Analysis

  • max time kernel
    121s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-05-2024 12:21

General

  • Target

    294cbb78a81c7e183d683023389ef164c44b018bb5c033082fffd37e5ff1a71e.exe

  • Size

    2.0MB

  • MD5

    2d05bc27aa2615cf6e2c9511234d8a66

  • SHA1

    4ae44f4c518302a51f745d6ca36e8f4c501bb9e3

  • SHA256

    294cbb78a81c7e183d683023389ef164c44b018bb5c033082fffd37e5ff1a71e

  • SHA512

    c94077299b22dab65f60fca308dc074ade9262b256e693267b8dccbbd12ae702a63202c43854196b49b9f7de233614dc49a08d41dc98264970fffe4f8ea4fd62

  • SSDEEP

    24576:2TbBv5rUyXVWciyxcGgPmGJ5CNvo3h9Uzt/RUr0YOnWiqj+7A/X0Vp6W5GuqSD53:IBJWsgB2yoQ4k/ECW5Gu5xdGjPIT99

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\294cbb78a81c7e183d683023389ef164c44b018bb5c033082fffd37e5ff1a71e.exe
    "C:\Users\Admin\AppData\Local\Temp\294cbb78a81c7e183d683023389ef164c44b018bb5c033082fffd37e5ff1a71e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\websvc\LegP3y2soeCNnL8HdRY.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\websvc\y9ztcmF5ctLA82LeTg.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\websvc\BlockDhcpCommon.exe
          "C:\websvc/BlockDhcpCommon.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2616
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GVacvjJViC.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2444
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2856
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:2668
              • C:\Windows\es-ES\System.exe
                "C:\Windows\es-ES\System.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1516

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\GVacvjJViC.bat

      Filesize

      155B

      MD5

      aaec773ed5558a766beb789f62ce7f3b

      SHA1

      d6dc87b41157bc5e80ceb60da38979e38a6ae392

      SHA256

      54050f4b35e823fc4de30b9a5a8bb05e2efefdaacca8059fc097740c39ef7306

      SHA512

      e4f8e0fe9a3e6667c14911bb482710aaa87c77aefeb5a6f1e4d9afcdc607f76e7e747f31b7f38124c344f9c120a553a570fa7c9c35d80024894685fde3b1dce2

    • C:\websvc\LegP3y2soeCNnL8HdRY.vbe

      Filesize

      203B

      MD5

      1e98c1f7a591cf59345967aceba3f2a6

      SHA1

      5a21ad8148646b4eb1caef820030a6c434ae5c83

      SHA256

      91161275b8ff2d123c7a002e69be6a08a32668e484d6435cbd2b5b392cbeb0f7

      SHA512

      37b23746d8d126a1a5066849b6fe8c23fc6a4a13863e0332505e7326278f3ee57cbc764f105fa2cd532a3530fa1e3da99c98c6394e61da3b7e9a1cbd4cd1fd06

    • C:\websvc\y9ztcmF5ctLA82LeTg.bat

      Filesize

      72B

      MD5

      0cee51099cbfa8470b3b3a2ca45afeef

      SHA1

      1e010e1f08364ad45de1952105875aeaa099b217

      SHA256

      d091e51f562c2aee640cedb882f3c5f93bbb6df7a52887ae2b6ec26fcfd2e90d

      SHA512

      7b35d78e7e70a2cef4c9d85c542a37c855aed47f7dac84fc20710c936d76e72d00cb2b9dd62550eaf09fc91ea328c19bd5bc692166eade6691a9fee94b273573

    • \websvc\BlockDhcpCommon.exe

      Filesize

      1.7MB

      MD5

      7c12d48df8f08a95701197c514269a50

      SHA1

      4f99360c54ad2cce0afe14ddb37697f6777795c8

      SHA256

      6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

      SHA512

      37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d

    • memory/1516-33-0x00000000012F0000-0x00000000014A2000-memory.dmp

      Filesize

      1.7MB

    • memory/2616-13-0x00000000003C0000-0x0000000000572000-memory.dmp

      Filesize

      1.7MB

    • memory/2616-15-0x0000000000330000-0x000000000034C000-memory.dmp

      Filesize

      112KB