Analysis
-
max time kernel
129s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
06-05-2024 19:31
General
-
Target
15b75648ad8160565cfd4008ae223ce0.exe
-
Size
1.8MB
-
MD5
15b75648ad8160565cfd4008ae223ce0
-
SHA1
2800a25191362b57c9762c74fc668960f11937bc
-
SHA256
81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d
-
SHA512
25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b
-
SSDEEP
24576:pRr3fEcKSoIu4cMlay9GvZsk8ynlK01Pi5LO1K4Bb/8GeAyb1L5ZXMUJcapQKS3L:TAUpQ8yU26a1KU8ZAyb15ea61pFWcig
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0.exe"C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0h3eyuss\0h3eyuss.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EBE.tmp" "c:\Windows\System32\CSC6BCCD7C08435416D8E47131E6C86CA93.TMP"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zxrt9fY3QQ.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
-
-
C:\Windows\Migration\WTR\Idle.exe"C:\Windows\Migration\WTR\Idle.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "15b75648ad8160565cfd4008ae223ce01" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "15b75648ad8160565cfd4008ae223ce0" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "15b75648ad8160565cfd4008ae223ce01" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD515b75648ad8160565cfd4008ae223ce0
SHA12800a25191362b57c9762c74fc668960f11937bc
SHA25681e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d
SHA51225eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b
-
Filesize
1KB
MD5621c988ecfe2c3c5ec16dfccb61c6fc9
SHA1457c840b632011daf28f8fe84889c9cf20d9b4f8
SHA256afd257d7455d475036d19e141f6768628984a54e66c5ef6c9f984f4792cde110
SHA51270ca21b95aff8a1ee900b60701a3ebbda82e128b3d4270075595d1209f9bf18f1ae88c05832a3d7947e8e0267d5ec2bfecfde5b48e3c16de74aedde208d1115c
-
Filesize
161B
MD538f864a77c1f27b01c884d547c15f733
SHA1f8db4473572eb11bcab6363a8b046a75a91dcbe8
SHA256261889fcb59b0c5588482e3f18ace23a0e39888b0f87696eb6013aed2d48ca35
SHA5127285477cdddf9b2d04d11c7a0fc9f4445f2613b334ca2acc413ccbef83ae1f564361bdff67d3edb85b6c4b27467be0c70e09bdea92270e73dfcb0a01049c87c7
-
Filesize
389B
MD55af43db4b68ca5aa4ef9aa4e4f7d9457
SHA159cb79ebc1e63e0f8d1a36825d010a17545bb619
SHA2567397c32f32023391e3563ca3483e90445c7fa423238a76c61c2d4c9225fdb7d8
SHA5122bfac92b297287054d0b19fde573da4c8d78643a8efe8d8420fb4ed1fdcc227a11a5562dc5e319a498cfb309eff3f164345cb00a57a9b34e5a2578cd56374efd
-
Filesize
235B
MD5b9584ade48b65adda073b4b06062d9f8
SHA141e11a7a1fdf86c561214ff5ef8732133a35da06
SHA256324b873656fba3bdbb4a86131c0a0506be6fb9c24c8d75c5e314cb29b0c8db08
SHA512abd8c4e4d159c70af81f6e290feaec80515900d503df457a9300b882c5919d9d4fe30e2ab5399d7d26128906ffb786bdca9966c8ffa25a17ab910f844009c296
-
Filesize
1KB
MD5984924caf6574026769de34f35c2358e
SHA16dd41e492235d812252231912aa025f47fa7a9e7
SHA2562bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986
SHA5125918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46
-
Filesize
1.9MB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
96KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
1.9MB