Overview

overview

10

Static

static

10

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2024 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe

  • Size

    2.2MB

  • MD5

    84c895e5e9d2e8a4a33bcc6ec7657b20

  • SHA1

    f7efe5f005597309a25ad8eeaba6c77dff827caf

  • SHA256

    eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5

  • SHA512

    423841c1d334029bcfc4265b9599d219d42e8938504d9e9af0691111cbdb24c1d0a3712176b96faf0596732fa65129ee8e49a0a38efdfcfd3b212be82208ddff

  • SSDEEP

    24576:2TbBv5rUyXVgEtP/SRdxjxY8eCpDbZXvSBNOjABV+m/dynu46+I9KTVQpeeKghOL:IBJLj8ZbkNF0m/0vV1eKghUYFtML/sJU

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe
    "C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
          "C:\PortproviderwinMonitorSvc/ContainerserverFontSavessession.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4776
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RrcrWkKDyR.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5036
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4432
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:4760
                • C:\Recovery\WindowsRE\csrss.exe
                  "C:\Recovery\WindowsRE\csrss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4140
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2848
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1792
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2248
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2188
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3264
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2056
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1816

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
        Filesize

        1.9MB

        MD5

        d67f722b73a3cbef568a2e3124a4bc04

        SHA1

        27e0a75a646fb2869b31eab2f34f1de4db7e35e6

        SHA256

        b83aed8214e0f95cb74b9b2bbc49b16bd46cc46a9ec620a4ab1a3ddbde34c303

        SHA512

        c050652f2b11f4ad3ff9832f894ae6ada16400c41576b64e9bcfa2b785f15987b7d846f9bb597c4495edad91b4c67a8d601d5757afee39ed890148461f6de9bb

        Download Submit

      • C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe
        Filesize

        251B

        MD5

        288ece3d2e1006c5fa8a526d2d0fab12

        SHA1

        b466938792d856b963788f55037be3893024169f

        SHA256

        47a7ef36b24fc4250a41e93d7e132fee06b972b98317e6226814e676092b1fb1

        SHA512

        f818e2293f7128d1d12eeb577bbb1f9d16f0208a2b2c68d30f4b12e7ebececdc93c6b272810efb22d9b4778105e0ffc5da095feeda50ccfe9efecd52644a69b7

        Download Submit

      • C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat
        Filesize

        101B

        MD5

        a1e10402205eb4379b696c320914eea5

        SHA1

        048575ccf93cf9d1e039b1b1bce5eb97d61e1048

        SHA256

        0861e3de74e15568d8ed44ff86fea6f446ba8eb1561ec374202b4ebba7e279b5

        SHA512

        fde6ddd99da5609f138badeb28f448a2b673374a1c19eee36f9215c11efe96d7d9d64a396dcbfccc911ed26915c14ace092f10b821707162cd634d08663ad427

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RrcrWkKDyR.bat
        Filesize

        207B

        MD5

        bd9d9591cc3372e40fe27237a1149cfc

        SHA1

        975877a06325967d4e4af83c6bb5606aec9106fc

        SHA256

        fd388880f967cfde5ea98034a1fcd3c6953541c5920a507a726531c9b34b8428

        SHA512

        ef122cba67d1bfa551ac24f54ffe12e3130251d2f7b09a2e880ab84fda143dc7a2451205e5ceaef6f872bf680cf8495e1d0969a486f14454aa1d4a6f942557f8

        Download Submit

      • memory/4140-78-0x00007FFDFA2B0000-0x00007FFDFAD71000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4140-75-0x00007FFE18FB0000-0x00007FFE18FB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4140-73-0x00007FFE18FC0000-0x00007FFE18FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4140-71-0x00007FFE18FD0000-0x00007FFE18FD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4140-69-0x00007FFE18FE0000-0x00007FFE18FE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4140-77-0x00007FFE18FA0000-0x00007FFE18FA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4140-67-0x00007FFE19030000-0x00007FFE190EE000-memory.dmp

        Filesize

        760KB

        Download

      • memory/4140-65-0x00007FFE18FF0000-0x00007FFE18FF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4140-64-0x00007FFE19030000-0x00007FFE190EE000-memory.dmp

        Filesize

        760KB

        Download

      • memory/4140-63-0x000000001BA20000-0x000000001BA21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4140-62-0x00007FFDFA2B0000-0x00007FFDFAD71000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4776-19-0x00007FFE19030000-0x00007FFE190EE000-memory.dmp

        Filesize

        760KB

        Download

      • memory/4776-57-0x00007FFE19030000-0x00007FFE190EE000-memory.dmp

        Filesize

        760KB

        Download

      • memory/4776-29-0x000000001AEC0000-0x000000001AED8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4776-30-0x00007FFE18FC0000-0x00007FFE18FC1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-32-0x0000000002580000-0x000000000258E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4776-33-0x00007FFE18FB0000-0x00007FFE18FB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-35-0x000000001AE80000-0x000000001AE8E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4776-37-0x000000001AE90000-0x000000001AE9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4776-38-0x00007FFDFA190000-0x00007FFDFAC51000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4776-39-0x00007FFE18FA0000-0x00007FFE18FA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-56-0x00007FFDFA190000-0x00007FFDFAC51000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4776-27-0x00007FFE18FD0000-0x00007FFE18FD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-26-0x000000001AF10000-0x000000001AF60000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4776-23-0x00007FFE18FE0000-0x00007FFE18FE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-25-0x000000001AEA0000-0x000000001AEBC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4776-22-0x00007FFE19030000-0x00007FFE190EE000-memory.dmp

        Filesize

        760KB

        Download

      • memory/4776-21-0x000000001AF60000-0x000000001AF70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4776-20-0x00007FFE18FF0000-0x00007FFE18FF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-18-0x00000000023E0000-0x00000000023EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4776-16-0x000000001AF60000-0x000000001AF70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4776-15-0x00000000023A0000-0x00000000023A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4776-14-0x000000001AF60000-0x000000001AF70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4776-13-0x00007FFDFA190000-0x00007FFDFAC51000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4776-12-0x0000000000160000-0x0000000000352000-memory.dmp

        Filesize

        1.9MB

        Download