Overview

overview

10

Static

static

10

132ef1a933...c3.exe

windows7-x64

10

132ef1a933...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    06-05-2024 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    132ef1a933f9d26fb0bb46b0a970dbfe05ad8fe0859ece8eb973b5584a580cc3.exe

  • Size

    2.6MB

  • MD5

    71f0e2645d9051c3a8f5cf2dbce9d074

  • SHA1

    a303632965f9fdc3b7cb4c532831c0b38f24df90

  • SHA256

    132ef1a933f9d26fb0bb46b0a970dbfe05ad8fe0859ece8eb973b5584a580cc3

  • SHA512

    14625c8fe238a41c0a45579731a15a705f153681a0f4e212b8315e3f5643542c57e17f82c247552b21417aa92dce36fd40fbcaaf85b4fb462182c2814f4f8077

  • SSDEEP

    49152:Til/s9YkCKuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9u:OVsGkClzsG1tQRjdih8rwc

Score
10/10
zgratransomwareratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\132ef1a933f9d26fb0bb46b0a970dbfe05ad8fe0859ece8eb973b5584a580cc3.exe
    "C:\Users\Admin\AppData\Local\Temp\132ef1a933f9d26fb0bb46b0a970dbfe05ad8fe0859ece8eb973b5584a580cc3.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1600
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:268
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:840
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SendNotifyMessage
        PID:2064

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        5c34f7418fbb7f5a59653bd66a4a2c5b

        SHA1

        0186796bf64a6e685b653dae5624df6ab68414f6

        SHA256

        f0e1b497b0f6ab47fbee7fcd8beb654747b57e5ad43b30698ecd7b9f7fa591a6

        SHA512

        3b1abb3f0c0da3f09c500eb45ac892b48928bad6d7f894a372f74475cf87f16e43bce049a890c7eca085f2a9f2674452f2f3e52986c5e97db967c989742356fb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit

      • memory/1600-11-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1600-1-0x0000000000EE0000-0x000000000117A000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/1600-10-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1600-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1600-12-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1600-13-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1600-14-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1600-15-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1600-68-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1600-9-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1600-45-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1600-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2064-67-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2064-66-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/2576-18-0x000000007151D000-0x0000000071528000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2576-17-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2576-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2576-65-0x000000007151D000-0x0000000071528000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2576-16-0x000000002F291000-0x000000002F292000-memory.dmp

        Filesize

        4KB

        Download