Analysis
-
max time kernel
138s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
14-05-2024 02:21
General
-
Target
94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe
-
Size
3.3MB
-
MD5
776e97dad3071bc1fd1ac1365cf8c743
-
SHA1
8661945484491a1275f34acb663f5bbcb2eb8bad
-
SHA256
94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a
-
SHA512
1bc6ea4cc03bb52df6c2ad119cddc78a9c35135e6449340fd16262e6940f82f587931c668431253f2c94d41daac0171e8674a450c4d47bc9da23f2f10f2aab7e
-
SSDEEP
49152:2J/vzMuPb1xYthdEnupRPapi78CPOLldtp0ISpBRKXgifKLxoguTms/bQNJNQMdO:svzXPsbnwIOLlLBSpBK2u7GQMxoQ
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe"C:\Users\Admin\AppData\Local\Temp\94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe"C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\мой билд.exe"C:\Users\Admin\AppData\Local\Temp\мой билд.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\surrogateFontWin\eZnqBD8zv5t5.bat" "5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\surrogateFontWin\surrogateRuntime.exe"C:\surrogateFontWin/surrogateRuntime.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.batFilesize
220B
MD510bf3523ef34de3e55ef4be77ad692d2
SHA1317dc7f4973ddc805a74366ce77a3ca2f4c26de3
SHA2561e3fa06c1c70fdc6ea202627182f40944c480c9d11682b2baf3b12eae5bca920
SHA5123af93c3ab6851e2d43495851236026d60576911ae15901b72712448e2426e8bb9ce0b1a104c2815eeb71cf50c0456b0148a23acc8dec11c33989eab1c2909fc7
-
C:\Users\Admin\AppData\Local\Temp\tmp37E2.tmp.batFilesize
171B
MD5e9a5dda09c16a5fa40978c207630390d
SHA1c063bbd171b86938e33f1d77e5c5e8080b9aed91
SHA256f3ee111d88343a1b94d6ba63554a134170f98f6ea914f43c58bc303030c658f9
SHA51288534922fbe975f04ccdbf26bab90bb3ea6f601547649477863c20ca354f03e95a6825311f8ff6301c4da6d19b004b3b913583ecd19a9f9d8bbbfcd2170c0159
-
C:\Users\Admin\AppData\Local\Temp\мой билд (2).exeFilesize
3.3MB
MD5ea5beba042215b6e29432b37f6269a53
SHA1b85803cfaa70f9ba75b8ec6b38c22a7322561909
SHA2563a2445fac1e43838a0164e12ad98eb327f4441e0709f262858f54da828401d96
SHA51292c7032e8c04ab33a1b1d0261a90f0a9416659967e94673297058ae58e0304ba6007ca224ec346d951c3cf058ded1617b1788d8662cdeefe10ef6cfdbfa8c997
-
C:\Users\Admin\AppData\Local\Temp\мой билд.exeFilesize
3.8MB
MD5c7579b5e1166c0739f8595afaa66d29b
SHA1b5f959fbe2a6c75deeb5a56cd585a0ccfdeacee6
SHA2562b2e9731f7ef4f76d1c692afe23cd7f97d4da7652a37707455afb34b71559a50
SHA5120d648ad038437a24f92962694fa9a26c3966f7b5a9f5f4b0ef8246526bb07e0d51931b0a27354529bb81f659eb2bbb12aed144969ef941c2ecdc38447c3887c5
-
C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbeFilesize
207B
MD5b622102857a2b174415567293088eb1a
SHA150c10da6de8894ce5e5bca5eace088e57f9445d8
SHA256bc1c46785a1ed27d6b9850f641a63e27e2f7614b9b243a3781a3d6c4a6458b91
SHA512ce72597fa7ff246ec205e8f4da30e8849a1793bd81fe95f36fd992245ef5077e97ae854a1cee0d9eff53383208d57572f74d0da3e1ce858aeaf033800d82c9fc
-
C:\surrogateFontWin\eZnqBD8zv5t5.batFilesize
87B
MD587df721837805b4b316c6c91c33f3084
SHA1d4c49ec3c7a3530f85f96442bb21fb5a3506c6d5
SHA2561e2015066d2a71a19bdd1c4612a9bce1e8b6d56fdcf7c41b1a31a03a94f63cd1
SHA512b8f1e4dc22215394b2d695dec46f08110c4e2a4d7ad002dc3b2ceb1cae8a1219b22f4b81b7da3daf83906b67510a2d9946ded01a6b6fa8a17f039dd83d0fb545
-
\surrogateFontWin\surrogateRuntime.exeFilesize
3.5MB
MD56ccd894282898ca369a424ff8f69427d
SHA1d610cba5e272ac6de433301f558046ef4f611921
SHA2564a76d24957664dfef3e7653fcbcd55da1e93b5f50344903d1ac31e49bbd51012
SHA51240c748f1b5981e775849bfe74879d82d29f580ea0d82c2f428abfdf10ab120c672ed1660ed6b7b29545ed5ae576c96be7115b6cb43bf2121989cb2df822a835f
-
memory/2812-48-0x00000000005A0000-0x00000000005B0000-memory.dmpFilesize
64KB
-
memory/2812-56-0x0000000000BB0000-0x0000000000BBE000-memory.dmpFilesize
56KB
-
memory/2812-84-0x000000001B850000-0x000000001B89E000-memory.dmpFilesize
312KB
-
memory/2812-82-0x0000000001140000-0x000000000114C000-memory.dmpFilesize
48KB
-
memory/2812-80-0x0000000001160000-0x0000000001178000-memory.dmpFilesize
96KB
-
memory/2812-78-0x0000000001130000-0x000000000113E000-memory.dmpFilesize
56KB
-
memory/2812-76-0x0000000001120000-0x0000000001130000-memory.dmpFilesize
64KB
-
memory/2812-40-0x00000000011A0000-0x000000000152E000-memory.dmpFilesize
3.6MB
-
memory/2812-42-0x0000000000D40000-0x0000000000D66000-memory.dmpFilesize
152KB
-
memory/2812-44-0x0000000000410000-0x000000000041E000-memory.dmpFilesize
56KB
-
memory/2812-46-0x0000000000B90000-0x0000000000BAC000-memory.dmpFilesize
112KB
-
memory/2812-74-0x0000000001110000-0x000000000111E000-memory.dmpFilesize
56KB
-
memory/2812-50-0x0000000000F50000-0x0000000000F68000-memory.dmpFilesize
96KB
-
memory/2812-52-0x00000000009E0000-0x00000000009F0000-memory.dmpFilesize
64KB
-
memory/2812-54-0x00000000009F0000-0x0000000000A00000-memory.dmpFilesize
64KB
-
memory/2812-72-0x000000001AF80000-0x000000001AFDA000-memory.dmpFilesize
360KB
-
memory/2812-58-0x0000000001090000-0x00000000010A2000-memory.dmpFilesize
72KB
-
memory/2812-60-0x0000000001070000-0x0000000001080000-memory.dmpFilesize
64KB
-
memory/2812-62-0x00000000010D0000-0x00000000010E6000-memory.dmpFilesize
88KB
-
memory/2812-64-0x00000000010F0000-0x0000000001102000-memory.dmpFilesize
72KB
-
memory/2812-66-0x0000000001080000-0x000000000108E000-memory.dmpFilesize
56KB
-
memory/2812-68-0x00000000010B0000-0x00000000010C0000-memory.dmpFilesize
64KB
-
memory/2812-70-0x00000000010C0000-0x00000000010D0000-memory.dmpFilesize
64KB
-
memory/2928-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmpFilesize
4KB
-
memory/2928-4-0x000007FEF5680000-0x000007FEF606C000-memory.dmpFilesize
9.9MB
-
memory/2928-10-0x000007FEF5680000-0x000007FEF606C000-memory.dmpFilesize
9.9MB
-
memory/2928-1-0x00000000003E0000-0x0000000000738000-memory.dmpFilesize
3.3MB
-
memory/3056-11-0x000007FEF5680000-0x000007FEF606C000-memory.dmpFilesize
9.9MB
-
memory/3056-8-0x0000000000850000-0x0000000000BA8000-memory.dmpFilesize
3.3MB
-
memory/3056-9-0x000007FEF5680000-0x000007FEF606C000-memory.dmpFilesize
9.9MB
-
memory/3056-32-0x000007FEF5680000-0x000007FEF606C000-memory.dmpFilesize
9.9MB