Overview

overview

10

Static

static

10

0a0df93ba3...ab.exe

windows7-x64

10

0a0df93ba3...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2024 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a0df93ba37270e35a35daaf3c1b1eab.exe

  • Size

    1.6MB

  • MD5

    0a0df93ba37270e35a35daaf3c1b1eab

  • SHA1

    20dfdfae4e2caab0c7baf06769de0b5ab8f3bc8d

  • SHA256

    74d236fe36375d9089df6ecc439bf91f291c89e241e1158e4752dc1dca4b1f66

  • SHA512

    6c1dcba5b35ae2da76bb4b9b77cfdafce9f6a2255165f30f53927f5aac1dc4647d2d96becd930a6d9ac6c3fb205b48baf48b6e80feb7f29b4806c28f559b2ec8

  • SSDEEP

    24576:1tHAOAiXfNN3gP1PLIaf+z21zQsr1z+JC+fBb1y9VAuhz43U:/gOpN41zXZ1N8JCIb09VAuV4

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a0df93ba37270e35a35daaf3c1b1eab.exe
    "C:\Users\Admin\AppData\Local\Temp\0a0df93ba37270e35a35daaf3c1b1eab.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O2BRLEUy1G.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2244
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:1300
          • C:\Recovery\WindowsRE\wininit.exe
            "C:\Recovery\WindowsRE\wininit.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:4952

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\O2BRLEUy1G.bat
        Filesize

        209B

        MD5

        0def5d8f63eb0db05beb84bba473c911

        SHA1

        1af3fb9dccdaeb9cf4de3db409f7d739174470c6

        SHA256

        e938f52a7ec9ef02023d5b7d5c22a9afcb2a54723947595744820557ac718dbc

        SHA512

        0396e2eda295bd3f8f6fdc4ca7408fac8db758fbfbe3434819711fcc18bb2634b4900d638ec5725c133356ad5945c2a924d6c8c6052c6f8abd72e43ba8d3bdfb

        Download Submit

      • C:\odt\lsass.exe
        Filesize

        1.6MB

        MD5

        0a0df93ba37270e35a35daaf3c1b1eab

        SHA1

        20dfdfae4e2caab0c7baf06769de0b5ab8f3bc8d

        SHA256

        74d236fe36375d9089df6ecc439bf91f291c89e241e1158e4752dc1dca4b1f66

        SHA512

        6c1dcba5b35ae2da76bb4b9b77cfdafce9f6a2255165f30f53927f5aac1dc4647d2d96becd930a6d9ac6c3fb205b48baf48b6e80feb7f29b4806c28f559b2ec8

        Download Submit

      • memory/744-20-0x00007FF8499F0000-0x00007FF84A4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/744-2-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/744-3-0x000000001B800000-0x000000001B810000-memory.dmp

        Filesize

        64KB

        Download

      • memory/744-1-0x00007FF8499F0000-0x00007FF84A4B1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/744-0-0x00000000009E0000-0x0000000000B7A000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4952-24-0x00007FF8477E0000-0x00007FF8482A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4952-25-0x00000000028C0000-0x00000000028C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4952-26-0x000000001B580000-0x000000001B590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4952-27-0x000000001B580000-0x000000001B590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4952-28-0x00007FF8477E0000-0x00007FF8482A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4952-29-0x000000001B580000-0x000000001B590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4952-30-0x000000001B580000-0x000000001B590000-memory.dmp

        Filesize

        64KB

        Download