Overview

overview

10

Static

static

3

776e97dad3...43.exe

windows7-x64

10

776e97dad3...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    776e97dad3071bc1fd1ac1365cf8c743.exe

  • Size

    3.3MB

  • MD5

    776e97dad3071bc1fd1ac1365cf8c743

  • SHA1

    8661945484491a1275f34acb663f5bbcb2eb8bad

  • SHA256

    94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a

  • SHA512

    1bc6ea4cc03bb52df6c2ad119cddc78a9c35135e6449340fd16262e6940f82f587931c668431253f2c94d41daac0171e8674a450c4d47bc9da23f2f10f2aab7e

  • SSDEEP

    49152:2J/vzMuPb1xYthdEnupRPapi78CPOLldtp0ISpBRKXgifKLxoguTms/bQNJNQMdO:svzXPsbnwIOLlLBSpBK2u7GQMxoQ

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\776e97dad3071bc1fd1ac1365cf8c743.exe
    "C:\Users\Admin\AppData\Local\Temp\776e97dad3071bc1fd1ac1365cf8c743.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe
      "C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Users\Admin\AppData\Local\Temp\мой билд.exe
        "C:\Users\Admin\AppData\Local\Temp\мой билд.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4424
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\surrogateFontWin\eZnqBD8zv5t5.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4328
            • C:\surrogateFontWin\surrogateRuntime.exe
              "C:\surrogateFontWin/surrogateRuntime.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3456
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:5056
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:1348
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    8⤵
                    • Runs ping.exe
                    PID:2256
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp48A2.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1596
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:3624

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp48A2.tmp.bat
      Filesize

      171B

      MD5

      9a294a350ba40f7bec48f5f1a7e1c748

      SHA1

      0af2e2e567a5fa1e897b79d104ab7156c3870eca

      SHA256

      0ec650c14fcfd4fd89ae741250497170e92555f3b3d56c364f34ce46fc7dc5fc

      SHA512

      96944a8ed624e6514210b5e47efac492c85b79bbb713a07043c43bfa0722c7136503c59d11a0532ff702094017760449ff04f8acf7352b2b8fc1ad4cd6ebd138

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat
      Filesize

      172B

      MD5

      1ba6dd6f8ba42f5c4e85b9989b6dd8f3

      SHA1

      6f036c79359c1cb15663db07898551715aa20c09

      SHA256

      6bba1868a9786d76e242efb2bf7f3204e5ad05047f48d33ae71c7974257d5b53

      SHA512

      4a2f17ad5826b5b3c600f5a3589b16c4bf116c2cd415fe1c0b4c3f57b1dda4e904e83c7bc42ddf0a2f4ae87d2537463d7579690d2c31fb27c6e506116d9828c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe
      Filesize

      3.3MB

      MD5

      ea5beba042215b6e29432b37f6269a53

      SHA1

      b85803cfaa70f9ba75b8ec6b38c22a7322561909

      SHA256

      3a2445fac1e43838a0164e12ad98eb327f4441e0709f262858f54da828401d96

      SHA512

      92c7032e8c04ab33a1b1d0261a90f0a9416659967e94673297058ae58e0304ba6007ca224ec346d951c3cf058ded1617b1788d8662cdeefe10ef6cfdbfa8c997

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\мой билд.exe
      Filesize

      3.8MB

      MD5

      c7579b5e1166c0739f8595afaa66d29b

      SHA1

      b5f959fbe2a6c75deeb5a56cd585a0ccfdeacee6

      SHA256

      2b2e9731f7ef4f76d1c692afe23cd7f97d4da7652a37707455afb34b71559a50

      SHA512

      0d648ad038437a24f92962694fa9a26c3966f7b5a9f5f4b0ef8246526bb07e0d51931b0a27354529bb81f659eb2bbb12aed144969ef941c2ecdc38447c3887c5

      Download Submit

    • C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe
      Filesize

      207B

      MD5

      b622102857a2b174415567293088eb1a

      SHA1

      50c10da6de8894ce5e5bca5eace088e57f9445d8

      SHA256

      bc1c46785a1ed27d6b9850f641a63e27e2f7614b9b243a3781a3d6c4a6458b91

      SHA512

      ce72597fa7ff246ec205e8f4da30e8849a1793bd81fe95f36fd992245ef5077e97ae854a1cee0d9eff53383208d57572f74d0da3e1ce858aeaf033800d82c9fc

      Download Submit

    • C:\surrogateFontWin\eZnqBD8zv5t5.bat
      Filesize

      87B

      MD5

      87df721837805b4b316c6c91c33f3084

      SHA1

      d4c49ec3c7a3530f85f96442bb21fb5a3506c6d5

      SHA256

      1e2015066d2a71a19bdd1c4612a9bce1e8b6d56fdcf7c41b1a31a03a94f63cd1

      SHA512

      b8f1e4dc22215394b2d695dec46f08110c4e2a4d7ad002dc3b2ceb1cae8a1219b22f4b81b7da3daf83906b67510a2d9946ded01a6b6fa8a17f039dd83d0fb545

      Download Submit

    • C:\surrogateFontWin\surrogateRuntime.exe
      Filesize

      3.5MB

      MD5

      6ccd894282898ca369a424ff8f69427d

      SHA1

      d610cba5e272ac6de433301f558046ef4f611921

      SHA256

      4a76d24957664dfef3e7653fcbcd55da1e93b5f50344903d1ac31e49bbd51012

      SHA512

      40c748f1b5981e775849bfe74879d82d29f580ea0d82c2f428abfdf10ab120c672ed1660ed6b7b29545ed5ae576c96be7115b6cb43bf2121989cb2df822a835f

      Download Submit

    • memory/2680-16-0x00007FFA54790000-0x00007FFA55251000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2680-17-0x0000000000170000-0x00000000004C8000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2680-18-0x00007FFA54790000-0x00007FFA55251000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2680-30-0x00007FFA54790000-0x00007FFA55251000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3456-50-0x000000001BC80000-0x000000001BC9C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3456-67-0x000000001CA70000-0x000000001CA86000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3456-131-0x000000001D510000-0x000000001D5B9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/3456-44-0x0000000000CC0000-0x000000000104E000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/3456-46-0x000000001C660000-0x000000001C686000-memory.dmp

      Filesize

      152KB

      Download

    • memory/3456-48-0x000000001BC50000-0x000000001BC5E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3456-51-0x000000001C9E0000-0x000000001CA30000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3456-53-0x000000001BC60000-0x000000001BC70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3456-55-0x000000001C9B0000-0x000000001C9C8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3456-91-0x000000001D510000-0x000000001D5B9000-memory.dmp

      Filesize

      676KB

      Download

    • memory/3456-57-0x000000001BC70000-0x000000001BC80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3456-59-0x000000001C990000-0x000000001C9A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3456-61-0x000000001C9A0000-0x000000001C9AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3456-63-0x000000001CA50000-0x000000001CA62000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3456-65-0x000000001C9D0000-0x000000001C9E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3456-90-0x000000001CDF0000-0x000000001CE3E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3456-69-0x000000001CA90000-0x000000001CAA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3456-70-0x000000001CFE0000-0x000000001D508000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3456-72-0x000000001CA30000-0x000000001CA3E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3456-74-0x000000001CA40000-0x000000001CA50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3456-76-0x000000001CAB0000-0x000000001CAC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3456-78-0x000000001CB20000-0x000000001CB7A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/3456-80-0x000000001CAC0000-0x000000001CACE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3456-82-0x000000001CAD0000-0x000000001CAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3456-84-0x000000001CAE0000-0x000000001CAEE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3456-86-0x000000001CD80000-0x000000001CD98000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3456-88-0x000000001CAF0000-0x000000001CAFC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3900-15-0x00007FFA54790000-0x00007FFA55251000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3900-0-0x00007FFA54793000-0x00007FFA54795000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3900-3-0x00007FFA54790000-0x00007FFA55251000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3900-1-0x00000000009A0000-0x0000000000CF8000-memory.dmp

      Filesize

      3.3MB

      Download