Overview

overview

10

Static

static

3

6b69c673ff...b9.exe

windows7-x64

10

6b69c673ff...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 22:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b69c673ff9e603d005dd5cb70c85c9734a674e1199b352d9ed6c6b556301bb9.exe

  • Size

    2.0MB

  • MD5

    438a23a191cf5958c016de195fcc3597

  • SHA1

    8552671019aea770bc716371f1db26c3ca39db6c

  • SHA256

    6b69c673ff9e603d005dd5cb70c85c9734a674e1199b352d9ed6c6b556301bb9

  • SHA512

    42eeb7ec3ae7712da2ed6a8dc4bfa365272a1a29dd42d61dc1ac7135e4872357f135984b58fa2c77f2bc9a3c5e2ade28126b1681781ac32835fd7a5e0dc37ba1

  • SSDEEP

    49152:wZB1G8YhJpbR8cVlfYkvzOzu0tL21idgbysLBZU:+3GXF8glfJSz1tYidgmWHU

Score
10/10
zgratpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables packed with unregistered version of .NET Reactor 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b69c673ff9e603d005dd5cb70c85c9734a674e1199b352d9ed6c6b556301bb9.exe
    "C:\Users\Admin\AppData\Local\Temp\6b69c673ff9e603d005dd5cb70c85c9734a674e1199b352d9ed6c6b556301bb9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\ProviderPerf.sfx.exe
        ProviderPerf.sfx.exe -p1234
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4648
        • C:\ProviderPerf.exe
          "C:\ProviderPerf.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4488
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ptmshh1a\ptmshh1a.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:4032
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EAA.tmp" "c:\Windows\System32\CSC79E26FE8A6764791B4C08EB93549F21A.TMP"
              6⤵
                PID:4716
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ajHGejFINX.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1476
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4852
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:4912
                • C:\ProviderPerf.exe
                  "C:\ProviderPerf.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3756
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3240
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2752
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2492
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1520
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2572
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ProviderPerfP" /sc MINUTE /mo 12 /tr "'C:\ProviderPerf.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3096
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ProviderPerf" /sc ONLOGON /tr "'C:\ProviderPerf.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ProviderPerfP" /sc MINUTE /mo 13 /tr "'C:\ProviderPerf.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:680

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\1.bat
        Filesize

        46B

        MD5

        4a82bcf7b6100bf4e84950f3a9cb1ca6

        SHA1

        5ae4fe9bc40591550a44f7c54acecbe97417ff59

        SHA256

        a075150117326b1ee78ac14416d6c7eacfed225100f5f461387870603548e6b2

        SHA512

        c1581ba25e1fc564c74cab8c3c97543dfbfbfa8184324e53498828d3092043cd94fdf675eaa19dc624cf5433ab91699d0221cbc44b502b291aebbc3ce20daf96

        Download Submit

      • C:\ProviderPerf.exe
        Filesize

        1.8MB

        MD5

        1fd088a7f2c6f661dc836b4aa3e1976e

        SHA1

        50a75e1e812e940495981459647571bffe3e5faf

        SHA256

        23872df970dd5e6083ef487079900895702fe7df2a46cbe6430415ebb0bf9410

        SHA512

        c8335402994883be80fa9b2ef2f8d066231690755f105f23fbec9f3f2cbb1038bc512b7440f04fff91718622847874cac7846ee4fe2ddcbd8fa6a3b9283b7d9e

        Download Submit

      • C:\ProviderPerf.sfx.exe
        Filesize

        1.8MB

        MD5

        631a8ac7656c77990054cf73c147ad8f

        SHA1

        7a40b43a5c17a73774351d4b24e5a1a7cb32ac56

        SHA256

        ef72c67a9135d49e2caf7ce6e8bfbfbd5cd2e63a80ed36703bb5070ab4c21f81

        SHA512

        ec3887ffcb478e5fd1f03a32ad079c59a44e141df0501d4e9931160561e8908bd27e30e51efd42f828a15036780162128e5362ebd82880c8543664f4f2b21960

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ProviderPerf.exe.log
        Filesize

        1KB

        MD5

        af6acd95d59de87c04642509c30e81c1

        SHA1

        f9549ae93fdb0a5861a79a08f60aa81c4b32377b

        SHA256

        7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

        SHA512

        93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES5EAA.tmp
        Filesize

        1KB

        MD5

        e97c2781f82241770282488f40322d20

        SHA1

        8626fd14095f0ce9e8b3d48f5587e3492d1d1232

        SHA256

        1e4eeab30c3423ad40ad5b70ac2b339e9d5ad785ffb9c5f88b6bf9b0737f305a

        SHA512

        e9d1e1d23a0a0e82767b8ba4ee0073f9a906ba4914395b65944986b51a94b16592f0416790b9a76b976dbc0678ad8bb11b7978ec804f1e726ae36dbbef7efc08

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ajHGejFINX.bat
        Filesize

        147B

        MD5

        0f71dee8838f344f8f9958afb1977cfe

        SHA1

        1bb251af8c3bdc228d4f5ed4555cc24b6e3d20e9

        SHA256

        bac5e1f9d9283fca0d9b2950a50d92cd264261eaf5c44e3059240688afca1594

        SHA512

        55f27ad2feac24b5e2017e208120eeb1bcbb8973e0c02230f682325d2b14a539fba47288818519f53ab91b164f4d3bff3e8604db991a38266811dc3e53d03cda

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ptmshh1a\ptmshh1a.0.cs
        Filesize

        357B

        MD5

        8741ede1edc697ba4d4189d5eb25f52e

        SHA1

        5de67cce9c16582d46d007f7a9ef08233b63da9e

        SHA256

        a488a41f06bc415ddedbcc799c3deb02aa8305479ae216639101efccf2da3947

        SHA512

        9b3c19ebc29fa0738de3f117cb60462de583ec387adcdc034382b9bf6d4415c49ff6e80a43c3e959fadd6f0a6570e5c22051a0f41c7e0235e9d5213e745088be

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ptmshh1a\ptmshh1a.cmdline
        Filesize

        235B

        MD5

        fddeff28dd18f0cb22504bb0506f9f8a

        SHA1

        f95e0e9126bcbfa33c158b78c666af8e91c242a0

        SHA256

        07dfe498ba5d0a00feda86b43d67c0876013ac4e6c2e1d58d06c093d7f9e68ba

        SHA512

        f9bd1422b7e0a0092b52034207182ac430253de553e779ee8ee4e0c9fe667ee77087b569f6990e6ad287eb5a012050bc00fe5a1141504fa191cd7641cbc90936

        Download Submit

      • \??\c:\Windows\System32\CSC79E26FE8A6764791B4C08EB93549F21A.TMP
        Filesize

        1KB

        MD5

        d52087709e2274a5a9381789082a9d03

        SHA1

        e1f693bc2b4cd35e7abdea93dc0bb77ef6ddce59

        SHA256

        f4091edfc561d6d16cdb8f686a10ebade8c6a9239730fddb9c652a1c005790c2

        SHA512

        5e448e07b49f301dd1d815818527f88d32cac7e869cd8120651b940783a29a18c2b4ec87ad18ce3a85c6973e4b676d9499068e3b805c972b6a95660a3c7dae12

        Download Submit

      • memory/4488-22-0x0000000000810000-0x00000000009E2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4488-29-0x000000001B570000-0x000000001B588000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4488-27-0x000000001BA10000-0x000000001BA60000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4488-26-0x0000000002BC0000-0x0000000002BDC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4488-24-0x00000000012C0000-0x00000000012CE000-memory.dmp

        Filesize

        56KB

        Download