Overview

overview

10

Static

static

3

8eb6ed0139...6a.exe

windows7-x64

10

8eb6ed0139...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8eb6ed01392a5cbba283febd7c9aa16a.exe

  • Size

    791KB

  • MD5

    8eb6ed01392a5cbba283febd7c9aa16a

  • SHA1

    d472f8b50f8a9a6e583262f326a57927d9df940c

  • SHA256

    b2e85f5907f28c7c9bfc0370be2567494e0fd11887dfc80ca62958d4f5fbf8a0

  • SHA512

    e6f08c9036df0f8c7f38895f4bbf240d796b8da9838ac87c67c56122361675462844a99fed386856a09744d4beaba7f81431619696cea959f93dc0de1962151a

  • SSDEEP

    12288:SaEg+LSgoEJHE6QxTZbZQIPqeEMbZO6MGomMRPArytpfoA:SaEgVrEJCTZlQISeEoq1J3pfx

Score
10/10
zgratexecutionrat

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe
    "C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe'
      2⤵
      • Drops startup file
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1876
    • C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe
      C:\Users\Admin\AppData\Local\Temp\8eb6ed01392a5cbba283febd7c9aa16a.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\8eb6ed01392a5cbba283febd7c9aa16a.exe.log
    Filesize

    1KB

    MD5

    1ffb6c38353a8d7a11fd1b0a3480ac5d

    SHA1

    32d622aae7c022fe9fa7d22efb9c8a184ae3032c

    SHA256

    3d7b67a6de3a663d825fc385677fcd577498a582ed616c899765392f191ddb13

    SHA512

    b8b781ea9222a86087e63ad70732b3921f85ecbbf6facb940b2f8ab797b5624534af48a4eeae4b35ecb6bcc7cea5a42bb090e6d7041bd6d065044a81e1ea8395

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_otrhurhs.5xp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1876-21-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1876-17-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1876-16-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1876-11-0x0000024727DF0000-0x0000024727E12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2228-4-0x000000001C440000-0x000000001C4F4000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2228-5-0x00000000032C0000-0x00000000032DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2228-0-0x00007FFA71593000-0x00007FFA71595000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2228-3-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2228-2-0x0000000003310000-0x0000000003386000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2228-1-0x00000000006D0000-0x000000000079A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/2228-27-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3708-22-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/3708-25-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3708-26-0x000000001C870000-0x000000001C974000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3708-28-0x000000001C970000-0x000000001C9C6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3708-29-0x000000001C9D0000-0x000000001CA1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3708-30-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

    Filesize

    10.8MB

    Download