Overview

overview

10

Static

static

10

DCRatBuild.exe

windows10-1703-x64

10

DCRatBuild.exe

windows10-2004-x64

10

DCRatBuild.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    564s
  • max time network
    570s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30-04-2024 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    3.8MB

  • MD5

    3da1cda32190d9ba346889a7df20c952

  • SHA1

    f26a7f5ece93071f40b8cf3c5cf74af1e7589797

  • SHA256

    84d18110d3087cb912cc8cdcc3dae4e4ed4d0a4d20b514291eb7958590960607

  • SHA512

    540a4c0372ce6a8e6b651b7aaad62d9a119cf8a6589a50cab1a83c2eec6c52ac9e662f789e06ab196bbac82766cfc74b0a177fc94fe944de206c7100b2d929c6

  • SSDEEP

    98304:yQ8b58R7g9ksxqxTqIlyOBYFF+2hvc8Tf:58b5gc6TqjFFL

Score
10/10
zgratpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fonthostdll\ZxYhCBKjdxZObPEn9rwvPOXpSTg7EbRJyULpGWziJq.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\fonthostdll\cDjK63EiRnHUwKm2BmlGhi2Z7Zsm9LN.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\fonthostdll\ChainSurrogateAgentSaves.exe
          "C:\fonthostdll/ChainSurrogateAgentSaves.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wvpllo2g\wvpllo2g.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2544
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EB1.tmp" "c:\Windows\System32\CSCD4E06EFA696848CC8E36535CE1F8235.TMP"
              6⤵
                PID:764
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kFh7VuseYV.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3696
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:5008
                • C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe
                  "C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4280
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2412
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4372
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3816
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4892
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:72
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4916
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\sihost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1088
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ChainSurrogateAgentSavesC" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ChainSurrogateAgentSaves.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2288
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ChainSurrogateAgentSaves" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ChainSurrogateAgentSaves.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3168
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ChainSurrogateAgentSavesC" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ChainSurrogateAgentSaves.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5028
      • C:\Recovery\WindowsRE\dwm.exe
        C:\Recovery\WindowsRE\dwm.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4680
      • C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ChainSurrogateAgentSaves.exe
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ChainSurrogateAgentSaves.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3476
      • C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\smss.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
      • C:\Recovery\WindowsRE\dllhost.exe
        C:\Recovery\WindowsRE\dllhost.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4336

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ChainSurrogateAgentSaves.exe.log
        Filesize

        1KB

        MD5

        414f17760f659439ddcf856dda59d73f

        SHA1

        316d067ce41711fb7de69860b825b75e5a5bf85d

        SHA256

        1c6fe319a14c2b776bbb1ef5189ea7c66875ea8e09d7c870b492d9635c9b3a50

        SHA512

        2f194ac30446c8dd668b94ba3955cb16fd9093a348aa7dc5a6303b8eae2859e6f607b366ff87e152f1f7d1c019d4cb96610b20537d6873efb5038787737a3e06

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES9EB1.tmp
        Filesize

        1KB

        MD5

        e4dc0c54721fe74ecae744935cef421c

        SHA1

        1e5d345c28a50c659e30dd9d70bd3b3314290e97

        SHA256

        be11e4b998cf3443122027d92fde3de366b91f11e6f1debcd7f2fa7668c33e28

        SHA512

        af65880d427748e8f05ba67c35a62be29210a7b84e97c740f53d387a0643867709c6660e5621eabcfa499015ea97d0f1dcd049e6214a51335b9e418ac71ac157

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\kFh7VuseYV.bat
        Filesize

        183B

        MD5

        99ed282cc9844c9f1ffc3ff07370eea3

        SHA1

        61536188fa8ceb5aad9c719e19bfcfc9b77ac5b6

        SHA256

        1d04526003c80fdf963d35747480b25e6e0a56a4e330bfcf7e6b982494dc131e

        SHA512

        bea459356dfe3419337b7b0d7cb9e87128c0e90f094b52877b6ae8a76084d0702a0c21102aa5eac68aa1dd6a51fea6665277c007b62920cb5c13c09215332117

        Download Submit

      • C:\fonthostdll\ChainSurrogateAgentSaves.exe
        Filesize

        3.5MB

        MD5

        fbcc1d265e960f799d44f2b41f494b63

        SHA1

        89a7cb2b74d65cadf96e18af1f317c296eea6261

        SHA256

        6fb0005df41defdc5866dd4ff3c590925d2ea1ad51176412a905f1e850698318

        SHA512

        ca3cd33aa7746b4d9372c7f6d919da3605bf84f6fb86f9a57dcad71731ddac570ba7a0505b7b435d58e75596ec96ebddae5124b566924802756a9e298ce64632

        Download Submit

      • C:\fonthostdll\ZxYhCBKjdxZObPEn9rwvPOXpSTg7EbRJyULpGWziJq.vbe
        Filesize

        220B

        MD5

        f5975f5e04426d677d03382c3d5f9f65

        SHA1

        40a2df9165257acacffdecb7d1cdfe6ee09bb57b

        SHA256

        43e307995b3688d72c71bf0d3715178d944a6560dac01925d35df847cff05163

        SHA512

        c221fe1e51eceffaab0bb46209f0368a62d8ba1e983c78dd0f9f8f0f482a59432e543f9a836fc0f33d92e2ef2bb49c088e868563f6dfea4a5af22ce57862a390

        Download Submit

      • C:\fonthostdll\cDjK63EiRnHUwKm2BmlGhi2Z7Zsm9LN.bat
        Filesize

        106B

        MD5

        9ff96846900e41d5f9f9c291b8efea33

        SHA1

        b581cd1d80e5a6eb01e062d438435ade5c6ed22a

        SHA256

        0a8dcc94b789d4a5f442701f4842935d83e9e14e9bd42b60d1ac221b21f5c13c

        SHA512

        a3f4ce62d1cadeb3b4e6f5467d661d82430a7c98bc8c3eef8b208a0703ad03206120a367a7f2783a49b30f4db4679025a1de0ed10aefcf408d4012e991e5f368

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\wvpllo2g\wvpllo2g.0.cs
        Filesize

        387B

        MD5

        80e54b12d9723f737ea4800c0d0ddde4

        SHA1

        318b85aa0bf5b600c9381d38ede3010d37443ddf

        SHA256

        2cc1b4a357aa21472c22794e2754a54eef179a8f3ac15087595747a035d5a25a

        SHA512

        65672e6c00c4a2d90b5074ffa28a6bf1d90baba0b16a7746599c86c2033261764b05a8af744a1d9087daed0591806be1ecef877e0ea8c91452a2b926af1e6749

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\wvpllo2g\wvpllo2g.cmdline
        Filesize

        235B

        MD5

        9673bdad5a6079ce1cdabcd46baa5585

        SHA1

        9153a44763cf1fa936df68ee6cc28d266d5c45b3

        SHA256

        ab360c02163b6ae2854eaacd078c35c511b35144fa932ddfc6c73b74fc1f5375

        SHA512

        309748eb40f91fbd073f1e01e916fb74108ddad9eef53b7a50242525127d312bdc5cf95d6c3991367bd773de02cfae8682fc36a14c89c0967a99b7bc46857888

        Download Submit

      • \??\c:\Windows\System32\CSCD4E06EFA696848CC8E36535CE1F8235.TMP
        Filesize

        1KB

        MD5

        1131e33bfceb471c776ec5e8c4fc49bb

        SHA1

        e44f71c90cd3df2de5c0df42aeeb24a1971b7323

        SHA256

        4d622c05b6ab12346a08bc9754c36c3cef68722d408cd44838e73d556cc748b8

        SHA512

        88131afe64e563d6d67a7af0275ccf369df4d70234658c994c80d6075d0c38be57734ff513152b87ec3dda0ae0d62920ae5b09dc355a211138c1461c52224f14

        Download Submit

      • memory/4280-111-0x000000001EE00000-0x000000001EF1E000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4532-39-0x000000001C520000-0x000000001CA48000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4532-49-0x000000001BFA0000-0x000000001BFAE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4532-28-0x000000001BB80000-0x000000001BB90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-30-0x000000001BB90000-0x000000001BB9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4532-32-0x000000001BF10000-0x000000001BF22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-34-0x000000001BEF0000-0x000000001BF00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-36-0x000000001BFB0000-0x000000001BFC6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4532-38-0x000000001BFD0000-0x000000001BFE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-24-0x000000001BBC0000-0x000000001BBD8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4532-41-0x000000001BF00000-0x000000001BF0E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4532-43-0x000000001BF30000-0x000000001BF40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-45-0x000000001BF90000-0x000000001BFA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-47-0x000000001C050000-0x000000001C0AA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/4532-26-0x0000000003110000-0x0000000003120000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-51-0x000000001BFF0000-0x000000001C000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-53-0x000000001C000000-0x000000001C00E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4532-55-0x000000001C030000-0x000000001C048000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4532-57-0x000000001C100000-0x000000001C14E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4532-22-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-20-0x000000001BF40000-0x000000001BF90000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4532-19-0x000000001BBA0000-0x000000001BBBC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4532-17-0x0000000002FA0000-0x0000000002FAE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4532-85-0x00007FFA67AD0000-0x00007FFA68592000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4532-15-0x000000001BB50000-0x000000001BB76000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4532-13-0x00007FFA67AD0000-0x00007FFA68592000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4532-12-0x0000000000C20000-0x0000000000FA8000-memory.dmp

        Filesize

        3.5MB

        Download