Analysis
-
max time kernel
142s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
09-05-2024 03:11
General
-
Target
b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe
-
Size
3.6MB
-
MD5
ae6fa9bafb66f9f7abef04452e02bc1c
-
SHA1
9ef051f253f58a97df773d3ab14654320191a08d
-
SHA256
b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f
-
SHA512
098dd73c9f75fd90ceb897f487d80c556456246ced0880057a317dd07c96900ab217cff500e363aa27e2debdde639f0be492ae84eabfd55846cbbf2b8cbd238c
-
SSDEEP
49152:IBJ7Cz5hm/qbhLLVAaM0+aSp0a+utgmvaIQLk7vsFMT2QbZCsL5A+rTpeZicE:ypCz5hvLqa3fSp0a+u6mt6cZnFDeEf
Malware Config
Signatures
-
Detect ZGRat V1 6 IoCs
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Detects executables packed with unregistered version of .NET Reactor 6 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe"C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ChainProvider\jpxBqgIRsq2SLG1PgyDmjdYOwbC.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ChainProvider\Ue6DPbuBmrgvvM.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ChainProvider\BridgeWin.exe"C:\ChainProvider/BridgeWin.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wecdgk2q\wecdgk2q.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59D3.tmp" "c:\Windows\System32\CSCEDB5FC9FC77B459ABBA87BD8A62AF982.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gjbg6SrjC.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
-
C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7vUbsmDZqq.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tLBDHjzlZn.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UZvaQo7Ba.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- Runs ping.exe
-
-
C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L3SaAS0x6v.bat"13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD508efce1648b0191ab668a92693f404d2
SHA18e0e2293ac8a05c4ead1db9f35131814af0f0838
SHA2564a9ccd37881052fa211713f88560e534684dc38bf54869b89e044f1606924191
SHA51286a7f9f8dd555408de32ebbc43825da2d01bdf1504d0ccd7d087195586f0276726444c11b1e6cc5c4c2bb7aaf3e7ec1ccd885ded7168b2f800c42aa012169186
-
Filesize
65B
MD56c93675d5528de536918490f2a030831
SHA1ea764eee1b3bde0450319ef30b2433a9a46d4186
SHA2560fef681907e2cf1e93b3ed1f68439901833d5ada3c70aa374e024560bfc86d64
SHA512c935abd4d5390841784dee4edb8941b26a7fb5091b6d38e329959e70626fa19bb600d957456f079a95ab6ff2ba2f5059ae4ecfebe360d18aaf1ad61edccd6679
-
Filesize
206B
MD555e5be814935518dd671f62280d31bf7
SHA15b2fe2c2bc5b928a1225cf5b01c05dba98384812
SHA2564e6b3324992136821adcecafa68aa60e1ec41664737ed1a75e96de82c3abd979
SHA512873f644b249cebdf2a666e30eb1c06b8e276a5311d72f7c17af7fdad5ff767577c1a1cc2b9d9d84bfee28898e179356aa334aa29596a57549770f737c3d555b0
-
Filesize
180B
MD57892eeadec314a82b0f45ce5b30fe4a0
SHA16ba1ac82b73d6775f07fbae26b2a03f12f26a32a
SHA2567424d52ee356f1a12bf28d774670c9e689015513dcfd46c8c4c5436cde589b73
SHA5128266671c5e92f9d9de45b5959495f32d8d4824416ea3032f2e7cd1dff3d79f84be879b7365950633ba51ab87c730e750f2feb032a4664a57b7dc39b83e5f9ecb
-
Filesize
180B
MD5cf4195e782bc4413323733d3f95e7969
SHA12bb31f6d7c6dc493bf9b043bae12a00b395bb3e0
SHA256de2946b5aa55831c7e68c161d3e99389fb2dabf3a740a7bf6454ef509fa5c221
SHA5125563b97f5c3bfe5229f62b8a235d1572b0ea513cd2feaa8107af574e6ba0c21a771a30839dacd3ecea2a971b4a0b3aee5db687eb0800054e26350233d7ba8df5
-
Filesize
228B
MD52243f87f2d0ed0491232578e913cc321
SHA101b7fa38d052c01fd439c03e8a37477f57e54322
SHA25655791bd34a6625f880d09aabd4499945f5e28e37077a71a595d4989c98d3b232
SHA512152abc04793e72382108c30a131057b00a5cbacdecc2eba4caf45818f8943e1e85a5a6b858df315857e133be15a24e0037efe9723b70675f2b56acdf48763249
-
Filesize
180B
MD5b7051b4e80a227534529c9206df4dd45
SHA186535922177bd967b160be840cf5d490c54b82ff
SHA256061be9cb196ff370e9fbd799484eaed80d7041ec389223e64d23168f331038dd
SHA5127147f256c3cc98691e65071750597cf80bdaed4d7e2a7408171db4ba07d43665d17a50eee0c835a17909b3eca86c019983cf1cc01276fd1baaccf568abe013de
-
Filesize
1KB
MD575a445e119178f427996f0fae9d52e35
SHA120ebbe97dea871e81114dd4e4d63868b20ec5cde
SHA2564f857562993092c249f943d972c402971069c9b19fdb90b6952287039fb439a9
SHA5127ee0bf147100682a60820dd8345a5f00b56e10f82c07c247950ff498cae08f4a94d04812a9a906281f332bcf8c94ce234d0463235dc77295b5268ac2ac5126b0
-
Filesize
228B
MD5fd02e30ba2f0c4df62ba55d4872e669c
SHA1bbb1d95f50ed93d12a09d3b36dce8e8bbdaef412
SHA25632f195505e3835260d78b82d39bfb1f504dc109cc4eaef03495edebb0dd74ac8
SHA512baf20030ccb27151c4dda92ee6728d84acaa01f0c9abed28f3cb648b0d9465e4bcd1747d92c9fc5a58fc298e144109f224e6f596256cc40efab25c2c013cfe2b
-
Filesize
396B
MD505c05e646bdc37c948a053bd3fd6c91a
SHA1fe536465bae1847e6f5ff4460ddf5ceff6ae29f0
SHA2569db53cd239fee24147c2994efe5e6528726e115f0fe3e4c3b141c51c0d91dc6b
SHA51288712dd341414535f3928eabb8c8e0eab9764383578a9a80a5efe1983e0800a6d3f2dc4e769f299c5e29eaac6d3e05a53890d3fd23807ab18467cabada8517e5
-
Filesize
235B
MD5000685f8fdba1068a2d74ff18ad04024
SHA1b3da3bd64e75e70019419efe0b70dc17c6396854
SHA256751792f5da05ceb99cf0d19c18ed9440d6fc42ce30f3636f6e1392f6c32c54a4
SHA5126a837a8701eec9ae5f42208915fcc93d7b92e406c0ebcd4d6a27686778eaf3a22b18719f8f87a5885e2342552ebb4b4ea1cb775a2db666d38640ef384b5c308d
-
Filesize
1KB
MD5dc62d02b56d310e294d158c225b91f50
SHA1844e69b5ff0328e80441c54dbdff39d82c3263ba
SHA256be8b5c97dc2eb2b7a62245da79d879ac20bb8e123c06b565f27e330bfe4fa0f8
SHA51223e9004baf3f7dc17611fa3fa65e5c8dbd0c49cb43b831688eec9b938c28a3ca6029d737de77810271ac9f0779c27f62db123d2831aee13527d0a3088c39c209
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
312KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
3.3MB