Overview

overview

10

Static

static

1

5c004c361f...ad.exe

windows7-x64

10

5c004c361f...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2024 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe

  • Size

    2.2MB

  • MD5

    08cee68cb913dd71800f0283c49af6d3

  • SHA1

    eb4058134cd74c681445a1a81c31ef729c80a7ec

  • SHA256

    5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad

  • SHA512

    1052130474915e5256c1bcc95636489535e38ca23cfb615e6b0e8b6c37c6c6ba89aa793a9aac9321d843d0cd0c6f10c85a30b2b689531c457638ce26555276fc

  • SSDEEP

    49152:+8cRU4kwcctnR19Y1Iqdwc2EyEvh6Re14IIQ+cUznT9PuYXVWXCxzhm:+TXkw5RWlifE3vwVIB+cnYXkgm

Score
10/10
zgratransomwareratspywarestealer

Malware Config

Extracted

Path

C:\bQ8ODxIi2.README.txt

Ransom Note
~~~ AlphaCat ~~~ >>>> Your data are stolen and encrypted >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack worldwide and there is no dissatisfied victim after payment. >>>> You need contact us via email with srenshot of btc transaction and your personal DECRYPTION ID Contact via Email with your personal Decryption id !: [email protected] Send 400$ (0.006 BTC) at this address --> bc1qkr7wxuqwet9w6920vk94p7npkxh33fc7prv55q >>>> Your personal DECRYPTION ID: D53F15BF767167BCE76F1A7030FFAFDE >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack repeatedly again!

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Renames multiple (310) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe
    "C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe
      "C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe"
      2⤵
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\ProgramData\3830.tmp
        "C:\ProgramData\3830.tmp"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:768
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\3830.tmp >> NUL
          4⤵
            PID:1652
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:2096

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\FFFFFFFFFFF
        Filesize

        129B

        MD5

        859205728036aa5651adab9f174cd860

        SHA1

        0678d8c223569297193e406faf2cecf41bcad135

        SHA256

        93feae591ca01462ccc80942346cf1275a6db44d2ae7ffe8298b5a0df44eccd3

        SHA512

        dd240c7d860eff3d16bb1e94faaa6e4f340095294b6cd76fc8a84895759d96cfae6632e359ee9b651abc683f30d187829b9630216c13106bef2d4f3863e427bd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
        Filesize

        2.2MB

        MD5

        f4941b9be2501883d4faccfed948a521

        SHA1

        a0f49ceb7524e645efbca9023c12e3a59566174a

        SHA256

        4dcce39717556f3154baedeb977603aee7e06ba94f75ccc560e93c0c9f7a118a

        SHA512

        7c470a1138391f3c0eeb83ac92da789a2c4cd2d16b54f9f43b35c22f1d6dd68371002ca8753e553ae985a82e48964e23d977964b2feade3d704c09e3b32b74b8

        Download Submit

      • C:\bQ8ODxIi2.README.txt
        Filesize

        1KB

        MD5

        f0b697934348467f5b9753ca4d3ee446

        SHA1

        3fd375edf5370c8a0d1ca865184acbac4e6e5434

        SHA256

        4436693db457d1c68ab9f97c250f23be14b1cc7d1d1967a3aa0cc2720b78256a

        SHA512

        f224d30241efacab7cad91d259c50504537417e4eb4257f64c6de95bc9c0bc5a3ac490c6ff663d96b7b64945dd0a05f37abb2ce419e937837e9de7389617dd1c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        88015909e011fd080d724e71ad5d2173

        SHA1

        7655b997c550898b367965e2997ec2d8c96ac308

        SHA256

        fd0cd26988c668f7750e265a3884b85d03e4dccca44cf64b7bca877308de9d92

        SHA512

        beaacc2ad4ba4ef882140f70c42dab5cac13b1d72e819612efac2acf6b98a05efb9a46427f9229d0ceb5ec2217d22afc14f8532ac793e85ffa97b33d878a0ce3

        Download Submit

      • \ProgramData\3830.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • memory/768-5764-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/768-5793-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/768-5794-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/768-5761-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/768-5762-0x0000000002160000-0x00000000021A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/768-5763-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1072-38-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-58-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-10-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-14-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-16-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-18-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-20-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-22-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-26-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-30-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-34-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-32-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-28-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-24-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-36-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-12-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-60-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-40-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-66-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-64-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-62-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-8-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-56-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-54-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-52-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-50-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-48-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-46-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-44-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-42-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-4883-0x00000000742C0000-0x00000000749AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1072-4-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-3-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-6-0x0000000004B00000-0x0000000004D2C000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-2-0x0000000004B00000-0x0000000004D32000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-1-0x0000000000140000-0x000000000037A000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1072-0-0x00000000742CE000-0x00000000742CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1072-4884-0x0000000002280000-0x00000000022EE000-memory.dmp

        Filesize

        440KB

        Download

      • memory/1072-4885-0x00000000022F0000-0x000000000233C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1072-4886-0x00000000023A0000-0x00000000023F4000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1072-4910-0x00000000742C0000-0x00000000749AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1720-4911-0x0000000002620000-0x0000000002660000-memory.dmp

        Filesize

        256KB

        Download