Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
08-05-2024 07:16
General
-
Target
5186cafa1e8ce4e242411acc52996aaa.exe
-
Size
6.1MB
-
MD5
5186cafa1e8ce4e242411acc52996aaa
-
SHA1
c14b7773f62bb601e4f910ae595cbc8d1f641c32
-
SHA256
a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a
-
SHA512
a351d17942033364fe8e8e48673c25a1b7988c83432961e35a036d54ab08c9a3b095b5784de9d7442e31f42e41401aaec79b3facd96fcd9a9fa93afd283eb42b
-
SSDEEP
196608:ZwHfJ12mWXFSrOyruZ1e1l+Sc6Z2Fd6GymVVdq:QIFSrOwk0m3a9hMA
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5186cafa1e8ce4e242411acc52996aaa.exe"C:\Users\Admin\AppData\Local\Temp\5186cafa1e8ce4e242411acc52996aaa.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe"C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\componentRuntimehost\qJhC.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\componentRuntimehost\ZSAMlm727VnRbcACh79Hay0D7R9lrDKrBu.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- Modifies registry key
-
-
C:\Users\Admin\AppData\Roaming\componentRuntimehost\BridgeChainportWebInto.exe"C:\Users\Admin\AppData\Roaming\componentRuntimehost/BridgeChainportWebInto.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8GrgZnUaQS.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
-
-
C:\Users\Default\SendTo\SearchApp.exe"C:\Users\Default\SendTo\SearchApp.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
165B
MD5ede4ccd6ed1a967f67917bb39914c14f
SHA1741baefb370040cfffb85cb380e75aaf9b5f4e64
SHA256e497ad671fc67ec464d6fa34069e6d87367a4aa3af82a6e1eb68526789563b5a
SHA5128f57a4dff49280491013f3e2888fcce79e5556f893fe44638c762e9ad13f5e21ba140f6f395da81005dc85bfd9062fd698eeae57b5ef828fe33bc3b6699df990
-
Filesize
3.9MB
MD52cf0a29383fd0b2054138434eed1b265
SHA184138a0182af9ef5c6b31255bd85707e0ad6a0c3
SHA256e4011f2b2426a6fcb2f48317c8623a9d7583b782b2a4f10caee19f0df70b4185
SHA5123977b288e3512184bed9ead0947f35cb6e3c95c83a517cadd8c63ed642fbb47a41e9ac30c43a0f877ed33bd13a482e082c308081b387e7d339f71c3582da91ca
-
Filesize
11.4MB
MD5af3137e67eabdae073fdc900f863f6a8
SHA153d956673d51d05f17374a778fa08c70f3d33372
SHA256659517254a9b0f0478c4f601326dd9d9afd8f86308179e202fe6b89184b9a0c9
SHA5124edbdcee2328256a7fa01c0b4aaa18f24a4c392269cefdcdad34bf2b222edd4332b654da36223925dd1769eb463e5163344342da30f1dd2f7fd54fa64c9bb4ad
-
Filesize
3.4MB
MD551a33d556ce031ad0a5e752f10b00a13
SHA1f05e11e3034481de8590ee4afd912628cacfde9a
SHA256eab0d35dc956885b222e69fde419f3974db712c98bbb23f41325388bde0cc341
SHA512c27a18ebee3e32854e4ad136c3af7de753764a9b44fc024487eb4a197a3f68b506f8578c4beab63e23c64b4e8ce10d63d2987b78175a9691e9aec9fc13887356
-
Filesize
212B
MD5f4846b111f4c8ced35bf1ed60502270f
SHA1625bb8296688ca9cde0c60c60cc17ed83383050c
SHA2562b20a48f281b60176569332a9e56f5aa7911ba9793f87f9729aafc81aab5a6cd
SHA512ef77a850b15f988754eb17c48ce84e15bcf824c4bcc64ac7f5f372f86fee5738de67417fd0cf56271d1701b5256edcf4ad8603b5fab28016af8e28359967df67
-
Filesize
240B
MD5cf441f15daf3339180706cf594e97131
SHA1ca5663745d79bd9196fea24b51d6061f79355d3c
SHA2569a2afde59f2326a4cfbc827e87c7270da20d4a6e19e8d00b5b3a479c26f8ad13
SHA51237d2b08ca78ee06fbcc93577a31a243670fd4efce506449e2e4e3b33c2319081e1f905f8651a642112386620f6551c1a598cdc7f69e682ee252fddc2fa9cde74
-
Filesize
820KB
-
Filesize
8KB
-
Filesize
6.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
312KB
-
Filesize
820KB
-
Filesize
152KB
-
Filesize
3.4MB