Overview

overview

10

Static

static

3

5186cafa1e...aa.exe

windows7-x64

10

5186cafa1e...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-05-2024 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5186cafa1e8ce4e242411acc52996aaa.exe

  • Size

    6.1MB

  • MD5

    5186cafa1e8ce4e242411acc52996aaa

  • SHA1

    c14b7773f62bb601e4f910ae595cbc8d1f641c32

  • SHA256

    a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a

  • SHA512

    a351d17942033364fe8e8e48673c25a1b7988c83432961e35a036d54ab08c9a3b095b5784de9d7442e31f42e41401aaec79b3facd96fcd9a9fa93afd283eb42b

  • SSDEEP

    196608:ZwHfJ12mWXFSrOyruZ1e1l+Sc6Z2Fd6GymVVdq:QIFSrOwk0m3a9hMA

Score
10/10
zgratevasionratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 4 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5186cafa1e8ce4e242411acc52996aaa.exe
    "C:\Users\Admin\AppData\Local\Temp\5186cafa1e8ce4e242411acc52996aaa.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe
      "C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\componentRuntimehost\qJhC.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\componentRuntimehost\ZSAMlm727VnRbcACh79Hay0D7R9lrDKrBu.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:1200
          • C:\Users\Admin\AppData\Roaming\componentRuntimehost\BridgeChainportWebInto.exe
            "C:\Users\Admin\AppData\Roaming\componentRuntimehost/BridgeChainportWebInto.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1204
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xlATJQQti8.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:948
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:1652
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • Runs ping.exe
                  PID:1080
                • C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\cmd.exe
                  "C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\cmd.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1972

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe
      Filesize

      3.9MB

      MD5

      2cf0a29383fd0b2054138434eed1b265

      SHA1

      84138a0182af9ef5c6b31255bd85707e0ad6a0c3

      SHA256

      e4011f2b2426a6fcb2f48317c8623a9d7583b782b2a4f10caee19f0df70b4185

      SHA512

      3977b288e3512184bed9ead0947f35cb6e3c95c83a517cadd8c63ed642fbb47a41e9ac30c43a0f877ed33bd13a482e082c308081b387e7d339f71c3582da91ca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\xlATJQQti8.bat
      Filesize

      219B

      MD5

      77b5371367601566dce885d259516d46

      SHA1

      33dd2a3b4cd09b7021a7149619e06a97d96ac481

      SHA256

      d9965d1b375b2a949ca4b7ca2cf8821cde57a56e65800003dd2e834b00474c71

      SHA512

      8d43941cadec9e67bbd93554aa9a8d183c0eb6572cdb799c558acbf0b5ff6f01cead2a95ad436a4fe5042be4672d1e79f106c6732a30bf1d2dfe856a5eecc903

      Download Submit

    • C:\Users\Admin\AppData\Roaming\componentRuntimehost\ZSAMlm727VnRbcACh79Hay0D7R9lrDKrBu.bat
      Filesize

      212B

      MD5

      f4846b111f4c8ced35bf1ed60502270f

      SHA1

      625bb8296688ca9cde0c60c60cc17ed83383050c

      SHA256

      2b20a48f281b60176569332a9e56f5aa7911ba9793f87f9729aafc81aab5a6cd

      SHA512

      ef77a850b15f988754eb17c48ce84e15bcf824c4bcc64ac7f5f372f86fee5738de67417fd0cf56271d1701b5256edcf4ad8603b5fab28016af8e28359967df67

      Download Submit

    • C:\Users\Admin\AppData\Roaming\componentRuntimehost\qJhC.vbe
      Filesize

      240B

      MD5

      cf441f15daf3339180706cf594e97131

      SHA1

      ca5663745d79bd9196fea24b51d6061f79355d3c

      SHA256

      9a2afde59f2326a4cfbc827e87c7270da20d4a6e19e8d00b5b3a479c26f8ad13

      SHA512

      37d2b08ca78ee06fbcc93577a31a243670fd4efce506449e2e4e3b33c2319081e1f905f8651a642112386620f6551c1a598cdc7f69e682ee252fddc2fa9cde74

      Download Submit

    • \Users\Admin\AppData\Roaming\componentRuntimehost\BridgeChainportWebInto.exe
      Filesize

      3.4MB

      MD5

      51a33d556ce031ad0a5e752f10b00a13

      SHA1

      f05e11e3034481de8590ee4afd912628cacfde9a

      SHA256

      eab0d35dc956885b222e69fde419f3974db712c98bbb23f41325388bde0cc341

      SHA512

      c27a18ebee3e32854e4ad136c3af7de753764a9b44fc024487eb4a197a3f68b506f8578c4beab63e23c64b4e8ce10d63d2987b78175a9691e9aec9fc13887356

      Download Submit

    • memory/1204-37-0x00000000001E0000-0x00000000001F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1204-45-0x0000000000420000-0x0000000000430000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1204-63-0x0000000000D10000-0x0000000000D5E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/1204-25-0x0000000000DC0000-0x000000000112A000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/1204-27-0x0000000000170000-0x0000000000196000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1204-29-0x00000000001A0000-0x00000000001AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1204-31-0x00000000001B0000-0x00000000001CC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1204-33-0x00000000001D0000-0x00000000001E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1204-35-0x00000000005B0000-0x00000000005C8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1204-61-0x0000000000B10000-0x0000000000B1C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1204-39-0x00000000003F0000-0x0000000000400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1204-41-0x0000000000410000-0x000000000041E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1204-43-0x00000000005F0000-0x0000000000602000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1204-59-0x0000000000B30000-0x0000000000B48000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1204-47-0x0000000000610000-0x0000000000626000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1204-49-0x0000000000630000-0x0000000000642000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1204-51-0x00000000005D0000-0x00000000005E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1204-53-0x00000000005E0000-0x00000000005F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1204-55-0x0000000000C30000-0x0000000000C8A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/1204-57-0x0000000000660000-0x000000000066E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1972-82-0x00000000012C0000-0x000000000162A000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2956-11-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2956-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2956-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2956-1-0x0000000000840000-0x0000000000E66000-memory.dmp

      Filesize

      6.1MB

      Download