Overview

overview

10

Static

static

3

6b69c673ff...b9.exe

windows7-x64

10

6b69c673ff...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 22:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b69c673ff9e603d005dd5cb70c85c9734a674e1199b352d9ed6c6b556301bb9.exe

  • Size

    2.0MB

  • MD5

    438a23a191cf5958c016de195fcc3597

  • SHA1

    8552671019aea770bc716371f1db26c3ca39db6c

  • SHA256

    6b69c673ff9e603d005dd5cb70c85c9734a674e1199b352d9ed6c6b556301bb9

  • SHA512

    42eeb7ec3ae7712da2ed6a8dc4bfa365272a1a29dd42d61dc1ac7135e4872357f135984b58fa2c77f2bc9a3c5e2ade28126b1681781ac32835fd7a5e0dc37ba1

  • SSDEEP

    49152:wZB1G8YhJpbR8cVlfYkvzOzu0tL21idgbysLBZU:+3GXF8glfJSz1tYidgmWHU

Score
10/10
zgratpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables packed with unregistered version of .NET Reactor 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b69c673ff9e603d005dd5cb70c85c9734a674e1199b352d9ed6c6b556301bb9.exe
    "C:\Users\Admin\AppData\Local\Temp\6b69c673ff9e603d005dd5cb70c85c9734a674e1199b352d9ed6c6b556301bb9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\ProviderPerf.sfx.exe
        ProviderPerf.sfx.exe -p1234
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2776
        • C:\ProviderPerf.exe
          "C:\ProviderPerf.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n4niumak\n4niumak.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2904
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C8C.tmp" "c:\Windows\System32\CSCD129147D927D4C839F3CA7FFDE36FB8C.TMP"
              6⤵
                PID:2332
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7OS66bxU3.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1680
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2364
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:2372
                  • C:\Users\Default\Links\sppsvc.exe
                    "C:\Users\Default\Links\sppsvc.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2492
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ProviderPerfP" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\ProviderPerf.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2856
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ProviderPerf" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\ProviderPerf.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ProviderPerfP" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\ProviderPerf.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2176
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1568
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1552
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1516
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2288
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2080
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1852
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2500
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:484
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ProviderPerfP" /sc MINUTE /mo 13 /tr "'C:\ProviderPerf.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:964
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ProviderPerf" /sc ONLOGON /tr "'C:\ProviderPerf.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ProviderPerfP" /sc MINUTE /mo 7 /tr "'C:\ProviderPerf.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:836

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\1.bat
          Filesize

          46B

          MD5

          4a82bcf7b6100bf4e84950f3a9cb1ca6

          SHA1

          5ae4fe9bc40591550a44f7c54acecbe97417ff59

          SHA256

          a075150117326b1ee78ac14416d6c7eacfed225100f5f461387870603548e6b2

          SHA512

          c1581ba25e1fc564c74cab8c3c97543dfbfbfa8184324e53498828d3092043cd94fdf675eaa19dc624cf5433ab91699d0221cbc44b502b291aebbc3ce20daf96

          Download Submit

        • C:\ProviderPerf.exe
          Filesize

          1.8MB

          MD5

          1fd088a7f2c6f661dc836b4aa3e1976e

          SHA1

          50a75e1e812e940495981459647571bffe3e5faf

          SHA256

          23872df970dd5e6083ef487079900895702fe7df2a46cbe6430415ebb0bf9410

          SHA512

          c8335402994883be80fa9b2ef2f8d066231690755f105f23fbec9f3f2cbb1038bc512b7440f04fff91718622847874cac7846ee4fe2ddcbd8fa6a3b9283b7d9e

          Download Submit

        • C:\ProviderPerf.sfx.exe
          Filesize

          1.8MB

          MD5

          631a8ac7656c77990054cf73c147ad8f

          SHA1

          7a40b43a5c17a73774351d4b24e5a1a7cb32ac56

          SHA256

          ef72c67a9135d49e2caf7ce6e8bfbfbd5cd2e63a80ed36703bb5070ab4c21f81

          SHA512

          ec3887ffcb478e5fd1f03a32ad079c59a44e141df0501d4e9931160561e8908bd27e30e51efd42f828a15036780162128e5362ebd82880c8543664f4f2b21960

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES2C8C.tmp
          Filesize

          1KB

          MD5

          b96b034eee3bbe6fca2554edb1118d96

          SHA1

          bf050c07ea7319a3f5679f0a9824fb946192e2f9

          SHA256

          5b7cf861dd11e6c1e91c3e4dd3b4ce48a49d981581909d6d3207d70789bf830b

          SHA512

          4075f6fa3869b90eae975f4679b7ce65eca0134cc5357994084905dcddf4703610df984d995fd94506a9138e76b0211fd18f4c350c7f451e37bad68155538654

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\r7OS66bxU3.bat
          Filesize

          209B

          MD5

          e1ef7759c5a5ba56fe6e9d2a24bc4068

          SHA1

          24851c2127a590b6f0e03929680166aac6e7177f

          SHA256

          af538f30239ba242db23d893d6cab647e9264417c99426fe004fb498e17daf54

          SHA512

          f84abea07e2b3e80c9b925f0b3f7a5c7655b2f83f2843a62803ab42e499d41ab846cbaca3a014486fb30f272323e10bfeb138324da127d3d26a06fdd2a8a74bf

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\n4niumak\n4niumak.0.cs
          Filesize

          391B

          MD5

          b485d5da84ad391628733282ee4f89ab

          SHA1

          74117924375191dbe08aa2facc332d3167068083

          SHA256

          5b3dbaf847f01b6b591a2922f9e5b51500f28a70ef4c7e261d3e3a1e1112564a

          SHA512

          ccd9358e44ccbc9aac5cefb8956d938306d29da6e2602eb1aba4e3c868c3e40371b3b6a823b55d6eafad6d2b94854552f2825639d4585db46654cc9b6693c1ec

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\n4niumak\n4niumak.cmdline
          Filesize

          235B

          MD5

          694877d8bc11ab277fbe1cb8f9e68e48

          SHA1

          de4f0a89ee50f2070a9096c2dc8921e2b1bfd98a

          SHA256

          43a006f9f11827c71eb4d4a4fbecefb20872eec2410bf1156451b05d8e5d7119

          SHA512

          dd6fa74da4317849cb6b1d1a8166d12dcbdb879dbde94e35e3eb0829b61d9f8a1139db0a6f6c8a3d920d5568284d03a1d3067481c4dcf1c5028be7b7a39cfd2d

          Download Submit

        • \??\c:\Windows\System32\CSCD129147D927D4C839F3CA7FFDE36FB8C.TMP
          Filesize

          1KB

          MD5

          bfb5195b3f3a87a55924d32b25f58821

          SHA1

          20a15b7e5c1f8626a991b0018ecff1e0f9bbdd55

          SHA256

          27fc2b6d7eb6b901e442740584ea89682cf613798415d7f431174412a2c78241

          SHA512

          137ad28b8cc1d5a270c6f98fe129697c1a1d6828f8fbeb72a2f290e0242f547c9aeb97d28c818efe717aa6b7833cece46dd6ddd5d033d9d1f5ce442757d2ab3b

          Download Submit

        • memory/2492-75-0x0000000000360000-0x0000000000532000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2788-35-0x00000000013D0000-0x00000000015A2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2788-43-0x0000000000760000-0x0000000000778000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2788-41-0x0000000000530000-0x000000000054C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2788-39-0x00000000003F0000-0x00000000003FE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2788-37-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2788-36-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2788-72-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2788-34-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

          Filesize

          4KB

          Download