Resubmissions
13-05-2024 22:03
240513-1yc9ysga66 1013-05-2024 21:55
240513-1svbaafb7s 1013-05-2024 21:49
240513-1pmf9sff48 1013-05-2024 07:47
240513-jmr6asga64 713-05-2024 07:44
240513-jksn2sch3w 712-05-2024 10:52
240512-myqy6abg9x 711-05-2024 13:06
240511-qcaxlaca29 311-05-2024 12:19
240511-phhzqaaf23 311-05-2024 12:07
240511-paandaab47 3Analysis
-
max time kernel
145s -
max time network
155s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
13-05-2024 22:03
General
-
Target
Loader.exe
-
Size
347KB
-
MD5
1cb742cb95699d994e1cc6810c6f7642
-
SHA1
103ea603322859742a3e51c5e517a927b9dcd40c
-
SHA256
c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70
-
SHA512
79f9a70232b3470ef9386d9b3d987b5370d0562959315d8239509000a1aa9274b13cecc4c6c871cd4d258a0cd19d30574e3280edd54fb108b6ffca7d8c7e4795
-
SSDEEP
6144:RrwFDD0tZzmf7GxMLEYaEzE2d9JK5/J1pZKM35QM6KkfiruhbOuzB:Rg07e7seE2dK71rKu5Q6kfirIbOuF
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Checker.exe"C:\Users\Admin\AppData\Roaming\Checker.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- Modifies registry key
-
-
C:\blockcontainerWincrtdll\Sessionperf.exe"C:\blockcontainerWincrtdll/Sessionperf.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mqbym0tz\mqbym0tz.cmdline"6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB565.tmp" "c:\Windows\System32\CSC50C50C304CE24AFDBE6F258F9A6F2348.TMP"7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\csrss.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\OfficeClickToRun.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\legal\winlogon.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\sysmon.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9RFiL1KRB6.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\blockcontainerWincrtdll\csrss.exe"C:\blockcontainerWincrtdll\csrss.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\blockcontainerWincrtdll\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\blockcontainerWincrtdll\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Documents\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Documents\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Documents\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk-1.8\legal\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\legal\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\legal\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5437395ef86850fbff98c12dff89eb621
SHA19cec41e230fa9839de1e5c42b7dbc8b31df0d69c
SHA2569c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6
SHA512bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD505b3cd21c1ec02f04caba773186ee8d0
SHA139e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb
-
Filesize
212B
MD530569074b8cdebc701bed7eb6649f648
SHA1ccd099dfcb690e83697df63dd2fdae0026d13941
SHA2567bd7d5da656800ceb966157ae1e35d09c875f1a9f0340d69de98523d6261288e
SHA51215ad50d78705a74144c165ca5c2989e1b74d096f747eb38de1c34cfae7163c30629a45c16a548c4051961d245087262d465f18e4ebb41cacb791282cfce267cb
-
Filesize
1KB
MD5d557e0b84b9236fccb952a94a515cac6
SHA1712f98d3ee76eef4b6074bbb2bbf42168628ab48
SHA256d5fe2f46bf1e771a79dc0b8060fe96ccb7f3ef0ea654800c988659f777b5c60f
SHA512cd7d5fa83a9874a62c99f7e10ca9f65668df8339f474b62d72ef5fd0cb74e3146c1d5b99ea9691d1386e8d2098fc27b82eda482921ae770f8036916869b8049d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.9MB
MD51003b37d9d942d41a38a83670eaa285c
SHA1a4ee7ef69fc681caf1116d59578667abb9080ad6
SHA256d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae
SHA5120c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a
-
Filesize
228B
MD54f702b152f4098393712e3fe99b04fbd
SHA1fec2f913e1fac5053127e175f1ba048c9d8dd25c
SHA256f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2
SHA5127c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf
-
Filesize
3.6MB
MD5bf0f63bb48eb95aaec6fc6a001c974ce
SHA119baab2b0c129ecbd6a1aa21bada3e2e5cdd1136
SHA256bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc
SHA512130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c
-
Filesize
201B
MD5159297f9e35114bf97d74622097780d8
SHA12aaaf993b9ecb9bae43ccd41585734512ff08355
SHA256650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81
SHA512a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69
-
Filesize
368B
MD5597078e7f2f6b312e26e1b388e9144f8
SHA11822584631d623218a95255385e09bcc2d9379bd
SHA256e8b291f42fe1090c67bc97fd7053f48a2eee6f49efb7dbfa32908c3eb5b1cd8f
SHA51202dd997ac5e455588ecb6f961f28ea322c98aa3a31806afc992366442304f5000633e0fe518c8a2d13ed1ac9aac449f223100c7a05c0a5ccfd788ddddd84bdbc
-
Filesize
235B
MD5757033546c5b7a1f03ba59e8c577ac37
SHA17f358a9c316f41c26cae2576f42f8eee17c05c36
SHA256d4a6b2044c3d6e9b825b38d5393e5fd17d8e6448b92f5ff7f9628900426520f2
SHA512428a934dfa0b4796374f28667929d7128aee9b319a46ca24404fc17060ad2ea1fb2eaa5a5130b9c09bcad465d1d0b3223553158db1e04765442a21b1c09bd88c
-
Filesize
1KB
MD51a502a1fc30970b31463301991b83663
SHA1e0bcd847edd6234a49ececfb30e2b72ba342937a
SHA256bb5f44725fee83456522fbbc02e8728cd273403428753bce8aedcc411f08fcc3
SHA512a583e7c099d0c1ccf0c7f005da315001dd35ae5a16ecc11a296da1bf9da25e0b595202b571a001b39bb7545cdf7e93d4d6d6883572ddb54b07ce1ea1572f5819
-
Filesize
320KB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
312KB
-
Filesize
856KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
152KB
-
Filesize
3.6MB
-
Filesize
856KB
-
Filesize
36KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
136KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
10.8MB
-
Filesize
376KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB