Overview

overview

10

Static

static

10

437a180db4...44.exe

windows7-x64

10

437a180db4...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13-05-2024 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    437a180db44c659505d08da56b1c5344.exe

  • Size

    1.8MB

  • MD5

    437a180db44c659505d08da56b1c5344

  • SHA1

    63dcc88fc8ca4dc2c25028695b72fc48f9978df2

  • SHA256

    d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

  • SHA512

    fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a

  • SSDEEP

    24576:cr3h9VUoVO3iealWdJarwRH7Vq5nTwJfrOTSxiRuxC7HtTlu6uFGBrkSVYNntYrl:cZbnV4koqTCxytBurGBwSVYNWZc7G8p

Score
10/10
zgratpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe
    "C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5qs2vxpg\5qs2vxpg.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98E5.tmp" "c:\Windows\System32\CSC276878DBFD8C4D49A981ABDF7692B7E5.TMP"
        3⤵
          PID:2604
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qNPNO6kghB.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:1500
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:2364
          • C:\Program Files (x86)\Windows Mail\winlogon.exe
            "C:\Program Files (x86)\Windows Mail\winlogon.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\reports\lsass.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2508
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\Crashpad\reports\lsass.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\audiodg.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\audiodg.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2796
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:788
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1108
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:936
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\winlogon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1992
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\lsm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2320
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Cursors\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\lsm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "437a180db44c659505d08da56b1c53444" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1968
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "437a180db44c659505d08da56b1c5344" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1824
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "437a180db44c659505d08da56b1c53444" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1668

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES98E5.tmp
        Filesize

        1KB

        MD5

        29755968e8537286bf14a0fdaef34390

        SHA1

        f9954e6f489b6089710ee5313a44b11dddbe6871

        SHA256

        1e9cc014f7d08457ceb640f34d668cd193dbb817b9ba7894befc80a6a05c27d0

        SHA512

        03924e15dc4e8c188d2d4627e8ebace5bf53309d43f5af3592e1df3b43883979ce491165d97f59b9b859007fe2dc5a53f8219e5e026c44245de0d033bda6de0b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\qNPNO6kghB.bat
        Filesize

        176B

        MD5

        6a90e82895f95c8a1cb0168cfb9742ed

        SHA1

        b53f39330a02e9ce6c0384c0134a4b6bb29b0746

        SHA256

        a389eeceb2c5cee3b5aa56f2eef5209a5fada04c9ff41906e472bf6c41403f66

        SHA512

        9cd2500491922461e4e60be12407fa2478c7c75a370299c0949f470268367775fa46a8873b3b9bf8ff850408a3d3a35ea5142d2add250b89fb369198c7118a7f

        Download Submit

      • C:\Windows\Temp\Crashpad\reports\lsass.exe
        Filesize

        1.8MB

        MD5

        437a180db44c659505d08da56b1c5344

        SHA1

        63dcc88fc8ca4dc2c25028695b72fc48f9978df2

        SHA256

        d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

        SHA512

        fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\5qs2vxpg\5qs2vxpg.0.cs
        Filesize

        374B

        MD5

        de673ea995b1571a14295fdedf91426d

        SHA1

        da0c9de4e69286906bb480c7e6293d596b928a9b

        SHA256

        c0a7a330df6a3dceda91b96e00ca7d7487b22828a07fc4c47b429de50b428c45

        SHA512

        d677bedc423e95d112b36e60e5168889a7c13612d180633346b81545e4b226c0765164a8631a4a7669538db5de2e6b65ae50928b7608e43ae10ff5c4f9057b38

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\5qs2vxpg\5qs2vxpg.cmdline
        Filesize

        235B

        MD5

        d26df6ec8e1ab05349f7e2885a01561a

        SHA1

        b9e1c6f23af6d6ec545e2be71e0c2e51910bdf01

        SHA256

        f211ea1232484dce32f33036ff132fdf1352308eb2dd18fa95c649b281fefdea

        SHA512

        3c65e311480f6b71dd582ea0d8a29e8745df2ee42a0442d7fdbf259a4ba23146114cc913892b187b4881d2216868f367e62cdc0d5d2f22254541fea7eb9a96d3

        Download Submit

      • \??\c:\Windows\System32\CSC276878DBFD8C4D49A981ABDF7692B7E5.TMP
        Filesize

        1KB

        MD5

        8520d952d96303e0f8a259972c09583d

        SHA1

        c6425e72597d55ad2a3cee1e3d321d8b3712c3b9

        SHA256

        f9849247b878573d5341c81a0a0e86d847df757f114504854ec9a55a63b790a0

        SHA512

        cdf94448c3a5e94fbc260d2cdd813f30976fe55165e30447cc0e2ae3ab2d6254619494b482b62f4875c419ecb21efefeadefb7d369560cb2e64a83c16735149e

        Download Submit

      • memory/2020-6-0x0000000000460000-0x000000000046E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2020-18-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2020-9-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2020-11-0x0000000000520000-0x000000000053C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2020-13-0x0000000000540000-0x0000000000558000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2020-15-0x0000000000470000-0x000000000047C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2020-16-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2020-8-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2020-7-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2020-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2020-4-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2020-3-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2020-2-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2020-46-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2020-1-0x0000000000070000-0x000000000024A000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2472-49-0x0000000001190000-0x000000000136A000-memory.dmp

        Filesize

        1.9MB

        Download