Analysis

  • max time kernel
    143s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 01:51

General

  • Target

    a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a.exe

  • Size

    6.1MB

  • MD5

    5186cafa1e8ce4e242411acc52996aaa

  • SHA1

    c14b7773f62bb601e4f910ae595cbc8d1f641c32

  • SHA256

    a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a

  • SHA512

    a351d17942033364fe8e8e48673c25a1b7988c83432961e35a036d54ab08c9a3b095b5784de9d7442e31f42e41401aaec79b3facd96fcd9a9fa93afd283eb42b

  • SSDEEP

    196608:ZwHfJ12mWXFSrOyruZ1e1l+Sc6Z2Fd6GymVVdq:QIFSrOwk0m3a9hMA

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Detects executables packed with an unregistered version of .NET Reactor 3 IoCs
  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a.exe
    "C:\Users\Admin\AppData\Local\Temp\a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe
      "C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\componentRuntimehost\qJhC.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:368
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\componentRuntimehost\ZSAMlm727VnRbcACh79Hay0D7R9lrDKrBu.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1408
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:4720
          • C:\Users\Admin\AppData\Roaming\componentRuntimehost\BridgeChainportWebInto.exe
            "C:\Users\Admin\AppData\Roaming\componentRuntimehost/BridgeChainportWebInto.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3800
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VTwnNdY7rx.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4868
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:3268
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • Runs ping.exe
                  PID:660
                • C:\Program Files\WindowsPowerShell\Modules\OfficeClickToRun.exe
                  "C:\Program Files\WindowsPowerShell\Modules\OfficeClickToRun.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4500
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:456

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe

        Filesize

        3.9MB

        MD5

        2cf0a29383fd0b2054138434eed1b265

        SHA1

        84138a0182af9ef5c6b31255bd85707e0ad6a0c3

        SHA256

        e4011f2b2426a6fcb2f48317c8623a9d7583b782b2a4f10caee19f0df70b4185

        SHA512

        3977b288e3512184bed9ead0947f35cb6e3c95c83a517cadd8c63ed642fbb47a41e9ac30c43a0f877ed33bd13a482e082c308081b387e7d339f71c3582da91ca

      • C:\Users\Admin\AppData\Local\Temp\VTwnNdY7rx.bat

        Filesize

        191B

        MD5

        f7a6ca7702ccaa7ac5ccc64985be19f8

        SHA1

        eeb4bdb404e63c0fd458715d11dd8a61cccc74d6

        SHA256

        61ee11ffe5e1401fe083e7fc5d59f92f9e12afc669ad9b8f850da2ff3770c408

        SHA512

        e5b799c4087892b913b2a5e8c7b3b8de56914d2fa0c12759e34029433e6762ac68de7346d334b6b62e45400bfbecc3785c54211193925fc21fa358d1210b46af

      • C:\Users\Admin\AppData\Local\Temp\injector.exe

        Filesize

        11.4MB

        MD5

        af3137e67eabdae073fdc900f863f6a8

        SHA1

        53d956673d51d05f17374a778fa08c70f3d33372

        SHA256

        659517254a9b0f0478c4f601326dd9d9afd8f86308179e202fe6b89184b9a0c9

        SHA512

        4edbdcee2328256a7fa01c0b4aaa18f24a4c392269cefdcdad34bf2b222edd4332b654da36223925dd1769eb463e5163344342da30f1dd2f7fd54fa64c9bb4ad

      • C:\Users\Admin\AppData\Roaming\componentRuntimehost\BridgeChainportWebInto.exe

        Filesize

        3.4MB

        MD5

        51a33d556ce031ad0a5e752f10b00a13

        SHA1

        f05e11e3034481de8590ee4afd912628cacfde9a

        SHA256

        eab0d35dc956885b222e69fde419f3974db712c98bbb23f41325388bde0cc341

        SHA512

        c27a18ebee3e32854e4ad136c3af7de753764a9b44fc024487eb4a197a3f68b506f8578c4beab63e23c64b4e8ce10d63d2987b78175a9691e9aec9fc13887356

      • C:\Users\Admin\AppData\Roaming\componentRuntimehost\ZSAMlm727VnRbcACh79Hay0D7R9lrDKrBu.bat

        Filesize

        212B

        MD5

        f4846b111f4c8ced35bf1ed60502270f

        SHA1

        625bb8296688ca9cde0c60c60cc17ed83383050c

        SHA256

        2b20a48f281b60176569332a9e56f5aa7911ba9793f87f9729aafc81aab5a6cd

        SHA512

        ef77a850b15f988754eb17c48ce84e15bcf824c4bcc64ac7f5f372f86fee5738de67417fd0cf56271d1701b5256edcf4ad8603b5fab28016af8e28359967df67

      • C:\Users\Admin\AppData\Roaming\componentRuntimehost\qJhC.vbe

        Filesize

        240B

        MD5

        cf441f15daf3339180706cf594e97131

        SHA1

        ca5663745d79bd9196fea24b51d6061f79355d3c

        SHA256

        9a2afde59f2326a4cfbc827e87c7270da20d4a6e19e8d00b5b3a479c26f8ad13

        SHA512

        37d2b08ca78ee06fbcc93577a31a243670fd4efce506449e2e4e3b33c2319081e1f905f8651a642112386620f6551c1a598cdc7f69e682ee252fddc2fa9cde74

      • memory/3488-0-0x00007FFC22ED3000-0x00007FFC22ED5000-memory.dmp

        Filesize

        8KB

      • memory/3488-1-0x0000000000010000-0x0000000000636000-memory.dmp

        Filesize

        6.1MB

      • memory/3488-10-0x00007FFC22ED0000-0x00007FFC23991000-memory.dmp

        Filesize

        10.8MB

      • memory/3488-16-0x00007FFC22ED0000-0x00007FFC23991000-memory.dmp

        Filesize

        10.8MB

      • memory/3800-43-0x000000001B930000-0x000000001B940000-memory.dmp

        Filesize

        64KB

      • memory/3800-53-0x000000001CA30000-0x000000001CA46000-memory.dmp

        Filesize

        88KB

      • memory/3800-36-0x000000001B940000-0x000000001B95C000-memory.dmp

        Filesize

        112KB

      • memory/3800-37-0x000000001C9C0000-0x000000001CA10000-memory.dmp

        Filesize

        320KB

      • memory/3800-39-0x000000001B920000-0x000000001B930000-memory.dmp

        Filesize

        64KB

      • memory/3800-41-0x000000001C970000-0x000000001C988000-memory.dmp

        Filesize

        96KB

      • memory/3800-32-0x000000001BA80000-0x000000001BAA6000-memory.dmp

        Filesize

        152KB

      • memory/3800-45-0x000000001B960000-0x000000001B970000-memory.dmp

        Filesize

        64KB

      • memory/3800-47-0x000000001BAB0000-0x000000001BABE000-memory.dmp

        Filesize

        56KB

      • memory/3800-49-0x000000001C990000-0x000000001C9A2000-memory.dmp

        Filesize

        72KB

      • memory/3800-51-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

        Filesize

        64KB

      • memory/3800-34-0x000000001B8D0000-0x000000001B8DE000-memory.dmp

        Filesize

        56KB

      • memory/3800-55-0x000000001CA50000-0x000000001CA62000-memory.dmp

        Filesize

        72KB

      • memory/3800-56-0x000000001D1A0000-0x000000001D6C8000-memory.dmp

        Filesize

        5.2MB

      • memory/3800-58-0x000000001BAD0000-0x000000001BAE0000-memory.dmp

        Filesize

        64KB

      • memory/3800-60-0x000000001C9B0000-0x000000001C9C0000-memory.dmp

        Filesize

        64KB

      • memory/3800-62-0x000000001CCD0000-0x000000001CD2A000-memory.dmp

        Filesize

        360KB

      • memory/3800-64-0x000000001CA10000-0x000000001CA1E000-memory.dmp

        Filesize

        56KB

      • memory/3800-66-0x000000001CC90000-0x000000001CCA8000-memory.dmp

        Filesize

        96KB

      • memory/3800-70-0x000000001CD80000-0x000000001CDCE000-memory.dmp

        Filesize

        312KB

      • memory/3800-68-0x000000001CA20000-0x000000001CA2C000-memory.dmp

        Filesize

        48KB

      • memory/3800-30-0x0000000000AB0000-0x0000000000E1A000-memory.dmp

        Filesize

        3.4MB

      • memory/4500-110-0x000000001D990000-0x000000001DAA5000-memory.dmp

        Filesize

        1.1MB