Analysis

  • max time kernel
    107s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-05-2024 09:47

General

  • Target

    PSDUPE2024.exe

  • Size

    2.0MB

  • MD5

    2d05bc27aa2615cf6e2c9511234d8a66

  • SHA1

    4ae44f4c518302a51f745d6ca36e8f4c501bb9e3

  • SHA256

    294cbb78a81c7e183d683023389ef164c44b018bb5c033082fffd37e5ff1a71e

  • SHA512

    c94077299b22dab65f60fca308dc074ade9262b256e693267b8dccbbd12ae702a63202c43854196b49b9f7de233614dc49a08d41dc98264970fffe4f8ea4fd62

  • SSDEEP

    24576:2TbBv5rUyXVWciyxcGgPmGJ5CNvo3h9Uzt/RUr0YOnWiqj+7A/X0Vp6W5GuqSD53:IBJWsgB2yoQ4k/ECW5Gu5xdGjPIT99

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PSDUPE2024.exe
    "C:\Users\Admin\AppData\Local\Temp\PSDUPE2024.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\websvc\LegP3y2soeCNnL8HdRY.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\websvc\y9ztcmF5ctLA82LeTg.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3784
        • C:\websvc\BlockDhcpCommon.exe
          "C:\websvc/BlockDhcpCommon.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bc4mkOKCT6.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4188
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:968
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                PID:5008
                • C:\Program Files\7-Zip\msedge.exe
                  "C:\Program Files\7-Zip\msedge.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1276
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3668,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
        1⤵
        PID:3748
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\gandon.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:1520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Bc4mkOKCT6.bat

    Filesize
    209B

    MD5
    e2d5655f8542b0fdbff84ced0da07048

    SHA1
    3f12ead48d42ad2fd8d79aba4f2d3b471e8508fa

    SHA256
    8ef7701cea917f752d8232048095c76ea284c72e52fd56c1891e70b979fec7ee

    SHA512
    970f0a21a986a45eac0e5ca55361b5c7ef5741f3c42f66a9ae1788d696e69dab9ac2e1885675a77efa3589522fa6373a601c87bedb3e93a5496fbe9572b37aaa

  • C:\websvc\BlockDhcpCommon.exe

    Filesize
    1.7MB

    MD5
    7c12d48df8f08a95701197c514269a50

    SHA1
    4f99360c54ad2cce0afe14ddb37697f6777795c8

    SHA256
    6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

    SHA512
    37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d

  • C:\websvc\LegP3y2soeCNnL8HdRY.vbe

    Filesize
    203B

    MD5
    1e98c1f7a591cf59345967aceba3f2a6

    SHA1
    5a21ad8148646b4eb1caef820030a6c434ae5c83

    SHA256
    91161275b8ff2d123c7a002e69be6a08a32668e484d6435cbd2b5b392cbeb0f7

    SHA512
    37b23746d8d126a1a5066849b6fe8c23fc6a4a13863e0332505e7326278f3ee57cbc764f105fa2cd532a3530fa1e3da99c98c6394e61da3b7e9a1cbd4cd1fd06

  • C:\websvc\y9ztcmF5ctLA82LeTg.bat

    Filesize
    72B

    MD5
    0cee51099cbfa8470b3b3a2ca45afeef

    SHA1
    1e010e1f08364ad45de1952105875aeaa099b217

    SHA256
    d091e51f562c2aee640cedb882f3c5f93bbb6df7a52887ae2b6ec26fcfd2e90d

    SHA512
    7b35d78e7e70a2cef4c9d85c542a37c855aed47f7dac84fc20710c936d76e72d00cb2b9dd62550eaf09fc91ea328c19bd5bc692166eade6691a9fee94b273573

  • memory/1400-12-0x00007FFBF8973000-0x00007FFBF8975000-memory.dmp

    Filesize
    8KB

  • memory/1400-13-0x0000000000DA0000-0x0000000000F52000-memory.dmp

    Filesize
    1.7MB

  • memory/1400-15-0x000000001BB60000-0x000000001BB7C000-memory.dmp

    Filesize
    112KB

  • memory/1400-16-0x000000001BD00000-0x000000001BD50000-memory.dmp

    Filesize
    320KB