Overview

overview

10

Static

static

10

958ccd8e8d...24.exe

windows7-x64

10

958ccd8e8d...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

  • Size

    2.7MB

  • MD5

    69cc2e20ea7a51666b8c14be90441073

  • SHA1

    6a3c7d3267c5c2a679f5f41dff36c091dccfb337

  • SHA256

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24

  • SHA512

    de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a

  • SSDEEP

    49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Score
10/10
zgratransomwareratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
    "C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1700
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT.CashRansomware
    Filesize

    32B

    MD5

    8a03d84d82949464efe00acaf68daf1f

    SHA1

    e4349d5fc939fe4944c750a25f771631c1d4f2bf

    SHA256

    decfd63e39fa6f497a001824d471ce5afab32bd9c850b2650840f30e3e262818

    SHA512

    9001948cc6183cc9f7158b226b1be5106984d8e487b401109ad704bec41e7f9057e08fd4be98e80bc466cca477ef587c97d7273fd641976275016db643e5c0a6

    Download Submit
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.CashRansomware
    Filesize

    8KB

    MD5

    785a95add241af21c2c66a35f79b5cb5

    SHA1

    658fd252bc0561b53aad0cc52779795647ca35d0

    SHA256

    4a8db59aa1ea3a522a23554859eb539e85c914d016ac6f10f28eb1e1844f4291

    SHA512

    12c3d4d07ea804abb05f88962be4eb2a9c38c1233c5e67c5fa9e870c1266e3a0b8bf42517b87a925e6a9128a11c9236ada69ecb2a1838661d75befaa174e7387

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X7K1QVVO\desktop.ini.CashRansomware
    Filesize

    80B

    MD5

    2aa729500e15b159ef0a1be8bb153f24

    SHA1

    a3c499c1486b402a6a8370fc8d155a33376f9d57

    SHA256

    550757bc502ebad3ef1109bd8ddf8fd761a87e266d7879802ea2410315588681

    SHA512

    737149cae3bd57105940f29208e1eff77f687613fac16e4b83f35a80df127ca0cb539dea301780586c0b6a7706951a0f26ec3ae9291fcf849142c8328b8723d0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.CashRansomware
    Filesize

    28KB

    MD5

    819dacf9bcbc5bb13fbaa9e6f3ce5648

    SHA1

    d5cd63c8f81b0f7028e3e9b75b231bb6b969aa08

    SHA256

    7c3809fd1f38389c1abd6f52be52cb648be70754d244576ed02440e271498b61

    SHA512

    7404b3f4ce4ed4b957f0a1a7525a9d0d9a2253bff4be9a4612abaae7f7c26684546c326e346709aa590aabfae3de3b10b7656256442988428cf7cc34f79b7eb4

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\container.dat.CashRansomware
    Filesize

    16B

    MD5

    acf53d0542c6f8c60be1ad86da170ef9

    SHA1

    ca2ddd62b149cb78403f44c07d66402d62e0a28e

    SHA256

    14f4d1f77f1d1fecc7bd067ef1f2ffade8ed34a0c327343e8ad6ca2ddda93ae2

    SHA512

    e9ade91ddd9e7e79581210887c3a9f2476689ad6dd20a0d259c2ab72be4c695975900e79785bbded54889970d9e8e195faea165b93772f706fe7ff01d4630974

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware
    Filesize

    48KB

    MD5

    75f9b7f8e7a7ed87e9ddf9cc02c19316

    SHA1

    83b3dfe1feda6fc490ae93cd5d496ff0b35cd6ff

    SHA256

    9e87d82efbf6b39cbafa8b8fc334c4f41bf06d0671469b838d219481faa1a182

    SHA512

    276391639162b0b2ca21b066c9835f98e2d50f85f04c9a9d9f4b040881c03dd8f43d3bc9b77c65a667a92402238d24989e5df50b1a2638eff993c47e76efb15a

    Download Submit
  • memory/1700-0-0x000007FEF5553000-0x000007FEF5554000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1700-2-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1700-1-0x0000000001130000-0x00000000013DE000-memory.dmp
    Filesize

    2.7MB

    Download
  • memory/1700-1251-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1700-1252-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1700-1253-0x000007FEF5553000-0x000007FEF5554000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1700-1254-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1700-1255-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1700-1256-0x000007FEF5550000-0x000007FEF5F3C000-memory.dmp
    Filesize

    9.9MB

    Download