Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

DCRatBuild.exe

windows10-1703-x64

10

DCRatBuild.exe

windows10-2004-x64

10

DCRatBuild.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    446s
  • max time network
    452s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/04/2024, 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    3.8MB

  • MD5

    3da1cda32190d9ba346889a7df20c952

  • SHA1

    f26a7f5ece93071f40b8cf3c5cf74af1e7589797

  • SHA256

    84d18110d3087cb912cc8cdcc3dae4e4ed4d0a4d20b514291eb7958590960607

  • SHA512

    540a4c0372ce6a8e6b651b7aaad62d9a119cf8a6589a50cab1a83c2eec6c52ac9e662f789e06ab196bbac82766cfc74b0a177fc94fe944de206c7100b2d929c6

  • SSDEEP

    98304:yQ8b58R7g9ksxqxTqIlyOBYFF+2hvc8Tf:58b5gc6TqjFFL

Score
10/10
zgratpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fonthostdll\ZxYhCBKjdxZObPEn9rwvPOXpSTg7EbRJyULpGWziJq.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4464
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\fonthostdll\cDjK63EiRnHUwKm2BmlGhi2Z7Zsm9LN.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\fonthostdll\ChainSurrogateAgentSaves.exe
          "C:\fonthostdll/ChainSurrogateAgentSaves.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gedlnlxk\gedlnlxk.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1556
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E9F.tmp" "c:\Windows\System32\CSC36DEE845FEB14D9181B20FDCD36E86.TMP"
              6⤵
                PID:3472
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4aHiaViwNS.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4420
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4360
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:1916
                • C:\Recovery\WindowsRE\csrss.exe
                  "C:\Recovery\WindowsRE\csrss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\fr-FR\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2316
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4812
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2760
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3196
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2308
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4644

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\4aHiaViwNS.bat
        Filesize

        159B

        MD5

        bb84fad9d2d50ae60d4faaa903ec9b8e

        SHA1

        a8dfef78ba6c37235321298eeb04da7e61e735c1

        SHA256

        6e1389cca29e570ed2c6d267362b9a58ae46699648056d912d472657dad5d1bd

        SHA512

        36ffcfc1c5e5e71b1a932e0055eb0dfca7845364d87201e771340e6feb465de340dce71d9cf761843e8673eb5594d998b5b2b8f8d1f998d781819764e74e93bc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES3E9F.tmp
        Filesize

        1KB

        MD5

        96a7a2f74cdfed58328a6ea522cf83b5

        SHA1

        1f9001858e261695490263ecbc35aecafd2ad4ae

        SHA256

        a40dfb0b99004702e10d2932aef3f04870d0d654571ac6c2d347adfc22aaed51

        SHA512

        4acec47f396878806563833481f85449774248ddc7bb9633daaaff99ef627c176e618e191080d434ab7b0989e35e78d2d2d20ffe2b7ac2fa48b764df3ff00d2a

        Download Submit

      • C:\fonthostdll\ChainSurrogateAgentSaves.exe
        Filesize

        3.5MB

        MD5

        fbcc1d265e960f799d44f2b41f494b63

        SHA1

        89a7cb2b74d65cadf96e18af1f317c296eea6261

        SHA256

        6fb0005df41defdc5866dd4ff3c590925d2ea1ad51176412a905f1e850698318

        SHA512

        ca3cd33aa7746b4d9372c7f6d919da3605bf84f6fb86f9a57dcad71731ddac570ba7a0505b7b435d58e75596ec96ebddae5124b566924802756a9e298ce64632

        Download Submit

      • C:\fonthostdll\ZxYhCBKjdxZObPEn9rwvPOXpSTg7EbRJyULpGWziJq.vbe
        Filesize

        220B

        MD5

        f5975f5e04426d677d03382c3d5f9f65

        SHA1

        40a2df9165257acacffdecb7d1cdfe6ee09bb57b

        SHA256

        43e307995b3688d72c71bf0d3715178d944a6560dac01925d35df847cff05163

        SHA512

        c221fe1e51eceffaab0bb46209f0368a62d8ba1e983c78dd0f9f8f0f482a59432e543f9a836fc0f33d92e2ef2bb49c088e868563f6dfea4a5af22ce57862a390

        Download Submit

      • C:\fonthostdll\cDjK63EiRnHUwKm2BmlGhi2Z7Zsm9LN.bat
        Filesize

        106B

        MD5

        9ff96846900e41d5f9f9c291b8efea33

        SHA1

        b581cd1d80e5a6eb01e062d438435ade5c6ed22a

        SHA256

        0a8dcc94b789d4a5f442701f4842935d83e9e14e9bd42b60d1ac221b21f5c13c

        SHA512

        a3f4ce62d1cadeb3b4e6f5467d661d82430a7c98bc8c3eef8b208a0703ad03206120a367a7f2783a49b30f4db4679025a1de0ed10aefcf408d4012e991e5f368

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\gedlnlxk\gedlnlxk.0.cs
        Filesize

        369B

        MD5

        d213106a31ca287bc1c39dd925d4aafc

        SHA1

        59f6d64bc3dd2d967b5fe8208b6e3414d2547373

        SHA256

        5fb3091a1da2eb9e040ec18dc2f71fb148bfa99da0c321b1731f53ab20ccd570

        SHA512

        41f407a56556c108e14020db9aea8b99c7aaf03258c23acc56940ff04a7696c1e41d4e3c53f1bc34f5b0e58ed62520174494a991cd4f73d183cf6274a589f422

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\gedlnlxk\gedlnlxk.cmdline
        Filesize

        235B

        MD5

        181029b21f7dde3bbfc2a72c9a20e8dc

        SHA1

        f079c1e9c96b570d82ef6b3703ce91052daf7d60

        SHA256

        c1ceacb0632032e3bb59a062b884c936a654b7474300ecaa03f6d5500fad2c38

        SHA512

        eee66e9087ed67159f497b78389a9053e50e488daeb7f758f83bd73000d7cbffd39658cb83ef329d827e49b956af5f28f3daaf24a23b51bf921dba925b084c7d

        Download Submit

      • \??\c:\Windows\System32\CSC36DEE845FEB14D9181B20FDCD36E86.TMP
        Filesize

        1KB

        MD5

        9cfa5e15dc4ed124c8bdfe18f72a350a

        SHA1

        6a5cbdd955e1a692ef9fa61e97a5cfdac0577424

        SHA256

        c7674c323df2fe7503fd386f137d954e7749fe3d2be1492fe5bc528dfa01951c

        SHA512

        46600797ee2edc13fde586cdd0c44cfd03323c91b3250564d0c5277fc2e28173c96d8b37dd6e341164b6fdb41a89316fb47a0c2721d80a06395ba4bf2117b2ff

        Download Submit

      • memory/1640-112-0x000000001DD80000-0x000000001DDCE000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1912-39-0x000000001BF90000-0x000000001C4B8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1912-47-0x000000001BA60000-0x000000001BABA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1912-26-0x00000000012B0000-0x00000000012C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1912-28-0x00000000012C0000-0x00000000012D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1912-30-0x0000000002AF0000-0x0000000002AFE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1912-32-0x000000001B760000-0x000000001B772000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1912-34-0x0000000002B00000-0x0000000002B10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1912-36-0x000000001B7A0000-0x000000001B7B6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1912-38-0x000000001B7C0000-0x000000001B7D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1912-22-0x00000000012A0000-0x00000000012B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1912-41-0x0000000002B10000-0x0000000002B1E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1912-43-0x0000000002B70000-0x0000000002B80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1912-45-0x000000001B780000-0x000000001B790000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1912-24-0x0000000002AD0000-0x0000000002AE8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1912-49-0x000000001B790000-0x000000001B79E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1912-51-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1912-53-0x000000001B7F0000-0x000000001B7FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1912-55-0x000000001B820000-0x000000001B838000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1912-57-0x000000001BD10000-0x000000001BD5E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1912-20-0x0000000002B20000-0x0000000002B70000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1912-19-0x0000000002AB0000-0x0000000002ACC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1912-17-0x0000000001280000-0x000000000128E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1912-15-0x00000000012D0000-0x00000000012F6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/1912-85-0x000000001CB10000-0x000000001CB5E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/1912-86-0x00007FF87DF10000-0x00007FF87E9D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1912-13-0x00007FF87DF10000-0x00007FF87E9D1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1912-12-0x00000000006A0000-0x0000000000A28000-memory.dmp

        Filesize

        3.5MB

        Download