Analysis
-
max time kernel
142s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
28-02-2024 16:41
General
-
Target
53cef565077e1ba82825cd96017ff7e5d43ab9ba1ab9885d70fd129ec1f57020.exe
-
Size
6.8MB
-
MD5
02b0a64fe2784c334a5a7d835b301c95
-
SHA1
3a8eadba100c38378fbd0b3f22bad47a363fcdda
-
SHA256
53cef565077e1ba82825cd96017ff7e5d43ab9ba1ab9885d70fd129ec1f57020
-
SHA512
2d1b91593636c736faec83867c2688b65befd4357320ed8e5e903d09dd682b2626602eac6ff1b6fe13967a3f2dc30db8d4521a795d18e707f92d880d28f541bf
-
SSDEEP
49152:wd1k+vecp3VHOr38IHn60Mel24xLxMPS1Abr8GsFTULqrfAOtf:wdpGcp3Qr8IHn44xIJbnef
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\53cef565077e1ba82825cd96017ff7e5d43ab9ba1ab9885d70fd129ec1f57020.exe"C:\Users\Admin\AppData\Local\Temp\53cef565077e1ba82825cd96017ff7e5d43ab9ba1ab9885d70fd129ec1f57020.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
Filesize
7.7MB
-
Filesize
472KB
-
Filesize
7.7MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
5.2MB
-
Filesize
608KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
3.3MB
-
Filesize
3.4MB
-
Filesize
1024KB
-
Filesize
7.7MB
-
Filesize
6.7MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB