Resubmissions

14-05-2024 07:02

Analysis ID: 240514-ht24eaeh43 (score 10)

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-05-2024 07:02

General

  • Target

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

  • Size

    2.7MB

  • MD5

    69cc2e20ea7a51666b8c14be90441073

  • SHA1

    6a3c7d3267c5c2a679f5f41dff36c091dccfb337

  • SHA256

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24

  • SHA512

    de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a

  • SSDEEP

    49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • .NET Reactor protector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
    "C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1036
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1588

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT.CashRansomware

    Filesize

    32B

    MD5

    1ccba8c54cd64cc8254b978685e80bb2

    SHA1

    d6b43737b555c935a2f36ab0f1b1b095eac1b45f

    SHA256

    422f475143d4b7734a12bcdc86afb741712e6d064073a94c97c16d2d0960db96

    SHA512

    93f6d590c195c7fe9e6dd51b866f377b07b68adc91b11bea5eb8a2ac7a2a8ce37fd8e644f1f93476ea00556b9479331095c7959797be2f0c15e9ac6aa39f9a3d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.CashRansomware

    Filesize

    8KB

    MD5

    fe92848b5ce56f5c5198474d40f2b207

    SHA1

    522d963723cfb7d6dcdecbf25f8c1aa017f31efc

    SHA256

    96d855611b390719dffbb312762687264adc653c7fd1d922aac29f25683b44a1

    SHA512

    facacb82210e88e0485b4e476669378d622f36a7707a900147befcb269d1ecf3a56e5fae3043d8c63985f36550237b6eaa9f09fc07da4b9a7a8680a05cfeea42

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YR1SPOMQ\desktop.ini.CashRansomware

    Filesize

    80B

    MD5

    0f3b65cc868f45f9c00b3a948b8def16

    SHA1

    3eb61fa1f2a0d3fec2f50607a09114b7fbd34f08

    SHA256

    9aa48dd1684bbcfe0ff01ac7c0f7f65483724c33c403c5870154c743374eaeb4

    SHA512

    cb86e06144ae2b44ed0b5165ffd49c27e7389535ee78486479f179a73737f566a3a8393f8f641d57b42806499cfc8ace3d9d8ac5279a737cbbc24c1d24b77b47

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.CashRansomware

    Filesize

    28KB

    MD5

    5309cb1e07d93e52e8089cc338a97d84

    SHA1

    20ce2d341f18996e8219c109605c137a29bd1434

    SHA256

    b24a8b73d5f811396bfde3d6db303a9c51fb26ce3692aad526645efc31406053

    SHA512

    3b860530942b58daabc9bd17d3eb2030dd2098fe09a23a05206940a646da306fbd9c6a2531a073fc4de3bfb6ca15d16e34c1507c6e52f140df76a98c60a59459

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\container.dat.CashRansomware

    Filesize

    16B

    MD5

    a1ee1f95939dded84d1ac0d13f44744d

    SHA1

    919ab8132c6e9f110ce27e5ce3d8bfe11d122f1c

    SHA256

    5e07ca296b4521042722b697f5bdb041b21699b478b6a025d21876af9a6eac06

    SHA512

    40c947a9dbcfce0279eb1f01e8422fc838a6168aaecfc1831ac95ef32fad79334167b842100b3027960733a978d77a09d6c1e26ca816fa28188e18a79a899450

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware

    Filesize

    48KB

    MD5

    5b3f76eb16856db983afffcf4f6c4e88

    SHA1

    327bdfbe92865b37a2d436b901a05990043ee427

    SHA256

    37d01998d05676df4e735746335a2c11846b00dac8120de175f191b882994639

    SHA512

    10761250de10563fc31c509bd3951a5216da28cbaab4882505026d232ce3a2c1b38afbe2e09825714157446d2f306c1debe17d8671e34c06206c7469bbb0afec

  • memory/1036-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

    Filesize

    4KB

  • memory/1036-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

    Filesize

    9.9MB

  • memory/1036-1-0x0000000001060000-0x000000000130E000-memory.dmp

    Filesize

    2.7MB

  • memory/1036-1199-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

    Filesize

    9.9MB

  • memory/1036-1200-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

    Filesize

    9.9MB

  • memory/1036-1201-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

    Filesize

    4KB

  • memory/1036-1202-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

    Filesize

    9.9MB

  • memory/1036-1203-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

    Filesize

    9.9MB

  • memory/1036-1204-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

    Filesize

    9.9MB