Overview

overview

10

Static

static

10

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-03-2024 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe

  • Size

    2.2MB

  • MD5

    84c895e5e9d2e8a4a33bcc6ec7657b20

  • SHA1

    f7efe5f005597309a25ad8eeaba6c77dff827caf

  • SHA256

    eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5

  • SHA512

    423841c1d334029bcfc4265b9599d219d42e8938504d9e9af0691111cbdb24c1d0a3712176b96faf0596732fa65129ee8e49a0a38efdfcfd3b212be82208ddff

  • SSDEEP

    24576:2TbBv5rUyXVgEtP/SRdxjxY8eCpDbZXvSBNOjABV+m/dynu46+I9KTVQpeeKghOL:IBJLj8ZbkNF0m/0vV1eKghUYFtML/sJU

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 6 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe
    "C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1184
        • C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
          "C:\PortproviderwinMonitorSvc/ContainerserverFontSavessession.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1340
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xLsQ6CeREu.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1124
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:932
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2260
                • C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe
                  "C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3240
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3024
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4780
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1648
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2732
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4800
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4724
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2996

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
        Filesize

        709KB

        MD5

        056aaebf0a03b1fb1fd10c075b969e56

        SHA1

        4eb093d2fe1b625ee0729986c8d2bb1dd74e63d6

        SHA256

        dd179eff8b1df7e04bf2a2f9eb5dddfd8144c7d676704474c133a066a848a5bc

        SHA512

        e3e1dcb73d1815fc9ad588a1822cc08b6950230e9a4100a4c890837c8b1e947c0487c4c912fd3c217abc1552e6f23f961604d4fd26aaaad90f32ad8423217a76

        Download Submit

      • C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
        Filesize

        704KB

        MD5

        148b2a4a5b913aeb9cdd9801f0fc79b4

        SHA1

        b42bc2e3e197f24e4333775a319af2fe0853c585

        SHA256

        f455ede740800bb368364f5b5bf996f5293e4217fc7c8fe6a027906528cdc6be

        SHA512

        bd5575100ca0e10f8db7c61ee1fabb57486ef9103ebda8702bcf61ae933245c59b67cfa7a9d465d23207e1d171ef0ba17bff7327dc164ab3a96adbef62a6b3b0

        Download Submit

      • C:\PortproviderwinMonitorSvc\dllhost.exe
        Filesize

        22KB

        MD5

        2f84d9b43c744df6dd5e964be014d4c8

        SHA1

        9005f6b7477ac63860bbdc07f814601c36cad6ff

        SHA256

        2f4da4241ac0ce8e819119fb93654c22ba51c39a769b39bf1cc9b1edb139e974

        SHA512

        1caf2504ef1b341bdf4b6fd0070fa97d1be774c2f82c14f72d456704b97335f6fcdfae189204e400e97233c69b28fec116ab31448c141b01cbc3c5781579aab6

        Download Submit

      • C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe
        Filesize

        251B

        MD5

        288ece3d2e1006c5fa8a526d2d0fab12

        SHA1

        b466938792d856b963788f55037be3893024169f

        SHA256

        47a7ef36b24fc4250a41e93d7e132fee06b972b98317e6226814e676092b1fb1

        SHA512

        f818e2293f7128d1d12eeb577bbb1f9d16f0208a2b2c68d30f4b12e7ebececdc93c6b272810efb22d9b4778105e0ffc5da095feeda50ccfe9efecd52644a69b7

        Download Submit

      • C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat
        Filesize

        101B

        MD5

        a1e10402205eb4379b696c320914eea5

        SHA1

        048575ccf93cf9d1e039b1b1bce5eb97d61e1048

        SHA256

        0861e3de74e15568d8ed44ff86fea6f446ba8eb1561ec374202b4ebba7e279b5

        SHA512

        fde6ddd99da5609f138badeb28f448a2b673374a1c19eee36f9215c11efe96d7d9d64a396dcbfccc911ed26915c14ace092f10b821707162cd634d08663ad427

        Download Submit

      • C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe
        Filesize

        952KB

        MD5

        9b8a97a8011849334a421ffdb660446f

        SHA1

        a493c7003aa312dbf68750809b2fd0fb954deb02

        SHA256

        878a4f37d3d00a1b1b7f4ba51fb2660894f74655ba00bc67306d7383d88264aa

        SHA512

        777ad63fbbf6173cf4388d19bfac88fc0be654a156727e6d251f0c8b9658c2016b831a553c856c7447ff5aab7e9d54083f284d25945ecfa5e3d93d04ad3cab38

        Download Submit

      • C:\Program Files (x86)\Windows Sidebar\Gadgets\Idle.exe
        Filesize

        781KB

        MD5

        49597ac99979feb6afc2444c66dd5aba

        SHA1

        de067738407b14cfb50c55d5f379221d7634727b

        SHA256

        a3ed34e17fc14fee17246cf3d06eb3fe7e5b6b680ec375e44708b2a56ad2b83a

        SHA512

        f47b1599512d1826fe565ffc47f220821130455ec2eee51ed48b9636137cdfbad802dd087aa751584bf8043d8ce3104f4a83e55caad45b559448608e1094feb6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\xLsQ6CeREu.bat
        Filesize

        231B

        MD5

        e65c3ad77630a81b82258f1a7a55a1c9

        SHA1

        81939ec1f647bcdb2a81cdd57265c8ebc82f1499

        SHA256

        c5f799c8a83cc2732b4025e70cb21b05d807ec8e11172374fb177e6e7f5f9b08

        SHA512

        b077d3eec72384b4f9dd0675e5239daeb362ae56c9b456655132dfe44fd35b2919654a028668943e74df0a73915ad2dd8bb857adc62e409442bf1fc6b971d3e8

        Download Submit

      • memory/1340-22-0x00007FFA39410000-0x00007FFA39411000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1340-13-0x00007FFA185A0000-0x00007FFA19062000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1340-21-0x000000001B120000-0x000000001B13C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1340-17-0x000000001B0B0000-0x000000001B0BE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1340-26-0x00007FFA39400000-0x00007FFA39401000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1340-32-0x000000001B110000-0x000000001B11E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1340-35-0x00007FFA393D0000-0x00007FFA393D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1340-34-0x000000001B160000-0x000000001B16E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1340-30-0x00007FFA393E0000-0x00007FFA393E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1340-14-0x0000000002540000-0x0000000002541000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1340-28-0x000000001B100000-0x000000001B10E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1340-29-0x00007FFA393F0000-0x00007FFA393F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1340-25-0x000000001B140000-0x000000001B158000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1340-53-0x00007FFA185A0000-0x00007FFA19062000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1340-15-0x000000001B180000-0x000000001B190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1340-23-0x000000001B2E0000-0x000000001B330000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1340-18-0x00007FFA39420000-0x00007FFA39421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1340-19-0x000000001B180000-0x000000001B190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1340-12-0x0000000000290000-0x0000000000482000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4604-72-0x00007FFA393E0000-0x00007FFA393E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-61-0x00007FFA39420000-0x00007FFA39421000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-58-0x000000001B450000-0x000000001B460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4604-62-0x000000001B450000-0x000000001B460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4604-66-0x00007FFA39400000-0x00007FFA39401000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-64-0x00007FFA39410000-0x00007FFA39411000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-67-0x00007FFA393F0000-0x00007FFA393F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-73-0x00007FFA393D0000-0x00007FFA393D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-57-0x00007FFA18650000-0x00007FFA19112000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4604-59-0x00000000028C0000-0x00000000028C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4604-71-0x00007FFA18650000-0x00007FFA19112000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4604-74-0x000000001B450000-0x000000001B460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4604-75-0x000000001B620000-0x000000001B629000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4604-76-0x000000001B9A0000-0x000000001BA0F000-memory.dmp

        Filesize

        444KB

        Download

      • memory/4604-77-0x000000001B450000-0x000000001B460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4604-108-0x000000001B450000-0x000000001B460000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4604-113-0x000000001B450000-0x000000001B460000-memory.dmp

        Filesize

        64KB

        Download