Overview

overview

10

Static

static

3

Fzonsvup.exe

windows7-x64

10

Fzonsvup.exe

windows10-2004-x64

Analysis

  • max time kernel
    60s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 05:42

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-25T05:43:38Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_27-dirty.qcow2\"}"
Report Analysis Logs

General

  • Target

    Fzonsvup.exe

  • Size

    633KB

  • MD5

    1c762a2cd186f1cde4b9e5d743eca3b5

  • SHA1

    a0eff9fa7b5ada96c8acf483de9519a9e2548d80

  • SHA256

    a5b0d190fc09cd5c1ea07fa6b12a7dd4ab5f517c778fb60e4e14060e00ddecc8

  • SHA512

    d43eec5905f9715c6b342232c2432ba1e91abe4ee514ccdc45706a7ffede2a1cf5589c0da7a0f5d6c70a8a26afad9394aa93222f475be4797607d7c0208d154a

  • SSDEEP

    12288:NgJ7AuurlRyI4mfcYmFlEBJo8S21j7YIwIPfZ3FjILSdAsBJWWZ8lz/:NgJ7ABrlCTBFlEBJNYpIZ3Fw0AEJWWZM

Score
10/10
zgratevasionpersistencerattrojanupx

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fzonsvup.exe
    "C:\Users\Admin\AppData\Local\Temp\Fzonsvup.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1020
  • C:\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe
    C:\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Users\Admin\AppData\Local\Temp\iylyvsu.exe
      "C:\Users\Admin\AppData\Local\Temp\iylyvsu.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:2900
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2132
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • UAC bypass
          • Windows security bypass
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Windows security modification
          • Checks whether UAC is enabled
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3712
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3056
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4496
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5056
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3704
            • C:\Windows\system32\powercfg.exe
              C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
              6⤵
                PID:3408
              • C:\Windows\system32\conhost.exe
                conhost.exe
                6⤵
                  PID:3480

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      5
      T1112

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      6
      T1012

      System Information Discovery

      5
      T1082

      Virtualization/Sandbox Evasion

      2
      T1497

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0kcbyzu.jcf.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\iylyvsu.exe
        Filesize

        2.9MB

        MD5

        f561ee026ad652bed5d2dbca19b0f6da

        SHA1

        42a9d231a9c44331ac6f6327de9e3fa7d796c3d4

        SHA256

        c35d5fb22d47e276e38fde699fc3b1e88e60a708d85b6ebea69815dec5d4883e

        SHA512

        52de39805c40f30f2ab7aebd6f143cc1d5ecd6bb95b767a45d4c212f48ee16df6425309463d2cc8703dfa0cb796b42fafb75dfd7836f65ee09e13c9318c31e4e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.bat
        Filesize

        150B

        MD5

        3f2dffb42b58f63ef95f710af4d1ced4

        SHA1

        cbc28f8b55d0ad1a689a35d47786a188ef0194a9

        SHA256

        0d768070e049ee3476ad5dda05aa00bf6a140f54d31e9baf3e4d519413fa3e33

        SHA512

        19218a662db62c360f72220a5021f74c929748d3af7edd78d99d8d2179e761fa13b7efe0c849a24c34d62d1e531be7691a561ce1d2cf7eb287d981a65beefb26

        Download Submit
      • C:\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe
        Filesize

        633KB

        MD5

        1c762a2cd186f1cde4b9e5d743eca3b5

        SHA1

        a0eff9fa7b5ada96c8acf483de9519a9e2548d80

        SHA256

        a5b0d190fc09cd5c1ea07fa6b12a7dd4ab5f517c778fb60e4e14060e00ddecc8

        SHA512

        d43eec5905f9715c6b342232c2432ba1e91abe4ee514ccdc45706a7ffede2a1cf5589c0da7a0f5d6c70a8a26afad9394aa93222f475be4797607d7c0208d154a

        Download Submit
      • memory/1020-1-0x00000239D6DC0000-0x00000239D6EC4000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1020-2-0x00007FFBD4550000-0x00007FFBD5011000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1020-3-0x00000239D6F20000-0x00000239D6F30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1020-4-0x00000239D6EC0000-0x00000239D6F16000-memory.dmp
        Filesize

        344KB

        Download
      • memory/1020-5-0x00000239D6F30000-0x00000239D6F7C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/1020-6-0x00000239D7080000-0x00000239D70D4000-memory.dmp
        Filesize

        336KB

        Download
      • memory/1020-10-0x00007FFBD4550000-0x00007FFBD5011000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1020-0-0x00000239BC910000-0x00000239BC9B2000-memory.dmp
        Filesize

        648KB

        Download
      • memory/2236-23-0x000001BF5ACE0000-0x000001BF5AFBC000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2236-21-0x00007FFBD4040000-0x00007FFBD4B01000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2236-22-0x000001BF424D0000-0x000001BF424E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2236-28-0x00007FFBD4040000-0x00007FFBD4B01000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2236-20-0x000001BF40930000-0x000001BF40938000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2828-33-0x00007FFBD4040000-0x00007FFBD4B01000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2828-53-0x00007FFBD4040000-0x00007FFBD4B01000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3056-36-0x0000000140000000-0x0000000140285000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/3056-34-0x0000000140000000-0x0000000140285000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/3056-37-0x0000000140000000-0x0000000140285000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/3480-55-0x0000000140000000-0x0000000140848000-memory.dmp
        Filesize

        8.3MB

        Download
      • memory/3480-56-0x0000000140000000-0x0000000140848000-memory.dmp
        Filesize

        8.3MB

        Download
      • memory/3480-57-0x0000000140000000-0x0000000140848000-memory.dmp
        Filesize

        8.3MB

        Download
      • memory/3700-14-0x0000025114D70000-0x0000025114D80000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3700-13-0x00007FFBD4040000-0x00007FFBD4B01000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3700-15-0x0000025114D70000-0x0000025114D80000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3712-47-0x000001AC7E070000-0x000001AC7E092000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3712-48-0x00007FFBD4040000-0x00007FFBD4B01000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3712-49-0x000001AC7D640000-0x000001AC7D650000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3712-52-0x00007FFBD4040000-0x00007FFBD4B01000-memory.dmp
        Filesize

        10.8MB

        Download