Overview

overview

10

Static

static

3

94e42c4fee...7a.exe

windows7-x64

10

94e42c4fee...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe

  • Size

    3.3MB

  • MD5

    776e97dad3071bc1fd1ac1365cf8c743

  • SHA1

    8661945484491a1275f34acb663f5bbcb2eb8bad

  • SHA256

    94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a

  • SHA512

    1bc6ea4cc03bb52df6c2ad119cddc78a9c35135e6449340fd16262e6940f82f587931c668431253f2c94d41daac0171e8674a450c4d47bc9da23f2f10f2aab7e

  • SSDEEP

    49152:2J/vzMuPb1xYthdEnupRPapi78CPOLldtp0ISpBRKXgifKLxoguTms/bQNJNQMdO:svzXPsbnwIOLlLBSpBK2u7GQMxoQ

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe
    "C:\Users\Admin\AppData\Local\Temp\94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe
      "C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Users\Admin\AppData\Local\Temp\мой билд.exe
        "C:\Users\Admin\AppData\Local\Temp\мой билд.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2492
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\surrogateFontWin\eZnqBD8zv5t5.bat" "
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3004
            • C:\surrogateFontWin\surrogateRuntime.exe
              "C:\surrogateFontWin/surrogateRuntime.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2812
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2220
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:1596
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1696
          • C:\Windows\system32\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp.bat""
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\system32\timeout.exe
              timeout 3
              4⤵
              • Delays execution with timeout.exe
              PID:2472

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat
        Filesize

        220B

        MD5

        10bf3523ef34de3e55ef4be77ad692d2

        SHA1

        317dc7f4973ddc805a74366ce77a3ca2f4c26de3

        SHA256

        1e3fa06c1c70fdc6ea202627182f40944c480c9d11682b2baf3b12eae5bca920

        SHA512

        3af93c3ab6851e2d43495851236026d60576911ae15901b72712448e2426e8bb9ce0b1a104c2815eeb71cf50c0456b0148a23acc8dec11c33989eab1c2909fc7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp.bat
        Filesize

        171B

        MD5

        e9a5dda09c16a5fa40978c207630390d

        SHA1

        c063bbd171b86938e33f1d77e5c5e8080b9aed91

        SHA256

        f3ee111d88343a1b94d6ba63554a134170f98f6ea914f43c58bc303030c658f9

        SHA512

        88534922fbe975f04ccdbf26bab90bb3ea6f601547649477863c20ca354f03e95a6825311f8ff6301c4da6d19b004b3b913583ecd19a9f9d8bbbfcd2170c0159

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe
        Filesize

        3.3MB

        MD5

        ea5beba042215b6e29432b37f6269a53

        SHA1

        b85803cfaa70f9ba75b8ec6b38c22a7322561909

        SHA256

        3a2445fac1e43838a0164e12ad98eb327f4441e0709f262858f54da828401d96

        SHA512

        92c7032e8c04ab33a1b1d0261a90f0a9416659967e94673297058ae58e0304ba6007ca224ec346d951c3cf058ded1617b1788d8662cdeefe10ef6cfdbfa8c997

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\мой билд.exe
        Filesize

        3.8MB

        MD5

        c7579b5e1166c0739f8595afaa66d29b

        SHA1

        b5f959fbe2a6c75deeb5a56cd585a0ccfdeacee6

        SHA256

        2b2e9731f7ef4f76d1c692afe23cd7f97d4da7652a37707455afb34b71559a50

        SHA512

        0d648ad038437a24f92962694fa9a26c3966f7b5a9f5f4b0ef8246526bb07e0d51931b0a27354529bb81f659eb2bbb12aed144969ef941c2ecdc38447c3887c5

        Download Submit

      • C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe
        Filesize

        207B

        MD5

        b622102857a2b174415567293088eb1a

        SHA1

        50c10da6de8894ce5e5bca5eace088e57f9445d8

        SHA256

        bc1c46785a1ed27d6b9850f641a63e27e2f7614b9b243a3781a3d6c4a6458b91

        SHA512

        ce72597fa7ff246ec205e8f4da30e8849a1793bd81fe95f36fd992245ef5077e97ae854a1cee0d9eff53383208d57572f74d0da3e1ce858aeaf033800d82c9fc

        Download Submit

      • C:\surrogateFontWin\eZnqBD8zv5t5.bat
        Filesize

        87B

        MD5

        87df721837805b4b316c6c91c33f3084

        SHA1

        d4c49ec3c7a3530f85f96442bb21fb5a3506c6d5

        SHA256

        1e2015066d2a71a19bdd1c4612a9bce1e8b6d56fdcf7c41b1a31a03a94f63cd1

        SHA512

        b8f1e4dc22215394b2d695dec46f08110c4e2a4d7ad002dc3b2ceb1cae8a1219b22f4b81b7da3daf83906b67510a2d9946ded01a6b6fa8a17f039dd83d0fb545

        Download Submit

      • \surrogateFontWin\surrogateRuntime.exe
        Filesize

        3.5MB

        MD5

        6ccd894282898ca369a424ff8f69427d

        SHA1

        d610cba5e272ac6de433301f558046ef4f611921

        SHA256

        4a76d24957664dfef3e7653fcbcd55da1e93b5f50344903d1ac31e49bbd51012

        SHA512

        40c748f1b5981e775849bfe74879d82d29f580ea0d82c2f428abfdf10ab120c672ed1660ed6b7b29545ed5ae576c96be7115b6cb43bf2121989cb2df822a835f

        Download Submit

      • memory/2812-48-0x00000000005A0000-0x00000000005B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2812-56-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2812-84-0x000000001B850000-0x000000001B89E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/2812-82-0x0000000001140000-0x000000000114C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2812-80-0x0000000001160000-0x0000000001178000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2812-78-0x0000000001130000-0x000000000113E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2812-76-0x0000000001120000-0x0000000001130000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2812-40-0x00000000011A0000-0x000000000152E000-memory.dmp

        Filesize

        3.6MB

        Download

      • memory/2812-42-0x0000000000D40000-0x0000000000D66000-memory.dmp

        Filesize

        152KB

        Download

      • memory/2812-44-0x0000000000410000-0x000000000041E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2812-46-0x0000000000B90000-0x0000000000BAC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2812-74-0x0000000001110000-0x000000000111E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2812-50-0x0000000000F50000-0x0000000000F68000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2812-52-0x00000000009E0000-0x00000000009F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2812-54-0x00000000009F0000-0x0000000000A00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2812-72-0x000000001AF80000-0x000000001AFDA000-memory.dmp

        Filesize

        360KB

        Download

      • memory/2812-58-0x0000000001090000-0x00000000010A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2812-60-0x0000000001070000-0x0000000001080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2812-62-0x00000000010D0000-0x00000000010E6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2812-64-0x00000000010F0000-0x0000000001102000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2812-66-0x0000000001080000-0x000000000108E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2812-68-0x00000000010B0000-0x00000000010C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2812-70-0x00000000010C0000-0x00000000010D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2928-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2928-4-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2928-10-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2928-1-0x00000000003E0000-0x0000000000738000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3056-11-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3056-8-0x0000000000850000-0x0000000000BA8000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3056-9-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3056-32-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

        Filesize

        9.9MB

        Download