Analysis
-
max time kernel
138s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-05-2024 02:21
Static task
static1
Behavioral task
behavioral1
Sample
94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe
Resource
win7-20240221-en
General
-
Target
94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe
-
Size
3.3MB
-
MD5
776e97dad3071bc1fd1ac1365cf8c743
-
SHA1
8661945484491a1275f34acb663f5bbcb2eb8bad
-
SHA256
94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a
-
SHA512
1bc6ea4cc03bb52df6c2ad119cddc78a9c35135e6449340fd16262e6940f82f587931c668431253f2c94d41daac0171e8674a450c4d47bc9da23f2f10f2aab7e
-
SSDEEP
49152:2J/vzMuPb1xYthdEnupRPapi78CPOLldtp0ISpBRKXgifKLxoguTms/bQNJNQMdO:svzXPsbnwIOLlLBSpBK2u7GQMxoQ
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral1/files/0x002d000000014665-16.dat family_zgrat_v1 behavioral1/files/0x0008000000014c25-38.dat family_zgrat_v1 behavioral1/memory/2812-40-0x00000000011A0000-0x000000000152E000-memory.dmp family_zgrat_v1 -
Executes dropped EXE 3 IoCs
pid Process 3056 мой билд (2).exe 2884 мой билд.exe 2812 surrogateRuntime.exe -
Loads dropped DLL 2 IoCs
pid Process 3004 cmd.exe 3004 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 2472 timeout.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3056 мой билд (2).exe 3056 мой билд (2).exe 3056 мой билд (2).exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe 2812 surrogateRuntime.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3056 мой билд (2).exe Token: SeDebugPrivilege 2812 surrogateRuntime.exe -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 2928 wrote to memory of 3056 2928 94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe 28 PID 2928 wrote to memory of 3056 2928 94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe 28 PID 2928 wrote to memory of 3056 2928 94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe 28 PID 3056 wrote to memory of 2884 3056 мой билд (2).exe 30 PID 3056 wrote to memory of 2884 3056 мой билд (2).exe 30 PID 3056 wrote to memory of 2884 3056 мой билд (2).exe 30 PID 3056 wrote to memory of 2884 3056 мой билд (2).exe 30 PID 3056 wrote to memory of 2668 3056 мой билд (2).exe 31 PID 3056 wrote to memory of 2668 3056 мой билд (2).exe 31 PID 3056 wrote to memory of 2668 3056 мой билд (2).exe 31 PID 2668 wrote to memory of 2472 2668 cmd.exe 33 PID 2668 wrote to memory of 2472 2668 cmd.exe 33 PID 2668 wrote to memory of 2472 2668 cmd.exe 33 PID 2884 wrote to memory of 2492 2884 мой билд.exe 34 PID 2884 wrote to memory of 2492 2884 мой билд.exe 34 PID 2884 wrote to memory of 2492 2884 мой билд.exe 34 PID 2884 wrote to memory of 2492 2884 мой билд.exe 34 PID 2492 wrote to memory of 3004 2492 WScript.exe 35 PID 2492 wrote to memory of 3004 2492 WScript.exe 35 PID 2492 wrote to memory of 3004 2492 WScript.exe 35 PID 2492 wrote to memory of 3004 2492 WScript.exe 35 PID 3004 wrote to memory of 2812 3004 cmd.exe 37 PID 3004 wrote to memory of 2812 3004 cmd.exe 37 PID 3004 wrote to memory of 2812 3004 cmd.exe 37 PID 3004 wrote to memory of 2812 3004 cmd.exe 37 PID 2812 wrote to memory of 2220 2812 surrogateRuntime.exe 40 PID 2812 wrote to memory of 2220 2812 surrogateRuntime.exe 40 PID 2812 wrote to memory of 2220 2812 surrogateRuntime.exe 40 PID 2220 wrote to memory of 1596 2220 cmd.exe 42 PID 2220 wrote to memory of 1596 2220 cmd.exe 42 PID 2220 wrote to memory of 1596 2220 cmd.exe 42 PID 2220 wrote to memory of 1696 2220 cmd.exe 43 PID 2220 wrote to memory of 1696 2220 cmd.exe 43 PID 2220 wrote to memory of 1696 2220 cmd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe"C:\Users\Admin\AppData\Local\Temp\94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe"C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\мой билд.exe"C:\Users\Admin\AppData\Local\Temp\мой билд.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe"4⤵
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\surrogateFontWin\eZnqBD8zv5t5.bat" "5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\surrogateFontWin\surrogateRuntime.exe"C:\surrogateFontWin/surrogateRuntime.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"7⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:1596
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1696
-
-
-
-
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:2472
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
220B
MD510bf3523ef34de3e55ef4be77ad692d2
SHA1317dc7f4973ddc805a74366ce77a3ca2f4c26de3
SHA2561e3fa06c1c70fdc6ea202627182f40944c480c9d11682b2baf3b12eae5bca920
SHA5123af93c3ab6851e2d43495851236026d60576911ae15901b72712448e2426e8bb9ce0b1a104c2815eeb71cf50c0456b0148a23acc8dec11c33989eab1c2909fc7
-
Filesize
171B
MD5e9a5dda09c16a5fa40978c207630390d
SHA1c063bbd171b86938e33f1d77e5c5e8080b9aed91
SHA256f3ee111d88343a1b94d6ba63554a134170f98f6ea914f43c58bc303030c658f9
SHA51288534922fbe975f04ccdbf26bab90bb3ea6f601547649477863c20ca354f03e95a6825311f8ff6301c4da6d19b004b3b913583ecd19a9f9d8bbbfcd2170c0159
-
Filesize
3.3MB
MD5ea5beba042215b6e29432b37f6269a53
SHA1b85803cfaa70f9ba75b8ec6b38c22a7322561909
SHA2563a2445fac1e43838a0164e12ad98eb327f4441e0709f262858f54da828401d96
SHA51292c7032e8c04ab33a1b1d0261a90f0a9416659967e94673297058ae58e0304ba6007ca224ec346d951c3cf058ded1617b1788d8662cdeefe10ef6cfdbfa8c997
-
Filesize
3.8MB
MD5c7579b5e1166c0739f8595afaa66d29b
SHA1b5f959fbe2a6c75deeb5a56cd585a0ccfdeacee6
SHA2562b2e9731f7ef4f76d1c692afe23cd7f97d4da7652a37707455afb34b71559a50
SHA5120d648ad038437a24f92962694fa9a26c3966f7b5a9f5f4b0ef8246526bb07e0d51931b0a27354529bb81f659eb2bbb12aed144969ef941c2ecdc38447c3887c5
-
Filesize
207B
MD5b622102857a2b174415567293088eb1a
SHA150c10da6de8894ce5e5bca5eace088e57f9445d8
SHA256bc1c46785a1ed27d6b9850f641a63e27e2f7614b9b243a3781a3d6c4a6458b91
SHA512ce72597fa7ff246ec205e8f4da30e8849a1793bd81fe95f36fd992245ef5077e97ae854a1cee0d9eff53383208d57572f74d0da3e1ce858aeaf033800d82c9fc
-
Filesize
87B
MD587df721837805b4b316c6c91c33f3084
SHA1d4c49ec3c7a3530f85f96442bb21fb5a3506c6d5
SHA2561e2015066d2a71a19bdd1c4612a9bce1e8b6d56fdcf7c41b1a31a03a94f63cd1
SHA512b8f1e4dc22215394b2d695dec46f08110c4e2a4d7ad002dc3b2ceb1cae8a1219b22f4b81b7da3daf83906b67510a2d9946ded01a6b6fa8a17f039dd83d0fb545
-
Filesize
3.5MB
MD56ccd894282898ca369a424ff8f69427d
SHA1d610cba5e272ac6de433301f558046ef4f611921
SHA2564a76d24957664dfef3e7653fcbcd55da1e93b5f50344903d1ac31e49bbd51012
SHA51240c748f1b5981e775849bfe74879d82d29f580ea0d82c2f428abfdf10ab120c672ed1660ed6b7b29545ed5ae576c96be7115b6cb43bf2121989cb2df822a835f