Overview

overview

10

Static

static

3

872a2f4dec...38.exe

windows7-x64

10

872a2f4dec...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe

  • Size

    8.7MB

  • MD5

    57ec49d438753f3bdfec6a616258b370

  • SHA1

    a34f757f5f2bd4763f04206c0d0cd32ab4491117

  • SHA256

    872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638

  • SHA512

    88bdae1b6a45efa83c4a9ff28a4549c33db28ba2bb1d1911d028090e9dc3831ef57f6577388844a4cfccc60dbca70315a7f9d7311f6638bcf00da97110e1c64a

  • SSDEEP

    196608:ITAJDpNk+Rl4/Xi/yRvyCyKuhBfldGdrmVLaY1rHgu:oAlzJ7yRvyCx+xpgu

Score
10/10
zgratpersistenceratspywarestealerupx

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables packed with unregistered version of .NET Reactor 3 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
    "C:\Users\Admin\AppData\Local\Temp\872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"
      2⤵
      • Executes dropped EXE
      PID:4684
    • C:\Users\Admin\AppData\Local\Temp\leetcrack.exe
      "C:\Users\Admin\AppData\Local\Temp\leetcrack.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe
        "C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe"
        3⤵
        • Executes dropped EXE
        PID:1172
      • C:\Users\Admin\AppData\Local\Temp\portmonitor.exe
        "C:\Users\Admin\AppData\Local\Temp\portmonitor.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1620
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Webnet\x9qTsv13UFeYw.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3160
            • C:\Webnet\portmonitor.exe
              "C:\Webnet/portmonitor.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:668
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n50rkfh2\n50rkfh2.cmdline"
                7⤵
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2888
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB621.tmp" "c:\Windows\System32\CSC9FD4BB9A656348E2B17D4BBDBBBF140.TMP"
                  8⤵
                    PID:212
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W4jR1NG9FD.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5020
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    8⤵
                      PID:2808
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2608
                      • C:\Recovery\WindowsRE\backgroundTaskHost.exe
                        "C:\Recovery\WindowsRE\backgroundTaskHost.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5060
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Videos\portmonitor.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1712
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\portmonitor.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Videos\portmonitor.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:216
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3520
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3432
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\images\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5040
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3564
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\it-IT\cmd.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3420
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\it-IT\cmd.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 11 /tr "'C:\Webnet\portmonitor.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:552
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 14 /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1696

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe
          Filesize

          5.2MB

          MD5

          b86bbb42b26e72a601087f68cda89208

          SHA1

          baca49e35da3b83cd56ba579d61f98e9b137debe

          SHA256

          320eff01b2a5b520853cd9b0c7486b3d9992dce2f9308f267069a60f88f8deb0

          SHA512

          e98dfeb55d6053d6e2ec323f4665b4ea8cdb5bae0807ac70ac5dbb6cf7f3e8e1ba6a2ad099f8232b0e0ca9a738a9baf7d132957fb5d503c78283b229e35ed974

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe
          Filesize

          8KB

          MD5

          068a3a015a2821ab745a03dbae612233

          SHA1

          91c358a556d51466918c76c01ead079a484ce35a

          SHA256

          d87f2189c12aa65a1bd52c1a39d1f14d58753dd76d291eebba32d5a0dde74d67

          SHA512

          d18d483af543ac72a204b076f897fe62284a0479fdb5a407ef69d51588ccc9589465d94f5a4dce6fc3d36ce6667a42d6513e4a05ce2fde7b0794e1745aa0bb9e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESB621.tmp
          Filesize

          1KB

          MD5

          10f5254695da0ce2d559cf3fd3ea97d8

          SHA1

          f6e9858d36244cce59a7cca3cda12b288649ac35

          SHA256

          3a96dca311bac0a5c6bb9e16ffa177fa28455bbefe9fa346438c4f1f73591212

          SHA512

          423f652504d54b9778b920c777d830e7f8c7ff0c9bfba4128f686dd0710a2ed0cb59afeee5ee2824429b1c3b31869633be0feabd318d638c97c2f1f5b78f4ad5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\W4jR1NG9FD.bat
          Filesize

          220B

          MD5

          c0ed47c5717bc7da8718082dffb3b42e

          SHA1

          fb7678f100b7e38b15c5e5ee11d35a1ad1f47aa9

          SHA256

          dad18f0547420046a91f932ee84049558c5561447b59d73c2f686581014cf134

          SHA512

          7c65d2be79d63c4f5d2cb906dc6f7f230051b1e974421ed2539fdf95ff9053602b42735c87b6d6901bcb8eaf1fec090d5dcc7df2bb698620f2c6895b112566af

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\leetcrack.exe
          Filesize

          8.7MB

          MD5

          93144ffd83e528ff8651605be2d2c1a4

          SHA1

          6c661ce690ecd3ecd21c8953e410543fcf8a69ad

          SHA256

          4ded33a5b292e88739e50c25c4db2ec8a4b444b21431f3daba87a2573965bd60

          SHA512

          5236edcac0e56126c0f83eccc930a96548788694e1505ee0f74e77ed41582b1c92573de2fef0bf1e69fa3e9bc355f45f4671a67da66612e1a24b8eb849ea668c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\portmonitor.exe
          Filesize

          3.8MB

          MD5

          3d686dda8f890bef092779bc682dec10

          SHA1

          2e6f12de7a5d4febe798a63b2f8914458741bf7f

          SHA256

          af9b7828f0661720eeaac5931f160f7db17dbf6c1ddcd7020a0c06a4deb2b7d4

          SHA512

          cb32222a74d01de5c99e5096e1e00f86ab54af0db9e6b560b5952de2ab1c654ebde7331e80302dedb387acc7ad7c98eae3748cf3bf2bb78c1d0a5088db881f58

          Download Submit

        • C:\Webnet\portmonitor.exe
          Filesize

          3.5MB

          MD5

          aa6c98cd853bf585a410394fd10817dc

          SHA1

          ceab1865997ae2c6e070a9c6adf6b129cf2ad383

          SHA256

          fc45eebea5ae88160a2ac49fe7e027baeee028c4f4b021794726a04ecea8c90b

          SHA512

          2ada05425dce38fd9fe48c9ceb6a21c59c5e7088274c4445dfde054974f14f8feba5012909c5a75d7932a6bcbb488e38d34d9c970cd61c636ee13abc59e06562

          Download Submit

        • C:\Webnet\x9qTsv13UFeYw.bat
          Filesize

          84B

          MD5

          5bcb417bd38f4db1936b88b262c0f7ad

          SHA1

          d724fa06c67a7740497576d08b2c9b5b77c7eca4

          SHA256

          f4374316bbc474ade932922a7ae28b6ded46b26a39ec4f3d1042b342a9bb9f07

          SHA512

          9706324f2d9ad3e617987927e63a8a1372c18139a465c17ad5ff8a45d21c09b17571f1de7ae98714310d4a7e0a6f8e40d9148c87c93324c9eacd99f0ab2a2e6c

          Download Submit

        • C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe
          Filesize

          209B

          MD5

          1fefc5b72cd89c9f83dcf8a47b254f58

          SHA1

          909c965e493baab2203bac16be714cfb88a75f0d

          SHA256

          7f03a5563b7186e6c6efa09392c843783b9a3375bcfbe29e4b9c8fc6f3032c3c

          SHA512

          5bada5c497c306276c348569995cb254b3e6dcf2a8c10e48eadded26b69e7d5690503b8d9610f46b91a28effbe4be8d7345938d8c59d9f5343186f4d60e526ca

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\n50rkfh2\n50rkfh2.0.cs
          Filesize

          383B

          MD5

          35aa015744c850ee71a7550d613a4ae9

          SHA1

          b545aecaedc8aeaddf7149b56d0b2062d510b5a2

          SHA256

          ef475599eb0699e48cfc312c404caf4f6cb86ba0295cb0a7fcf14fd380af5bc2

          SHA512

          5baa132e8842a954bb3338340a34b0d89b824d4493981ac523769679c0f10fd7c435dcb592944fc1b7396b265728cf426194f095f91dc275ae050fefc669dcd6

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\n50rkfh2\n50rkfh2.cmdline
          Filesize

          235B

          MD5

          633f22c8b70803523370a8bc6665da8c

          SHA1

          c72e952be72eb845ed48266b875a585cbf681ff5

          SHA256

          66f25fcbd27880e0aa4f105f799bdcf747e6490bb85fc62790bb9dca046f152e

          SHA512

          1748b46705c28d22c1bc1615f3572908857b1f2830081742dc9d270308c90ea4f8136bd7f684fe4d42a536e53ff9511429b795ee095ea78494ad69504e0c8154

          Download Submit

        • \??\c:\Windows\System32\CSC9FD4BB9A656348E2B17D4BBDBBBF140.TMP
          Filesize

          1KB

          MD5

          af7c030393a1aa241dbd66ac9c612687

          SHA1

          7700f60d2b4b2730d78f792fd920a19f2df08853

          SHA256

          f7577c92c7a0e06a106d26fe5e9953f1db17612e65844fa4d1098ea7151bfdb3

          SHA512

          aefb89b99596423c7b732165d02f8a020eeecec7cea2bc6ee29966a39e739775f7f7f151bef74b4b83742d3b5ada120d4a9ad65738887b3bf5481afa4ee58d67

          Download Submit

        • memory/668-72-0x000000001D500000-0x000000001D516000-memory.dmp

          Filesize

          88KB

          Download

        • memory/668-81-0x000000001D4E0000-0x000000001D4F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/668-60-0x000000001BF80000-0x000000001BF98000-memory.dmp

          Filesize

          96KB

          Download

        • memory/668-62-0x00000000033F0000-0x0000000003400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/668-64-0x0000000003420000-0x0000000003430000-memory.dmp

          Filesize

          64KB

          Download

        • memory/668-66-0x000000001BF10000-0x000000001BF1E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/668-68-0x000000001D4C0000-0x000000001D4D2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/668-70-0x000000001BF60000-0x000000001BF70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/668-56-0x000000001BFB0000-0x000000001C000000-memory.dmp

          Filesize

          320KB

          Download

        • memory/668-74-0x000000001D520000-0x000000001D532000-memory.dmp

          Filesize

          72KB

          Download

        • memory/668-75-0x000000001DA70000-0x000000001DF98000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/668-77-0x000000001BF70000-0x000000001BF7E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/668-79-0x000000001BFA0000-0x000000001BFB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/668-58-0x00000000033E0000-0x00000000033F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/668-83-0x000000001D5A0000-0x000000001D5FA000-memory.dmp

          Filesize

          360KB

          Download

        • memory/668-85-0x000000001D4F0000-0x000000001D4FE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/668-87-0x000000001D540000-0x000000001D550000-memory.dmp

          Filesize

          64KB

          Download

        • memory/668-89-0x000000001D550000-0x000000001D55E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/668-91-0x000000001D580000-0x000000001D598000-memory.dmp

          Filesize

          96KB

          Download

        • memory/668-93-0x000000001D560000-0x000000001D56C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/668-95-0x000000001D650000-0x000000001D69E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/668-55-0x0000000003400000-0x000000000341C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/668-53-0x0000000003390000-0x000000000339E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/668-51-0x000000001BF30000-0x000000001BF56000-memory.dmp

          Filesize

          152KB

          Download

        • memory/668-49-0x0000000000F30000-0x00000000012BE000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/668-124-0x000000001D9E0000-0x000000001DA2E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/1172-42-0x00007FF7A9A30000-0x00007FF7AA65A000-memory.dmp

          Filesize

          12.2MB

          Download

        • memory/5060-151-0x000000001E600000-0x000000001E64E000-memory.dmp

          Filesize

          312KB

          Download