Overview

overview

10

Static

static

10

958ccd8e8d...24.exe

windows10-2004-x64

Resubmissions

12-05-2024 21:19

240512-z6dd9aga9w 10

12-05-2024 21:19

240512-z55gcabc33 10

12-05-2024 20:53

240512-zpcrdsad49 10

12-05-2024 17:09

240512-vn594afe9s 10

Analysis

  • max time kernel
    24s
  • max time network
    25s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 21:19

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

  • Size

    2.7MB

  • MD5

    69cc2e20ea7a51666b8c14be90441073

  • SHA1

    6a3c7d3267c5c2a679f5f41dff36c091dccfb337

  • SHA256

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24

  • SHA512

    de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a

  • SSDEEP

    49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Score
10/10
zgratransomwareratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
    "C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1484
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39d3055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\metadata.CashRansomware
    Filesize

    16B

    MD5

    79853e83c872257de36cf748e27bfb69

    SHA1

    26036c5b92cdf768e09f5244217f4cddf151a002

    SHA256

    e5a2231886c69f85a2598b676343ca6a0626689ca8ef2373750057cf30616a2d

    SHA512

    df855c85a02b022c5fec21f4aa177dbfb383ecae511125126171bfd824ad3c26e6b58278d91e4a3e8c83e12e5430508cae3039d072d8516662361fdeb93bc1f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.CashRansomware
    Filesize

    32B

    MD5

    9c835a60221d734447ed46ee429aa132

    SHA1

    6b5b582316b7d41ddaf23150e73d7ed9cf3cd5e2

    SHA256

    ce776195adb1e1f71a1ae7dfadcdced31a607892c1663d7497f02b38de4bc1ad

    SHA512

    793abec67bc451bb79d29d5d4d58e3f49edc7fbd11c10e5db68715b413658a24f667f6c546032972702779b42065de6e53c716a710540e4f57a5498eeac69d18

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.CashRansomware
    Filesize

    48B

    MD5

    f3cea99c523125da7003813d4cdade20

    SHA1

    6a3ad7280effa568e686088ae39e70097357e4ec

    SHA256

    2403d0de053761b95f4546f30f33e20b26f5b51ad0e38134f779861d45bc59fe

    SHA512

    8482ade10ffd602d3bcd9b106a75afec65558095a4707bed973aa7bc73f1c4c5712da20b47ad356b602cba46a7ca34af9985080e36cf3bf72988d77e056620b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2.CashRansomware
    Filesize

    8KB

    MD5

    b9c5c452ba72a40cd172ee9c4f40863b

    SHA1

    541369a7c9e64d25c2b721c0d2123051ff434aed

    SHA256

    8b1e3a20690e2c0f00c1a30f349fa5fc2acabf5a74ede13408570c721ed29df3

    SHA512

    d431b275f8b15d84ba98d526c19a791a25dfaca8acf502cd6a9b4fb296d8fd627d81a964dfcf1b31c71ed5dccbd57e7d4c204f2e23464b44d8ad9eb3e928019c

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0.CashRansomware
    Filesize

    8KB

    MD5

    22383d247764037f74389d83d124b282

    SHA1

    270becc78fc3174d17055f18595a36f1dda0dc40

    SHA256

    305fe0b4a8890d6768b10405b9bf684f894c62ffd9931e809345ad3af76bac03

    SHA512

    a46a0a04ce295e0b6e9cce3a890930dfc7cf1012233e1a7168c9508b321c2da61b1264259c521876637d04a48e0a21c42cb71ecffb7576c4100ec713f5ceaba0

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.CashRansomware
    Filesize

    264KB

    MD5

    e27d3024affe499ce85bb6d6692175ad

    SHA1

    a11c4e562992f83f448f5528dbf6c4d81a617012

    SHA256

    c36d86248abb179c5b46a1b80931c8b4d328bdf39126f47827c9280babc5fcba

    SHA512

    e1a35a954f622530490e96d07edb823ce9e1728da51ee1ddfab70df6d0cb2579f405f9eaf42b3b136b71de65cf4be8b044836c4b06cd3923460f4c856d1c1884

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3.CashRansomware
    Filesize

    8KB

    MD5

    f80955f82c2fdfcee515fc79ed9ee55f

    SHA1

    b392578ee421a63778f111a6c1f697427ba7d77c

    SHA256

    35a3ac4907570d9759214a700fab6ba6125159ccc7ccabf3d215c4a09c9f1931

    SHA512

    48c839880645d97ab31e3569d771d1c127021d28b9f7f8cdcafa0cf1c69d34875bdc7a059fde99c5f57034c6a2a989c0a2770074aaec8c8699e53dc7dcc568c9

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.CashRansomware
    Filesize

    8KB

    MD5

    a916a2ed5296cbb5bc88f768c61c4077

    SHA1

    c293eb7b55ef2a795fdfa49d2a9e7016963c6a48

    SHA256

    070ba16cc4c6015f0aa391d8fc994d15a7068e25c98da5d29b5a1eeba0282a08

    SHA512

    39f50febb94936a433528ef460ac3575b2408c464bae514f853e303efe6f77730f407866760ae2943fad9e930f3a0765ae4e9c77a61f8ab21840592c272ba155

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.CashRansomware
    Filesize

    36KB

    MD5

    67edb120dbe1f8432119f9aee73232ee

    SHA1

    75c63d650da267a538b0c20bcd45967dd61a6a31

    SHA256

    d34b795b3bd4342774e2e999d2cd50e953172ee23f40dc3eaa9089f14f22571f

    SHA512

    38a65ef6de396129ba2bdd705729d181534756dfcf6aef29dfa96759e7b9dc5a03fd7c05ee5060da50b9a85f860651adb3cbb3e83304a6d88ddfbd8be26017da

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.CashRansomware
    Filesize

    36KB

    MD5

    75dabcdb574ef135b9aa9f9668a0882a

    SHA1

    400fb4cf5821f46ebcb0a6f6eb149f6f899e23bf

    SHA256

    9875912a0856e5a1716b3783be4786f0e910c6b2b09e3a9eda77fa24cdaf1d29

    SHA512

    89339fc1b05460295d392e84122d9957903d60ef3ccb285561fd7ba23555e6334f3fa78dca0d8a987041b103cadc9a72620ea11933ab4cb5967e1c785f18e561

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{4f7bbdca-2df1-4113-a6c2-26f2463e08c2}\0.1.filtertrie.intermediate.txt.CashRansomware
    Filesize

    16B

    MD5

    169b715b0adbd0a28f46b8014453d0db

    SHA1

    28120ebbfd421c011ea975ee597e3141b022c233

    SHA256

    783479b76139ed7743621de2cd125084030947c34714c70286b5f82acece14f8

    SHA512

    fa655bb69effa3def75e9fbab2d3127f800a95369abfe7ef6117973dd2da74cb5ac624c45b047c29c6e0d02b0c8c62c5cb628a285e33b43d0ba8e3d2b15f78d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{4f7bbdca-2df1-4113-a6c2-26f2463e08c2}\0.2.filtertrie.intermediate.txt.CashRansomware
    Filesize

    16B

    MD5

    9b866b70036bd7ec803dbffacd5e99cc

    SHA1

    f79eb9f935e297a3e83d156aad097d21d2efd5e4

    SHA256

    182db389f70ca1c46bd8c38987494507e1e971def08aca0a58239219afb55b73

    SHA512

    f249428b62bfcbb409e942f6a035fa9d0866a49c41259c68fa66642cd0797a88d8a5b949e2dc58cec7ee6939a6e5447d4e9b25ffd970f1215463e753cd858147

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596439082960180.txt.CashRansomware
    Filesize

    77KB

    MD5

    6bed26731019518f947e26072384e4cb

    SHA1

    1bc966cb77d858704b3cb02e5d6f1f4c4314e241

    SHA256

    accbe5dfb383add584501cad1a752e946712a3c2b36f6b0a48a6f3883c3db61c

    SHA512

    b52293754cc41409e11971e7e8ed77ff01c6e8afdd18283f95ccb0edfb56313d76faae39c2cf2b80ae2157aea5c94402f4140752f59ea0815ca86cb6e12889a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596440369039129.txt.CashRansomware
    Filesize

    47KB

    MD5

    60ac401466953c8d56c1a93f06278e83

    SHA1

    92bc15bccbc42e89397e1455bccc8cfc2402f524

    SHA256

    23da61408b3df7f77c682d58eb38ab55cb2c05c3042e57a3cc96b9950be8fd47

    SHA512

    a01e6ed09fa626d35451cd9656425ac57a9d3f68cd50277461d64109a2c91a19618127711566bb6f3e6cffc70a61aa474eb218c97c8f74c9f69a7d73c7096fa5

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596447416703473.txt.CashRansomware
    Filesize

    66KB

    MD5

    eb4d3a44983c1756a1507a306ab9bf5d

    SHA1

    96706cbe742095681e800abace0c12978968458e

    SHA256

    98cca166ef678686800fd01268063772cb35457dcf892a320f2b5d590e0b7b6f

    SHA512

    4911a1b2f5ddff00eb57fbb6461cc61b9eaaddef262e8d12cdacdd8248fa4e8dc752aed9f2613906c5ef6cbd7be9f9cd5415411fc8787f8855e54bcca28fe106

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133596472244321448.txt.CashRansomware
    Filesize

    75KB

    MD5

    e13fdced92ffa82bdd4acaacbace68dc

    SHA1

    94a6dce51d2f78a0baa0c635186a0e7904640fe6

    SHA256

    1cd6e7da78d7b92c2b6b15af27292929e58af31946d3bfb10830913ad1ddbbb9

    SHA512

    85dc433df757078a9968f423e138649d5caa28960c24d0a3d292efa3a7bbb599e4edf3c688f5b7dc8237e42c0489e7bbfc7b8ab4c2a7060bed7109716765f916

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\e6zhegwu.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware
    Filesize

    48KB

    MD5

    b47cecc022848f402d237064f7f2d191

    SHA1

    82bbce601b20fec9b1bb550f2f1ecc0508952d7b

    SHA256

    770438733ebeda96b72b99b44035b1d460452b9de9f2549a1688983dccad64bc

    SHA512

    32e7b96fa3370ae1b6ebb0e34e140a0e59497ff55fff585af4b9eb858364d0a9b93d7bb2c0aac039fb6b40a1f77815b6f9706dd58d32f9d84355113c10316c32

    Download Submit

  • memory/4624-1674-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4624-2-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4624-0-0x000002681B410000-0x000002681B6BE000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/4624-1-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4624-1675-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4624-1676-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4624-1677-0x000002683C780000-0x000002683C942000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4624-1678-0x000002683CE80000-0x000002683D3A8000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4624-1679-0x00007FF9F8B43000-0x00007FF9F8B45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4624-1680-0x00007FF9F8B40000-0x00007FF9F9601000-memory.dmp

    Filesize

    10.8MB

    Download