Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-05-2024 07:33

General

  • Target

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe

  • Size

    2.7MB

  • MD5

    69cc2e20ea7a51666b8c14be90441073

  • SHA1

    6a3c7d3267c5c2a679f5f41dff36c091dccfb337

  • SHA256

    958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24

  • SHA512

    de565813d0ddfe491c367e78b2a11891a73859a04efd83d8f35a4a6f6a028a29c873750dc863d1dfca9c40f9b4778cb1882bf8c07b9609f8463db22ac912922a

  • SSDEEP

    49152:nsul/s9YiZYGuT/s9YEQtQRTMYIMi7ztf33cSywWyFoEgn9uw:nJVsG+YRzsG1tQRjdih8rwcr

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • .NET Reactor protector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile data.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. The report shows only that the service was started (vssvc.exe, PID 2440, under Processes); it does not record which VSS operation was requested.
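The signatures above are behavioural: each one is a predicate over a single telemetry event (a registry write, a file create, a network connection, a process start). The script below is an added example, not the sandbox's own engine, that replays those predicates over constructed Sysmon-style JSON lines. The event schema (event_type, image, target_object, target_filename, dest_hostname), the list of IP-lookup hostnames and every path other than the sample's own are assumptions; the vssvc.exe rule keys on the service starting, which is the observable the Processes section shows, since the COM call itself does not appear in process telemetry.

```python
"""Behavioural triage: replay the report's signatures over telemetry.

Added example, not part of the sandbox report or its detection engine.
Events are constructed Sysmon-style JSON lines with an assumed schema:
  event_type      : registry_set | file_create | network_connect | process_create
  image           : process that caused the event
  target_object   : registry path (registry_set)
  target_filename : file path     (file_create)
  dest_hostname   : remote host   (network_connect)
"""
import json
import ntpath
import re
from collections import defaultdict

ENCRYPTED_EXT = ".CashRansomware"  # extension appended to the files in the Downloads list
# Public IP-lookup services; an assumed watch-list, extend for your environment.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me", "ip-api.com"}

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
PROGRAM_FILES_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\")
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)


def drops_startup_file(ev):
    return ev["event_type"] == "file_create" and bool(STARTUP_RE.search(ev.get("target_filename", "")))


def sets_wallpaper(ev):
    return ev["event_type"] == "registry_set" and bool(WALLPAPER_RE.search(ev.get("target_object", "")))


def drops_in_program_files(ev):
    return ev["event_type"] == "file_create" and bool(PROGRAM_FILES_RE.match(ev.get("target_filename", "")))


def external_ip_lookup(ev):
    return ev["event_type"] == "network_connect" and ev.get("dest_hostname", "").lower() in IP_LOOKUP_HOSTS


def vss_service_started(ev):
    # The COM call is invisible to process telemetry; the VSS service (vssvc.exe)
    # being started is the observable the report's Processes section shows.
    return ev["event_type"] == "process_create" and ntpath.basename(ev.get("image", "")).lower() == "vssvc.exe"


def writes_encrypted_file(ev):
    return ev["event_type"] == "file_create" and ev.get("target_filename", "").endswith(ENCRYPTED_EXT)


RULES = {
    "Drops startup file": drops_startup_file,
    "Sets desktop wallpaper using registry": sets_wallpaper,
    "Drops file in Program Files directory": drops_in_program_files,
    "Looks up external IP address via web service": external_ip_lookup,
    "Uses Volume Shadow Copy service (vssvc.exe started)": vss_service_started,
    "Writes file with " + ENCRYPTED_EXT + " extension": writes_encrypted_file,
}


def evaluate(lines):
    """Return {signature: [event index, ...]} for every rule that fired on the JSON lines."""
    hits = defaultdict(list)
    for idx, line in enumerate(lines):
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(idx)
    return dict(hits)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"

# Constructed events modelled on the report; file names below are placeholders.
SAMPLE_EVENTS = [
    {"event_type": "registry_set", "image": SAMPLE,
     "target_object": r"HKCU\Control Panel\Desktop\Wallpaper", "value": r"C:\Users\Admin\wall.bmp"},
    {"event_type": "file_create", "image": SAMPLE,
     "target_filename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"event_type": "file_create", "image": SAMPLE,
     "target_filename": r"C:\Program Files\Common Files\readme.txt" + ENCRYPTED_EXT},
    {"event_type": "network_connect", "image": SAMPLE, "dest_hostname": "api.ipify.org", "dest_port": 443},
    {"event_type": "process_create", "image": r"C:\Windows\system32\vssvc.exe", "pid": 2440},
    {"event_type": "file_create", "image": r"C:\Windows\explorer.exe",   # benign control event
     "target_filename": r"C:\Users\Admin\Documents\notes.txt"},
]
SAMPLE_LINES = [json.dumps(ev) for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for name, idxs in evaluate(SAMPLE_LINES).items():
        print(f"{name}: events {idxs}")
```

Each constructed event trips exactly the rule it was modelled on, the Program Files write trips two (location and extension), and the explorer.exe control event trips none; the "Reads user/profile data of web browsers" and "Suspicious use of AdjustPrivilegeToken" signatures need file-read and token telemetry that this event schema does not carry.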

Processes

  • C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe
    "C:\Users\Admin\AppData\Local\Temp\958ccd8e8dcce5e7bac5f891e8edc42ad6c5497d9385c8ae26c328c5f7beda24.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3000
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT.CashRansomware

    Filesize

    32B

    MD5

    a7d8c4f00ca1b0fe31816ce438d6514a

    SHA1

    f1009b3ab9b3068978c0f3489dd9fd1174fb69e2

    SHA256

    49b37352a5a7924b573d7eef218729c897cb938b0b422dfe93723571ea74b9b6

    SHA512

    ddf8a710fdc6c417990f85065a1c9457cddc538ef1595577c868645b4e20ffe85df5466abd95bf67ede2cdcb176e12362dcba0b9e79071488488215f5fcf6460

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.CashRansomware

    Filesize

    8KB

    MD5

    155e204beda700cc23e00a91cf0e3b2e

    SHA1

    4ccfe0537f6e737e295bb411cf7a65d6670bd7b0

    SHA256

    a71c8e4a8b6f3355db97697d0036e93b1f1f3e58d4f98a23ab60d313607f863d

    SHA512

    96ba4faf7cef6e63861ab105dd79e8fd70bb686adb32bad3b47920df3614b2323bb3c1b12d94e4d1370374dc4aba4e5a85dedcd0174171b8c460948e4a520c3f

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P56GQFE8\desktop.ini.CashRansomware

    Filesize

    80B

    MD5

    bf91e980ba28ce6c58d00da1104aa8d3

    SHA1

    2b4ad13c9734d6f19172fd3c861ede2e6a36069d

    SHA256

    717478b3a7816352267f191df8ae8ab52147d81031a9d2fcb7cbbb9388a78c5c

    SHA512

    6ab8163e4da482b94385c524ed22a12491761b9c23ef08c6463b2940374526965e8f6f04cce2f5eeb67510307ff2e5290c411e6e8cda46fb2a9ef4e03c8cccbf

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.CashRansomware

    Filesize

    28KB

    MD5

    82d725c5becf1fcc9c8c541d2a8d982a

    SHA1

    33bc43036e5e0c6ddaf7b4655dc7e6330637a5c9

    SHA256

    fb30aae92bfa0d4e78e5da778322f014ff2666df34ed890b8a54212c87410af9

    SHA512

    e5dad678578b388c0b9e7f20bbc37fc39921f8373f20a584340121ee1c634be17c84047a550883b050d231be4da29fe3224ed5db1b457b282b5608d43372fb67

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\container.dat.CashRansomware

    Filesize

    16B

    MD5

    e9eb4ccfb1ae9537b9f0b17faf9695a0

    SHA1

    7f03eeb6d5547674aefc25dac1f7b7628dc3a792

    SHA256

    4c4c4e3d16fe6b426c216285c343488fd06372eead77351f2c6a71c4695fe863

    SHA512

    b0d31e48557aa31af48ea129fc49498c1a57fbb8529740501857b1f67055119c60272d0b837d563eab3ef2b281415044966a25310f0778305ead3c8b9f37028a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.CashRansomware

    Filesize

    48KB

    MD5

    c8da833f7c8dd2a27ec971a6483d37fe

    SHA1

    62e8099b27a90c645056035402fe8669fa0a2721

    SHA256

    e171bf7fe94f44ece2493f229a567293f4b931cb9f2b95c97c53c666c6a23695

    SHA512

    f2c5e83f4d66fc13b57f6bafff5f13a4dfea41ce0f601f3fb33ac57d2dee33f3afa7472d32915c48ac6dc95a410a0f13f71ee51129008f22145df06847f8ddd0

  • memory/3000-0-0x000007FEF4E63000-0x000007FEF4E64000-memory.dmp

    Filesize

    4KB

  • memory/3000-2-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

    Filesize

    9.9MB

  • memory/3000-1-0x0000000000EB0000-0x000000000115E000-memory.dmp

    Filesize

    2.7MB

  • memory/3000-1206-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

    Filesize

    9.9MB

  • memory/3000-1207-0x000007FEF4E63000-0x000007FEF4E64000-memory.dmp

    Filesize

    4KB

  • memory/3000-1208-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

    Filesize

    9.9MB

  • memory/3000-1209-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

    Filesize

    9.9MB

  • memory/3000-1210-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

    Filesize

    9.9MB

  • memory/3000-1211-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

    Filesize

    9.9MB
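Every dropped file above keeps its original name with .CashRansomware appended, which makes the extension and the name pattern the hunting handle on other hosts. The script below is an added example, not part of the report, that walks a directory tree, flags files carrying that extension, recovers the original filename, hashes the content in one pass and checks the SHA256 against the hashes listed above (REPORT_SHA256 is copied from the Downloads list). The demo tree, its file names and its contents are constructed placeholders.

```python
"""Hunt for the encrypted-file artifacts from the Downloads list on a host.

Added example, not part of the sandbox report. The demo tree and its
contents are constructed placeholders; REPORT_SHA256 holds the SHA256
values of the dropped files listed in the report.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

ENCRYPTED_EXT = ".CashRansomware"

REPORT_SHA256 = {
    "49b37352a5a7924b573d7eef218729c897cb938b0b422dfe93723571ea74b9b6",  # Chrome shared_proto_db\CURRENT
    "a71c8e4a8b6f3355db97697d0036e93b1f1f3e58d4f98a23ab60d313607f863d",  # Chrome ShaderCache\data_2
    "717478b3a7816352267f191df8ae8ab52147d81031a9d2fcb7cbbb9388a78c5c",  # Feeds Cache desktop.ini
    "fb30aae92bfa0d4e78e5da778322f014ff2666df34ed890b8a54212c87410af9",  # MSNBC News~.feed-ms
    "4c4c4e3d16fe6b426c216285c343488fd06372eead77351f2c6a71c4695fe863",  # IEDownloadHistory\container.dat
    "e171bf7fe94f44ece2493f229a567293f4b931cb9f2b95c97c53c666c6a23695",  # Firefox idb\3561288849sdhlie.sqlite
}


@dataclass
class Finding:
    path: str
    original_name: str
    size: int
    md5: str
    sha1: str
    sha256: str
    known_ioc: bool  # True when the SHA256 matches a hash from the report


def hash_file(path, chunk=1 << 20):
    """Compute MD5, SHA1 and SHA256 in a single pass (encrypted files can be large)."""
    digests = [hashlib.md5(), hashlib.sha1(), hashlib.sha256()]
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            for d in digests:
                d.update(block)
    return tuple(d.hexdigest() for d in digests)


def scan(root, known=REPORT_SHA256):
    """Return a Finding for every file under root whose name ends in ENCRYPTED_EXT."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(ENCRYPTED_EXT):
                continue
            path = os.path.join(dirpath, name)
            md5, sha1, sha256 = hash_file(path)
            findings.append(Finding(
                path=path,
                original_name=name[: -len(ENCRYPTED_EXT)],
                size=os.path.getsize(path),
                md5=md5, sha1=sha1, sha256=sha256,
                known_ioc=sha256 in known,
            ))
    return findings


def demo(known=REPORT_SHA256):
    """Build a constructed profile tree with one encrypted and one clean file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        hist = os.path.join(root, "Roaming", "Microsoft", "Windows", "IEDownloadHistory")
        os.makedirs(hist)
        # Placeholder bytes standing in for ciphertext; not the sandbox's file content.
        with open(os.path.join(hist, "container.dat" + ENCRYPTED_EXT), "wb") as fh:
            fh.write(b"abc")
        with open(os.path.join(root, "Roaming", "clean.txt"), "wb") as fh:
            fh.write(b"untouched")
        return scan(root, known)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.original_name:<16} {f.size:>6}B sha256={f.sha256} known_ioc={f.known_ioc}")
```

Expect known_ioc to be False on real hosts even when the extension hits: ciphertext produced on another machine will not hash to the values from this sandbox run, so the content hashes serve to confirm you are looking at artifacts from this exact run, while the extension and the preserved original filename are the indicators that travel.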