Resubmissions

  • 12-05-2024 21:19  240512-z6dd9aga9w  10
  • 12-05-2024 21:19  240512-z55gcabc33  10
  • 12-05-2024 20:53  240512-zpcrdsad49  10
  • 12-05-2024 17:09  240512-vn594afe9s  10

Analysis

  • max time kernel: 149s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 12-05-2024 17:09

General

  • Target: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
  • Size: 2.7MB
  • MD5: 69cc2e20ea7a51666b8c14be90441073
  • SHA1: 6a3c7d3267c5c2a679f5f41dff36c091dccfb337
  • SHA256: 958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24
  • SHA512: de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a
  • SSDEEP: 49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Malware Config

Signatures

  • Detect ZGRat V1 (1 IoCs)
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • .NET Reactor protector (1 IoCs)

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file (3 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
    PID: 1460
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 1524
    • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT.CashRansomware
    Filesize: 32B
    MD5: bd3eca1558182c3e0d2bf1545c9b0911
    SHA1: c9374a9c56858efa4aa07fc18d3f1f8b3805b844
    SHA256: 9560a42d610f1ef33281ccc7949b06a0e434ed4f0912baef87a7ba0d2122ae7d
    SHA512: bebb064124c47a8104abc61db58bffceb27d70d40fbfcf6801838d4137ab01410b0532b28ef33753736bb898540407fd3887bf9c7691a1f2d0d74d2f1c859fb6

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.CashRansomware
    Filesize: 8KB
    MD5: a74358620388ce84ed747837b5628d56
    SHA1: f9d7844e20c9ffc1aef1b2e8641ae82a101975b3
    SHA256: 135b37a8f2b98c85068825f0c540a2d6365d52fd09653f5296ea5e363ac9be25
    SHA512: 43912e99eeba61ee83e71791fef11daff14ce0f0967d551ff2198e6b94c8b8ded2abb04d7af82470c47b7080b98c97eaeb54fe57f25cb4b5820ed4666d12e7bf

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JWM3U1DD\desktop.ini.CashRansomware
    Filesize: 80B
    MD5: fd2ae099cb8cca0420796d87f3bbb383
    SHA1: 1584f5af9e965621c6e6ed07b75c21279c137461
    SHA256: 510cf224b690ac7ba4d9cb27bc46615c2549c1ee0bf1ff3b830dcca581dcef95
    SHA512: ee86b26dcb79a3ca7c3f9b6e6d844d5656cc85ac6fb9746ab9b1ba7c627e06489a949308e02b0c2b981c4efd29d034934e4a328c9d20fff230e8fc1bcea9c1f5

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.CashRansomware
    Filesize: 28KB
    MD5: 3a1aee5dfd0569a9455a249920bc809b
    SHA1: dd1d7de32e9896a3f3270c647ef6475189df5a5c
    SHA256: 3e48cd0fc246cbfcb6b988fad30a710d27d47e1cd545a7f50dd7e424b399e20f
    SHA512: 391187492e108b7a9e3c19894cfa36934094dc30b682df3d24d6af3d76f30bec1fa17939d1d71a252f7f00feda5698477caac8c557ef9647b8f510e5193eb465

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\container.dat.CashRansomware
    Filesize: 16B
    MD5: 56afdd0f57cb37aa709d588c3a636e8c
    SHA1: cdd487836ca1753d2845a83bc72bef071d945393
    SHA256: 2524b5377dcebf395f8a74fcc5819a7829192afbb828d9ce1e078cd6977ced21
    SHA512: 4f9531ec57cb156ad0b06274c9068ded2d9ffa4014c1d5992a412cc48bd364ab9d924c332e391be3e3f06f960ed40cd1e7ee1c28e0e73e615a964f780dea7af2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware
    Filesize: 48KB
    MD5: f3c6eed8bb23ce316d84e68929e4fb96
    SHA1: acd15418795cd5f115e27e7b54444f63e4d08e0e
    SHA256: 2a993d0819e18bf334932b7b7a79b1454660e9c273e3f5364c22fae489742a3a
    SHA512: 519f9b88b185d058b8453577a1a259e61c5e39f991977b14b435ce97ef4d0b978ed567dd1173d69c0e462f09ad5c0bd78234caed3d9898962356795f0465a37c

  • memory/1460-0-0x000007FEF5773000-0x000007FEF5774000-memory.dmp (Filesize: 4KB)
  • memory/1460-2-0x000007FEF5770000-0x000007FEF615C000-memory.dmp (Filesize: 9.9MB)
  • memory/1460-1-0x00000000011D0000-0x000000000147E000-memory.dmp (Filesize: 2.7MB)
  • memory/1460-1234-0x000007FEF5770000-0x000007FEF615C000-memory.dmp (Filesize: 9.9MB)
  • memory/1460-1235-0x000007FEF5773000-0x000007FEF5774000-memory.dmp (Filesize: 4KB)
  • memory/1460-1236-0x000007FEF5770000-0x000007FEF615C000-memory.dmp (Filesize: 9.9MB)
  • memory/1460-1237-0x000007FEF5770000-0x000007FEF615C000-memory.dmp (Filesize: 9.9MB)
  • memory/1460-1238-0x000007FEF5770000-0x000007FEF615C000-memory.dmp (Filesize: 9.9MB)
  • memory/1460-1239-0x000007FEF5770000-0x000007FEF615C000-memory.dmp (Filesize: 9.9MB)