Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
13-05-2024 23:06
General
-
Target
437a180db44c659505d08da56b1c5344.exe
-
Size
1.8MB
-
MD5
437a180db44c659505d08da56b1c5344
-
SHA1
63dcc88fc8ca4dc2c25028695b72fc48f9978df2
-
SHA256
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644
-
SHA512
fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a
-
SSDEEP
24576:cr3h9VUoVO3iealWdJarwRH7Vq5nTwJfrOTSxiRuxC7HtTlu6uFGBrkSVYNntYrl:cZbnV4koqTCxytBurGBwSVYNWZc7G8p
Malware Config
Signatures
-
Detect ZGRat V1 2 IoCs
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe"C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jggmdjap\jggmdjap.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A4A.tmp" "c:\Windows\System32\CSC622F2953DFF473F8EEF86FE3AA5C.TMP"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKFet18XkD.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Recovery\WindowsRE\dllhost.exe"C:\Recovery\WindowsRE\dllhost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "437a180db44c659505d08da56b1c53444" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\437a180db44c659505d08da56b1c5344.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "437a180db44c659505d08da56b1c5344" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\437a180db44c659505d08da56b1c5344.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "437a180db44c659505d08da56b1c53444" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\437a180db44c659505d08da56b1c5344.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "437a180db44c659505d08da56b1c53444" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "437a180db44c659505d08da56b1c5344" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "437a180db44c659505d08da56b1c53444" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\437a180db44c659505d08da56b1c5344.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5437a180db44c659505d08da56b1c5344
SHA163dcc88fc8ca4dc2c25028695b72fc48f9978df2
SHA256d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644
SHA512fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a
-
Filesize
209B
MD5cd6dcf0c54c6f30059c07656b58b2337
SHA1e22f3d6e80122ffea99f83b54024c91bf15e9697
SHA2563ad50abdd3d0e47ead514606487c105738e536a5d64844028453ce8328c58df8
SHA512a3dd5dd8cdca887bdbe09c9db505a0a30f11ac74dc0d5357def14ba658d560028534056f1661016b5110daee318b6ecdd88001b22b8a06edb5afabe34e0c1a14
-
Filesize
1KB
MD5c68447f884c945a76d104d4b528bf0eb
SHA1d0f0f1b3b44428d57fe89ac177553a14de1890f4
SHA256e193ad24899c5f56454dce0f10bb545f54ab91ffc356f2262c21d7083d9d2bb0
SHA5120a1f3c7e008526a8dd05fe4e20865e4fa250bcbbfce04ebd192832082eca5c00b580f8c57f083304fd0ef9db70140599a95ee393f91f61ee4c04a847524f5f9e
-
Filesize
366B
MD54e1a10f31157621a4f851807428086e1
SHA149485736703c4c04026ac6bd6ff700c5f32952be
SHA2568d6f2bfa3d55d36d3de91d3ed1a50f5a785566defdecb43399550129d1d05310
SHA512d5e60d8247b60d91336a39af0b25c5d3f687f68928d72ca24423c8e42b5736fd4ceb3684e5d41bd1364f6171326425a24155b1e74157e9198a4e2dff511ce269
-
Filesize
235B
MD50710caaa1daf11ec017043998013eaaf
SHA1cd022bb47482f34e7193f15340f771f061c055d8
SHA256c006a3e7c6a94bbc4b521a6baafdaceffd646048a9f258d6b8c6004b67c736b7
SHA512d160efbcedb099b2910f4416326c5e039352fc9c67f06778cdfd2839c4b246ba3d9746cb8a1f9accbd484dd1a777f63b369811a699415261c2d3cd74e36bcd3b
-
Filesize
1KB
MD5dbd9f08fe1204b55edd7689f0ff86d2f
SHA193a0995d1e07ebd10d10d7dd36e7fa021b2b3637
SHA256300e4915ed524682a79eda6cdd246098e05bb3b84380c692fe50ed7f41177e56
SHA512aaa1769baabc4858021e071d89a6012a3e5c3f36fab0a93c4160e6265f8e7ad9203c1940fa8f1def91239c68b5e274cccfa14aba75c517bbe341c4c70588f0d8
-
Filesize
1.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
1.9MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB