Overview

overview

10

Static

static

3

94e42c4fee...7a.exe

windows7-x64

10

94e42c4fee...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe

  • Size

    3.3MB

  • MD5

    776e97dad3071bc1fd1ac1365cf8c743

  • SHA1

    8661945484491a1275f34acb663f5bbcb2eb8bad

  • SHA256

    94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a

  • SHA512

    1bc6ea4cc03bb52df6c2ad119cddc78a9c35135e6449340fd16262e6940f82f587931c668431253f2c94d41daac0171e8674a450c4d47bc9da23f2f10f2aab7e

  • SSDEEP

    49152:2J/vzMuPb1xYthdEnupRPapi78CPOLldtp0ISpBRKXgifKLxoguTms/bQNJNQMdO:svzXPsbnwIOLlLBSpBK2u7GQMxoQ

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe
    "C:\Users\Admin\AppData\Local\Temp\94e42c4fee044a71b982054b06a77bc335aaf1e542f66422a75de3ea207dd77a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe
      "C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Users\Admin\AppData\Local\Temp\мой билд.exe
        "C:\Users\Admin\AppData\Local\Temp\мой билд.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\surrogateFontWin\eZnqBD8zv5t5.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3200
            • C:\surrogateFontWin\surrogateRuntime.exe
              "C:\surrogateFontWin/surrogateRuntime.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3988
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2740
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                    PID:4936
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3936
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6DCD.tmp.bat""
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1512
            • C:\Windows\system32\timeout.exe
              timeout 3
              4⤵
              • Delays execution with timeout.exe
              PID:1124

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\r7gOBUt9HL.bat
        Filesize

        220B

        MD5

        94105ca0a8d9ed41f6b9b8bee994d8d4

        SHA1

        2403ab268cbd6210ba1adf054bcd4d0d362f94a3

        SHA256

        d76a4b7a4e538cbef0a7ee89c6e058f092db9a1737f1274039db5b03d0168ae1

        SHA512

        23bd23545897810616cd53556ce52e513462adf09593d9252e0792ea3f8884e3eba62416f346922d54df958ce74ad56bd39b5854e4ba0e46a61aa4667ecf5d43

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp6DCD.tmp.bat
        Filesize

        171B

        MD5

        523d6a89b7d2f40bb52b03ea40ed1c3d

        SHA1

        8e08aa83cfe64ef60046dd89b97941bf09b7aaff

        SHA256

        6184ae43f90d01601118850b2a560990ec146828f6cd4293fd3a4229a27ed13c

        SHA512

        f6554fde99646b0dc53e6e6d59f706ec4cdf8df1d0d51f080ff2e8a151d72c352ee89ddd67af02f1416967ceb19804854519d1899af20858964f074d43b35db0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\мой билд (2).exe
        Filesize

        3.3MB

        MD5

        ea5beba042215b6e29432b37f6269a53

        SHA1

        b85803cfaa70f9ba75b8ec6b38c22a7322561909

        SHA256

        3a2445fac1e43838a0164e12ad98eb327f4441e0709f262858f54da828401d96

        SHA512

        92c7032e8c04ab33a1b1d0261a90f0a9416659967e94673297058ae58e0304ba6007ca224ec346d951c3cf058ded1617b1788d8662cdeefe10ef6cfdbfa8c997

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\мой билд.exe
        Filesize

        3.8MB

        MD5

        c7579b5e1166c0739f8595afaa66d29b

        SHA1

        b5f959fbe2a6c75deeb5a56cd585a0ccfdeacee6

        SHA256

        2b2e9731f7ef4f76d1c692afe23cd7f97d4da7652a37707455afb34b71559a50

        SHA512

        0d648ad038437a24f92962694fa9a26c3966f7b5a9f5f4b0ef8246526bb07e0d51931b0a27354529bb81f659eb2bbb12aed144969ef941c2ecdc38447c3887c5

        Download Submit

      • C:\surrogateFontWin\FxEsHofdY3CkZxo9NE8wRbgFeALKgU47U7PRpcYvRm.vbe
        Filesize

        207B

        MD5

        b622102857a2b174415567293088eb1a

        SHA1

        50c10da6de8894ce5e5bca5eace088e57f9445d8

        SHA256

        bc1c46785a1ed27d6b9850f641a63e27e2f7614b9b243a3781a3d6c4a6458b91

        SHA512

        ce72597fa7ff246ec205e8f4da30e8849a1793bd81fe95f36fd992245ef5077e97ae854a1cee0d9eff53383208d57572f74d0da3e1ce858aeaf033800d82c9fc

        Download Submit

      • C:\surrogateFontWin\eZnqBD8zv5t5.bat
        Filesize

        87B

        MD5

        87df721837805b4b316c6c91c33f3084

        SHA1

        d4c49ec3c7a3530f85f96442bb21fb5a3506c6d5

        SHA256

        1e2015066d2a71a19bdd1c4612a9bce1e8b6d56fdcf7c41b1a31a03a94f63cd1

        SHA512

        b8f1e4dc22215394b2d695dec46f08110c4e2a4d7ad002dc3b2ceb1cae8a1219b22f4b81b7da3daf83906b67510a2d9946ded01a6b6fa8a17f039dd83d0fb545

        Download Submit

      • C:\surrogateFontWin\surrogateRuntime.exe
        Filesize

        3.5MB

        MD5

        6ccd894282898ca369a424ff8f69427d

        SHA1

        d610cba5e272ac6de433301f558046ef4f611921

        SHA256

        4a76d24957664dfef3e7653fcbcd55da1e93b5f50344903d1ac31e49bbd51012

        SHA512

        40c748f1b5981e775849bfe74879d82d29f580ea0d82c2f428abfdf10ab120c672ed1660ed6b7b29545ed5ae576c96be7115b6cb43bf2121989cb2df822a835f

        Download Submit

      • memory/2308-16-0x00007FFA53DD0000-0x00007FFA54891000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2308-17-0x0000000000BD0000-0x0000000000F28000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2308-18-0x00007FFA53DD0000-0x00007FFA54891000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2308-29-0x00007FFA53DD0000-0x00007FFA54891000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3988-59-0x000000001AF00000-0x000000001AF10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3988-70-0x000000001BAB0000-0x000000001BFD8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3988-141-0x000000001C9F0000-0x000000001CB99000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/3988-44-0x0000000000020000-0x00000000003AE000-memory.dmp

        Filesize

        3.6MB

        Download

      • memory/3988-46-0x00000000024E0000-0x0000000002506000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3988-48-0x0000000002330000-0x000000000233E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3988-50-0x000000001AF10000-0x000000001AF2C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3988-51-0x000000001B4F0000-0x000000001B540000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3988-53-0x0000000002340000-0x0000000002350000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3988-55-0x000000001AF50000-0x000000001AF68000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3988-57-0x000000001AEF0000-0x000000001AF00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3988-140-0x000000001B9E0000-0x000000001BAAD000-memory.dmp

        Filesize

        820KB

        Download

      • memory/3988-61-0x000000001AF30000-0x000000001AF3E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3988-63-0x000000001B4A0000-0x000000001B4B2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3988-65-0x000000001AF70000-0x000000001AF80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3988-67-0x000000001B540000-0x000000001B556000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3988-69-0x000000001B560000-0x000000001B572000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3988-124-0x000000001C9F0000-0x000000001CB99000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/3988-72-0x000000001AF80000-0x000000001AF8E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3988-74-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3988-76-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3988-78-0x000000001B5E0000-0x000000001B63A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/3988-80-0x000000001B4E0000-0x000000001B4EE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3988-82-0x000000001B580000-0x000000001B590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3988-84-0x000000001B590000-0x000000001B59E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3988-86-0x000000001B5C0000-0x000000001B5D8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/3988-88-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3988-90-0x000000001B890000-0x000000001B8DE000-memory.dmp

        Filesize

        312KB

        Download

      • memory/3988-91-0x000000001B9E0000-0x000000001BAAD000-memory.dmp

        Filesize

        820KB

        Download

      • memory/3988-92-0x000000001C9F0000-0x000000001CB99000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/4340-15-0x00007FFA53DD0000-0x00007FFA54891000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4340-0-0x00007FFA53DD3000-0x00007FFA53DD5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4340-10-0x00007FFA53DD0000-0x00007FFA54891000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4340-1-0x0000000000340000-0x0000000000698000-memory.dmp

        Filesize

        3.3MB

        Download