Overview

overview

10

Static

static

1

5c004c361f...ad.exe

windows7-x64

10

5c004c361f...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2024 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe

  • Size

    2.2MB

  • MD5

    08cee68cb913dd71800f0283c49af6d3

  • SHA1

    eb4058134cd74c681445a1a81c31ef729c80a7ec

  • SHA256

    5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad

  • SHA512

    1052130474915e5256c1bcc95636489535e38ca23cfb615e6b0e8b6c37c6c6ba89aa793a9aac9321d843d0cd0c6f10c85a30b2b689531c457638ce26555276fc

  • SSDEEP

    49152:+8cRU4kwcctnR19Y1Iqdwc2EyEvh6Re14IIQ+cUznT9PuYXVWXCxzhm:+TXkw5RWlifE3vwVIB+cnYXkgm

Score
10/10
zgratransomwareratspywarestealer

Malware Config

Extracted

Path

C:\bQ8ODxIi2.README.txt

Ransom Note
~~~ AlphaCat ~~~ >>>> Your data are stolen and encrypted >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack worldwide and there is no dissatisfied victim after payment. >>>> You need contact us via email with srenshot of btc transaction and your personal DECRYPTION ID Contact via Email with your personal Decryption id !: [email protected] Send 400$ (0.006 BTC) at this address --> bc1qkr7wxuqwet9w6920vk94p7npkxh33fc7prv55q >>>> Your personal DECRYPTION ID: D53F15BF767167BC50E9A194162EAA2F >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack repeatedly again!

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Renames multiple (592) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe
    "C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe
      "C:\Users\Admin\AppData\Local\Temp\5c004c361f19687d6c34c6d49c81b4736e8223f183b63aafec635613daae89ad.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        • Drops file in System32 directory
        PID:2012
      • C:\ProgramData\DC86.tmp
        "C:\ProgramData\DC86.tmp"
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DC86.tmp >> NUL
          4⤵
            PID:4936
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:1320
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{FC13ADB0-BC73-4082-9AF2-331835EC1CFA}.xps" 133594308795860000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:3980

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\YYYYYYYYYYY
        Filesize

        129B

        MD5

        69c26ca9fd7dc7794ea3c7117b0d66f4

        SHA1

        c5fec14f78aea4e8e92b2a6f34b123be6785fe45

        SHA256

        3af789765f67b156a76d8fb33fd89b334ed4a04c939635fe17af52dd99594be1

        SHA512

        8bfbbadbd0b702a539dbc4e37f79dac5d96e45bb8ac4cfa38f48ddac5525cd7e15de48c49d7f014c37bfa238868a29cb8535e62f37d32779de6d41db91fa39cf

        Download Submit

      • C:\ProgramData\DC86.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
        Filesize

        2.2MB

        MD5

        9a859e04178dffb16a07b1c359d54d5e

        SHA1

        5ee088d5c4b4c4263d08c1cc96cb3ffb4a83f018

        SHA256

        c09f3473bd1197957f7d4e3b2e6abb21ebe4c78a2f6bf82040e72caba3f8272d

        SHA512

        c8d85c6bf9b798f86097a8f8c3e25f7e4bc89687044318e605720bcf1248ab311a908b9c80f94a317bf770331bcaa4e99ae9b79ed1648df14df58cb2db7c07f7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{84CBFB84-FD27-476D-95B2-44872758122A}
        Filesize

        4KB

        MD5

        0a6cec680a7f1edfc01b2b904109de4a

        SHA1

        6ed1e95cce6c491dd9d321e06310bc9a9c637d5d

        SHA256

        797488944a456b5a9685b6b4a9d660d852ee42263188854b1d2fe4736ddd35bd

        SHA512

        f9b104d024a018a3606e3fe5c11bed2e9f8950eb22da9a8c75b481ad003f01ca28f935efa21e34eebfed3421042ca9122a09042e3df7b7c61f97c2ef69ade468

        Download Submit

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
        Filesize

        4KB

        MD5

        3d9889c63b57dfc12072b697c12edb9f

        SHA1

        46c18c86140c3c6d32c90726e63858becba562cd

        SHA256

        13bb5853520fa63c42df0d6bf83a207115960dfd3bb326a4ef5a76c2c08bf284

        SHA512

        a12bed6c0d7b7e99b9cee43933a671270c5edf67f62563878ed6f1401e2a2e6af13313ee6bc22cf8c557aa4ba2c121e01b9652f81bf478b30f0f926a337b8134

        Download Submit

      • C:\bQ8ODxIi2.README.txt
        Filesize

        1KB

        MD5

        4cb6b76b04d22143e3b389c98721d837

        SHA1

        afb40928bf77d3e526c7e4b20ec36124e822e19b

        SHA256

        dfe1dbe31b3e2a8f86a98d3b93094dadc5af07331c6e852617070073175cc14e

        SHA512

        c2b9704c47aa5a27618e438fb62d755c0fac28a6f47acc2a55b1ad05254a751803b78f2cdcee7df5ecafc3fe1c908b5d1280d74822c8bd85fef201b37e8203a9

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        397b2b7a4e2fd076cbb4c4801211aa7f

        SHA1

        404a4ab75ace1ee767c3ada9862aff1594cc2a7d

        SHA256

        ce878b498d42406bfae9c6d96eda01bd760e110afc59211e26989a9ff7d4eccd

        SHA512

        0e58c1c1b675388f9fd192755de62098f7f8c0e4f0bc07af1232934f31c815bf1bfec9c8b5f0ca7588f5eda06f651d8f1bc92855e224081dfc58c873c68d4548

        Download Submit

      • memory/4852-30-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-26-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-12-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-18-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-50-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-68-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-66-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-64-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-62-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-60-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-58-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-56-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-54-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-52-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-48-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-46-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-42-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-40-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-38-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-36-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-35-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-3-0x00000000062A0000-0x0000000006844000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4852-28-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-44-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-32-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-4-0x0000000005CF0000-0x0000000005D82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4852-24-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-22-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-20-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-16-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-14-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-10-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-8-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-6-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-5-0x0000000005AC0000-0x0000000005CEC000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-4885-0x0000000074670000-0x0000000074E20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4852-4886-0x0000000074670000-0x0000000074E20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4852-4887-0x0000000005F70000-0x0000000005FDE000-memory.dmp

        Filesize

        440KB

        Download

      • memory/4852-4888-0x0000000006020000-0x000000000606C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4852-4889-0x00000000061D0000-0x0000000006224000-memory.dmp

        Filesize

        336KB

        Download

      • memory/4852-4895-0x0000000074670000-0x0000000074E20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4852-0-0x000000007467E000-0x000000007467F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4852-1-0x0000000000DE0000-0x000000000101A000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4852-2-0x0000000005AC0000-0x0000000005CF2000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4984-4896-0x0000000002EF0000-0x0000000002F00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4984-7668-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/4984-4897-0x0000000002EF0000-0x0000000002F00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4984-4898-0x0000000002EF0000-0x0000000002F00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4984-4894-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download