Overview

overview

10

Static

static

3

776e97dad3...43.exe

windows7-x64

10

776e97dad3...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    12-05-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    776e97dad3071bc1fd1ac1365cf8c743.exe

  • Size

    3.3MB

  • MD5

    776e97dad3071bc1fd1ac1365cf8c743

  • SHA1

    8661945484491a1275f34acb663f5bbcb2eb8bad

  • SHA256

    94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a

  • SHA512

    1bc6ea4cc03bb52df6c2ad119cddc78a9c35135e6449340fd16262e6940f82f587931c668431253f2c94d41daac0171e8674a450c4d47bc9da23f2f10f2aab7e

  • SSDEEP

    49152:2J/vzMuPb1xYthdEnupRPapi78CPOLldtp0ISpBRKXgifKLxoguTms/bQNJNQMdO:svzXPsbnwIOLlLBSpBK2u7GQMxoQ

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\776e97dad3071bc1fd1ac1365cf8c743.exe
    "C:\Users\Admin\AppData\Local\Temp\776e97dad3071bc1fd1ac1365cf8c743.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe
      "C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Users\Admin\AppData\Local\Temp\мой билд.exe
        "C:\Users\Admin\AppData\Local\Temp\мой билд.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2612
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\surrogateFontWin\eZnqBD8zv5t5.bat" "
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2480
            • C:\surrogateFontWin\surrogateRuntime.exe
              "C:\surrogateFontWin/surrogateRuntime.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1488
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1936
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:2888
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    8⤵
                    • Runs ping.exe
                    PID:1572
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F42.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:2188

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat
      Filesize

      172B

      MD5

      3c80a2f72594a1aaad3eb9f3326fa018

      SHA1

      d8c2871205a7fbabadbd93bde2ca2ba6c5984fed

      SHA256

      4499cdabf1dfdfad772c0adabdac341f697366570b0b3c0ea7f4d5280641368c

      SHA512

      104f4efa9f01abfd6568c695298c8144cc1e4f92bc65475f58484d896956b08eadd3c956dd570c53ffa87f99a599c24cdcef7cc3b6eac309ad9805f895d2850f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp3F42.tmp.bat
      Filesize

      171B

      MD5

      c36fb8a920e36a4dc8cc8823e7bd2854

      SHA1

      76f71bb98209d46abb2ef20517a5e67ffd72e688

      SHA256

      32cbcd9faed1efd9a46947d9ee8e575592ef9e53fcd14386eb883fec93678721

      SHA512

      c6a76bdf94ad738c3468d151ecfdc447bdfe6ac0192c1b019060a8f074d5ff0fa3adcf07b514b2c66987c3b507669bf6ba33dbb3282fe1e0810d7b33937e754c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe
      Filesize

      3.3MB

      MD5

      ea5beba042215b6e29432b37f6269a53

      SHA1

      b85803cfaa70f9ba75b8ec6b38c22a7322561909

      SHA256

      3a2445fac1e43838a0164e12ad98eb327f4441e0709f262858f54da828401d96

      SHA512

      92c7032e8c04ab33a1b1d0261a90f0a9416659967e94673297058ae58e0304ba6007ca224ec346d951c3cf058ded1617b1788d8662cdeefe10ef6cfdbfa8c997

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\мой билд.exe
      Filesize

      3.8MB

      MD5

      c7579b5e1166c0739f8595afaa66d29b

      SHA1

      b5f959fbe2a6c75deeb5a56cd585a0ccfdeacee6

      SHA256

      2b2e9731f7ef4f76d1c692afe23cd7f97d4da7652a37707455afb34b71559a50

      SHA512

      0d648ad038437a24f92962694fa9a26c3966f7b5a9f5f4b0ef8246526bb07e0d51931b0a27354529bb81f659eb2bbb12aed144969ef941c2ecdc38447c3887c5

      Download Submit

    • C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe
      Filesize

      207B

      MD5

      b622102857a2b174415567293088eb1a

      SHA1

      50c10da6de8894ce5e5bca5eace088e57f9445d8

      SHA256

      bc1c46785a1ed27d6b9850f641a63e27e2f7614b9b243a3781a3d6c4a6458b91

      SHA512

      ce72597fa7ff246ec205e8f4da30e8849a1793bd81fe95f36fd992245ef5077e97ae854a1cee0d9eff53383208d57572f74d0da3e1ce858aeaf033800d82c9fc

      Download Submit

    • C:\surrogateFontWin\eZnqBD8zv5t5.bat
      Filesize

      87B

      MD5

      87df721837805b4b316c6c91c33f3084

      SHA1

      d4c49ec3c7a3530f85f96442bb21fb5a3506c6d5

      SHA256

      1e2015066d2a71a19bdd1c4612a9bce1e8b6d56fdcf7c41b1a31a03a94f63cd1

      SHA512

      b8f1e4dc22215394b2d695dec46f08110c4e2a4d7ad002dc3b2ceb1cae8a1219b22f4b81b7da3daf83906b67510a2d9946ded01a6b6fa8a17f039dd83d0fb545

      Download Submit

    • C:\surrogateFontWin\surrogateRuntime.exe
      Filesize

      3.5MB

      MD5

      6ccd894282898ca369a424ff8f69427d

      SHA1

      d610cba5e272ac6de433301f558046ef4f611921

      SHA256

      4a76d24957664dfef3e7653fcbcd55da1e93b5f50344903d1ac31e49bbd51012

      SHA512

      40c748f1b5981e775849bfe74879d82d29f580ea0d82c2f428abfdf10ab120c672ed1660ed6b7b29545ed5ae576c96be7115b6cb43bf2121989cb2df822a835f

      Download Submit

    • memory/1488-67-0x0000000001150000-0x0000000001160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-57-0x0000000001130000-0x0000000001142000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1488-83-0x000000001B4F0000-0x000000001B53E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/1488-81-0x000000001A9F0000-0x000000001A9FC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1488-79-0x000000001AA10000-0x000000001AA28000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1488-77-0x000000001A9E0000-0x000000001A9EE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1488-39-0x0000000001220000-0x00000000015AE000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/1488-41-0x0000000000C10000-0x0000000000C36000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1488-43-0x0000000000A40000-0x0000000000A4E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1488-45-0x0000000000C40000-0x0000000000C5C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1488-47-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-49-0x0000000000C60000-0x0000000000C78000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1488-51-0x0000000000BF0000-0x0000000000C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-53-0x0000000000C00000-0x0000000000C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-55-0x0000000000C80000-0x0000000000C8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1488-75-0x000000001A9D0000-0x000000001A9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-59-0x0000000001110000-0x0000000001120000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-61-0x0000000001200000-0x0000000001216000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1488-63-0x000000001A9B0000-0x000000001A9C2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1488-65-0x0000000001120000-0x000000000112E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1488-73-0x0000000001170000-0x000000000117E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1488-69-0x0000000001160000-0x0000000001170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1488-71-0x000000001B440000-0x000000001B49A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/2236-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2236-8-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2236-1-0x0000000000080000-0x00000000003D8000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3004-10-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3004-7-0x0000000001340000-0x0000000001698000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3004-9-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3004-24-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

      Filesize

      9.9MB

      Download