB
-
memory/1664-96-0x0000000002410000-0x0000000002450000-memory.dmpFilesize
256KB
-
memory/1664-97-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/1928-82-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/1928-81-0x00000000027F0000-0x0000000002830000-memory.dmpFilesize
256KB
-
memory/1928-80-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/1928-83-0x00000000027F0000-0x0000000002830000-memory.dmpFilesize
256KB
-
memory/1928-84-0x00000000027F0000-0x0000000002830000-memory.dmpFilesize
256KB
-
memory/1928-85-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/2040-129-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-141-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-2134-0x0000000073F60000-0x000000007464E000-memory.dmpFilesize
6.9MB
-
memory/2040-175-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-173-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-171-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-169-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-167-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-165-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-163-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-161-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-159-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-157-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-155-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-153-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-151-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-145-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-27-0x0000000004FB0000-0x0000000004FF0000-memory.dmpFilesize
256KB
-
memory/2040-149-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-147-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-19-0x0000000073F60000-0x000000007464E000-memory.dmpFilesize
6.9MB
-
memory/2040-143-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-139-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-137-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-135-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-133-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-131-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-0-0x0000000001310000-0x000000000158A000-memory.dmpFilesize
2.5MB
-
memory/2040-127-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-125-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-2-0x0000000004FB0000-0x0000000004FF0000-memory.dmpFilesize
256KB
-
memory/2040-1-0x0000000073F60000-0x000000007464E000-memory.dmpFilesize
6.9MB
-
memory/2040-110-0x0000000008660000-0x000000000886A000-memory.dmpFilesize
2.0MB
-
memory/2040-111-0x0000000005F60000-0x0000000005FC8000-memory.dmpFilesize
416KB
-
memory/2040-112-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-113-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-115-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-117-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-119-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-121-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2040-123-0x0000000005F60000-0x0000000005FC3000-memory.dmpFilesize
396KB
-
memory/2060-42-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/2060-40-0x0000000002670000-0x00000000026B0000-memory.dmpFilesize
256KB
-
memory/2060-41-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/2060-39-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/2060-43-0x0000000002670000-0x00000000026B0000-memory.dmpFilesize
256KB
-
memory/2256-73-0x0000000002680000-0x00000000026C0000-memory.dmpFilesize
256KB
-
memory/2256-69-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/2256-70-0x0000000002680000-0x00000000026C0000-memory.dmpFilesize
256KB
-
memory/2256-71-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/2256-72-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/2436-16-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/2436-20-0x00000000026F0000-0x0000000002730000-memory.dmpFilesize
256KB
-
memory/2436-21-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/2436-17-0x000000006F110000-0x000000006F6BB000-memory.dmpFilesize
5.7MB
-
memory/2436-18-0x00000000026F0000-0x0000000002730000-memory.dmpFilesize
256KB
-
memory/2512-9-0x00000000026F0000-0x0000000002730000-memory.dmpFilesize
256KB
-
memory/2512-5-0x000000006F3C0000-0x000000006F96B000-memory.dmpFilesize
5.7MB
-
memory/2512-10-0x000000006F3C0000-0x000000006F96B000-memory.dmpFilesize
5.7MB
-
memory/2512-8-0x00000000026F0000-0x0000000002730000-memory.dmpFilesize
256KB
-
memory/2512-7-0x00000000026F0000-0x0000000002730000-memory.dmpFilesize
256KB
-
memory/2512-6-0x000000006F3C0000-0x000000006F96B000-memory.dmpFilesize
5.7MB
-
memory/2584-32-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/2584-33-0x0000000002640000-0x0000000002680000-memory.dmpFilesize
256KB
-
memory/2584-31-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB
-
memory/2584-30-0x0000000002640000-0x0000000002680000-memory.dmpFilesize
256KB
-
memory/2584-29-0x0000000002640000-0x0000000002680000-memory.dmpFilesize
256KB
-
memory/2584-28-0x000000006F390000-0x000000006F93B000-memory.dmpFilesize
5.7MB