Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-05-2024 12:21

General

  • Target

    294cbb78a81c7e183d683023389ef164c44b018bb5c033082fffd37e5ff1a71e.exe

  • Size

    2.0MB

  • MD5

    2d05bc27aa2615cf6e2c9511234d8a66

  • SHA1

    4ae44f4c518302a51f745d6ca36e8f4c501bb9e3

  • SHA256

    294cbb78a81c7e183d683023389ef164c44b018bb5c033082fffd37e5ff1a71e

  • SHA512

    c94077299b22dab65f60fca308dc074ade9262b256e693267b8dccbbd12ae702a63202c43854196b49b9f7de233614dc49a08d41dc98264970fffe4f8ea4fd62

  • SSDEEP

    24576:2TbBv5rUyXVWciyxcGgPmGJ5CNvo3h9Uzt/RUr0YOnWiqj+7A/X0Vp6W5GuqSD53:IBJWsgB2yoQ4k/ECW5Gu5xdGjPIT99

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\294cbb78a81c7e183d683023389ef164c44b018bb5c033082fffd37e5ff1a71e.exe
    "C:\Users\Admin\AppData\Local\Temp\294cbb78a81c7e183d683023389ef164c44b018bb5c033082fffd37e5ff1a71e.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\websvc\LegP3y2soeCNnL8HdRY.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\websvc\y9ztcmF5ctLA82LeTg.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\websvc\BlockDhcpCommon.exe
          "C:\websvc/BlockDhcpCommon.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1892
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19emZKS7QZ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3048
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:4292
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:112
                • C:\Users\Admin\Start Menu\dllhost.exe
                  "C:\Users\Admin\Start Menu\dllhost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1648

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\19emZKS7QZ.bat

        Filesize

        213B

        MD5

        c4bc37d3d86bba4e4c848e67d5ad6eca

        SHA1

        f9e07b6b45d56982fb83e5a467cc9c0ecb9d7e77

        SHA256

        f075c6510bb5892fba02f8edc31a5b6362b69bb0adad18b9041e30aff6810493

        SHA512

        71abc813278ae46826f92d11e8e17c25c7a30091873f5bd71a4b533c20e14fd181861eae8da72f092adae6c174b1efefdde76022b477ec7bc5dfbc53475aeb45

      • C:\websvc\BlockDhcpCommon.exe

        Filesize

        1.7MB

        MD5

        7c12d48df8f08a95701197c514269a50

        SHA1

        4f99360c54ad2cce0afe14ddb37697f6777795c8

        SHA256

        6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

        SHA512

        37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d

      • C:\websvc\LegP3y2soeCNnL8HdRY.vbe

        Filesize

        203B

        MD5

        1e98c1f7a591cf59345967aceba3f2a6

        SHA1

        5a21ad8148646b4eb1caef820030a6c434ae5c83

        SHA256

        91161275b8ff2d123c7a002e69be6a08a32668e484d6435cbd2b5b392cbeb0f7

        SHA512

        37b23746d8d126a1a5066849b6fe8c23fc6a4a13863e0332505e7326278f3ee57cbc764f105fa2cd532a3530fa1e3da99c98c6394e61da3b7e9a1cbd4cd1fd06

      • C:\websvc\y9ztcmF5ctLA82LeTg.bat

        Filesize

        72B

        MD5

        0cee51099cbfa8470b3b3a2ca45afeef

        SHA1

        1e010e1f08364ad45de1952105875aeaa099b217

        SHA256

        d091e51f562c2aee640cedb882f3c5f93bbb6df7a52887ae2b6ec26fcfd2e90d

        SHA512

        7b35d78e7e70a2cef4c9d85c542a37c855aed47f7dac84fc20710c936d76e72d00cb2b9dd62550eaf09fc91ea328c19bd5bc692166eade6691a9fee94b273573

      • memory/1648-37-0x000000001CA90000-0x000000001CBA5000-memory.dmp

        Filesize

        1.1MB

      • memory/1892-12-0x00007FF8DAA93000-0x00007FF8DAA95000-memory.dmp

        Filesize

        8KB

      • memory/1892-13-0x0000000000930000-0x0000000000AE2000-memory.dmp

        Filesize

        1.7MB

      • memory/1892-15-0x0000000001300000-0x000000000131C000-memory.dmp

        Filesize

        112KB

      • memory/1892-16-0x000000001B780000-0x000000001B7D0000-memory.dmp

        Filesize

        320KB