Overview

overview

10

Static

static

3

8eb6ed0139...6a.exe

windows7-x64

10

8eb6ed0139...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13/05/2024, 08:08 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8eb6ed01392a5cbba283febd7c9aa16a.exe

  • Size

    791KB

  • MD5

    8eb6ed01392a5cbba283febd7c9aa16a

  • SHA1

    d472f8b50f8a9a6e583262f326a57927d9df940c

  • SHA256

    b2e85f5907f28c7c9bfc0370be2567494e0fd11887dfc80ca62958d4f5fbf8a0

  • SHA512

    e6f08c9036df0f8c7f38895f4bbf240d796b8da9838ac87c67c56122361675462844a99fed386856a09744d4beaba7f81431619696cea959f93dc0de1962151a

  • SSDEEP

    12288:SaEg+LSgoEJHE6QxTZbZQIPqeEMbZO6MGomMRPArytpfoA:SaEgVrEJCTZlQISeEoq1J3pfx

Score
10/10
zgratexecutionrat

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe
    "C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe'
      2⤵
      • Drops startup file
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe
      C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2472

Network

  • flag-us
    DNS
    relay-01-static.cloud
    8eb6ed01392a5cbba283febd7c9aa16a.exe
    Remote address:
    8.8.8.8:53
    Request
    relay-01-static.cloud
    IN A
    Response
    relay-01-static.cloud
    IN A
    111.90.159.210
  • 111.90.159.210:39001
    relay-01-static.cloud
    8eb6ed01392a5cbba283febd7c9aa16a.exe
    500 B
     292 B
     8
    7
  • 8.8.8.8:53
    relay-01-static.cloud
    dns
    8eb6ed01392a5cbba283febd7c9aa16a.exe
    67 B
     83 B
     1
    1

    DNS Request

    relay-01-static.cloud

    DNS Response

    111.90.159.210

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1660-0-0x000007FEF57A3000-0x000007FEF57A4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1660-1-0x000000013FEA0000-0x000000013FF6A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1660-2-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1660-3-0x000000001BDB0000-0x000000001BE64000-memory.dmp

    Filesize

    720KB

    Download

  • memory/1660-26-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2472-17-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2472-18-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2472-28-0x0000000000550000-0x000000000059C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2472-27-0x00000000007A0000-0x00000000007F6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2472-19-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2472-20-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2472-25-0x000000001B8A0000-0x000000001B9A4000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2472-22-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2556-9-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2556-11-0x000007FEED3B0000-0x000007FEEDD4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-14-0x000007FEED3B0000-0x000007FEEDD4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-15-0x0000000002D64000-0x0000000002D67000-memory.dmp

    Filesize

    12KB

    Download

  • memory/2556-16-0x000007FEED3B0000-0x000007FEEDD4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-12-0x000007FEED3B0000-0x000007FEEDD4D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2556-10-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2556-8-0x000007FEED66E000-0x000007FEED66F000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.