Overview

overview

10

Static

static

3

GTA 6 Buil...ll.exe

windows7-x64

10

GTA 6 Buil...ll.exe

windows10-2004-x64

10

NL7Data0404.dll

windows7-x64

1

NL7Data0404.dll

windows10-2004-x64

1

NL7Models0804.dll

windows7-x64

1

NL7Models0804.dll

windows10-2004-x64

1

NlsData004a.dll

windows7-x64

1

NlsData004a.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    111s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GTA 6 Builder-Install.exe

  • Size

    13.1MB

  • MD5

    95f7a7d1658b372cbcbd6cc1ef91bef9

  • SHA1

    180182eef4ac2baaa0d773aeb59aec022a3d34cc

  • SHA256

    841d63d65e18b16579ff539e49ea437ef27c488d52d463b0105cdd4b19d2ea37

  • SHA512

    26bc67b7665bb2423e765249caf7ab7a0634af699335568d5b19732a149560d9b77bc586477c12bacc66cf382a1e80b9846e6fe05d9e9315e66f88e438d4c095

  • SSDEEP

    196608:Ya4hESrp12vabgVvjce8pPZHjSOZlrMUjJi2QSdI/K2RZPvn3J+sL378BZnybgbo:Ya+HoRHe5V/rDjJfNqvZXn3J+DZyBd

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GTA 6 Builder-Install.exe
    "C:\Users\Admin\AppData\Local\Temp\GTA 6 Builder-Install.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Users\Admin\AppData\Roaming\ms_tool.exe
      "C:\Users\Admin\AppData\Roaming\ms_tool.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      PID:4784
    • C:\Users\Admin\AppData\Roaming\ms_updater.exe
      "C:\Users\Admin\AppData\Roaming\ms_updater.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:5020
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:4792

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat
      Filesize

      177B

      MD5

      d3eec34b852f600734fc7dcd791c473b

      SHA1

      c6d0ebaefb13e1352b59659706e7e54d0e53ca01

      SHA256

      cedddd5a348361031d2859c9631897054cd1d7b51035a129c591b3ebb5803558

      SHA512

      e340a186a389866eda06eb0239bb86654d1509868b69f934fc568471da4efe8e6df7437ed2dbbfb7a51d5e2257c8b78c23a8b0b12bed3e80df988f2e30ea40d0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ms_tool.exe
      Filesize

      11KB

      MD5

      f8701952b62a7e52652271a20b824128

      SHA1

      82292b1cd54afa277116b42f4b1c43c8933478f0

      SHA256

      5b0b886143ffe9f5c5750c9b171656783668b655e559ea95d002a265586e3413

      SHA512

      5acde46db767cf11ea5183007542fd67e1512ccfbcc37efdec685e2db369840a767981b0996dbace0f40602ada0a5c0aed39019ce06590151cd59f0dfa5d68e5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ms_updater.exe
      Filesize

      2.0MB

      MD5

      31e5e3ac5a03d60d67188b6b0c3d152b

      SHA1

      41e831bc8b0c314a46d17492ded7b6b587d66db2

      SHA256

      dc73ce51066fdcd5f0c7c88fd6fdfb9a4a3722ebe3d2def1dc593fbc1af9e467

      SHA512

      64837c66af3f63c214ff8f466266f3dea1cf135d54ccaaf5c06fa13763045d79220f88d09ca49a36668d7e1f506bc74c9a2b8de0ec77aac272b0e1466aa168c2

      Download Submit

    • memory/4548-0-0x0000000003890000-0x0000000003891000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4548-1-0x0000000000B80000-0x00000000020DA000-memory.dmp

      Filesize

      21.4MB

      Download

    • memory/4548-4-0x0000000000B80000-0x00000000020DA000-memory.dmp

      Filesize

      21.4MB

      Download

    • memory/4548-31-0x0000000000B80000-0x00000000020DA000-memory.dmp

      Filesize

      21.4MB

      Download

    • memory/4784-27-0x000001E715A40000-0x000001E715A48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4784-30-0x00007FFE0D5B0000-0x00007FFE0E071000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4784-50-0x00007FFE0D5B0000-0x00007FFE0E071000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5052-34-0x00000000019F0000-0x0000000001A0C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/5052-35-0x000000001BD40000-0x000000001BD90000-memory.dmp

      Filesize

      320KB

      Download

    • memory/5052-37-0x00000000032D0000-0x00000000032E8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/5052-39-0x0000000001990000-0x000000000199E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5052-41-0x0000000001A10000-0x0000000001A1E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5052-43-0x0000000003310000-0x0000000003322000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5052-45-0x00000000032F0000-0x00000000032FC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/5052-47-0x0000000003300000-0x000000000330E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5052-49-0x0000000003330000-0x000000000333C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/5052-32-0x00007FFE0D5B0000-0x00007FFE0E071000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5052-51-0x00007FFE0D5B0000-0x00007FFE0E071000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5052-28-0x0000000000F70000-0x0000000001176000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/5052-84-0x00007FFE0D5B0000-0x00007FFE0E071000-memory.dmp

      Filesize

      10.8MB

      Download