Analysis
-
max time kernel
259s -
max time network
255s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
14-05-2024 11:30
General
-
Target
Loader.exe
-
Size
348KB
-
MD5
11f654abf3ca9b28cb249e98b804a980
-
SHA1
bd08373ada451d494b94067f3d68c830f9563e02
-
SHA256
93fff33d2e1adb0f8fe56338727c0074cab763fc9018ae18884e2ff1c95a6df0
-
SHA512
f6b97936361a3e9e763d875a6516ce4992d313866b0ce8ba23356c55aca9fda4184fbb37f4723990ac419f1f13b5c4a361a6905e522408008f6b4d0162883de2
-
SSDEEP
6144:o6IgLSq6ucXCJq7KPx/AuBshtZFDG5YorToy4d96r:QgLNF6fZFDGSovSzC
Malware Config
Signatures
-
Detect ZGRat V1 5 IoCs
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 10 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Checker.exe"C:\Users\Admin\AppData\Roaming\Checker.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f5⤵
- Modifies registry key
-
-
C:\blockcontainerWincrtdll\Sessionperf.exe"C:\blockcontainerWincrtdll/Sessionperf.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kob43vet\kob43vet.cmdline"6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES472E.tmp" "c:\Windows\System32\CSC80CE99B1922F4E16B21752D98B44FB54.TMP"7⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\Idle.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\taskhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\wininit.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\Idle.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AK04JJGLgh.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
-
-
C:\blockcontainerWincrtdll\Idle.exe"C:\blockcontainerWincrtdll\Idle.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\blockcontainerWincrtdll\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\blockcontainerWincrtdll\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Branding\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\blockcontainerWincrtdll\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\blockcontainerWincrtdll\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {FFFCDD30-AC25-4931-932E-C8CF620A4AE5} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\conhost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
163B
MD563c6c2c647f40a7d542e600cfe5d3d20
SHA17ccca841a05a312ba63447eceb50e010044136c7
SHA2569d46ba05181f968fe9a9ab95a643bea7a343cfe69c7c24c573de2b548e92bf46
SHA51203a9172986c0ce5f319362e9a9d0a98fd20fa222f9fcd7a1b07603651dd12c9cfda71e766a90b25dfc1f555866d102ce0ea90285296e23fa7fc9352038092f8b
-
Filesize
1KB
MD5d756d8586c1f04d20710228004408081
SHA13b943042fa56cc14facfb3afc79ffb1bb64f5c3a
SHA2560ea2cc6de8e930781458bbf7a421e581994d0a60c6502287250bc34af1328c9e
SHA5123596480f2c087e0797ff24fbc873e5bb2d4ad4cffe4138c0fb210d0199be8aa78e7f0b165665c0965c55fd5dc32268a61826e0ed04d586c95e52a64acfa04816
-
Filesize
3.9MB
MD51003b37d9d942d41a38a83670eaa285c
SHA1a4ee7ef69fc681caf1116d59578667abb9080ad6
SHA256d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae
SHA5120c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a
-
Filesize
7KB
MD5486ed656b41acf1770f9e6ec5959d50c
SHA15493225e375536f84b35368c50bba9cad5a3067c
SHA256476173b428a910e0ced5ff5545af2fb476b29007694633e054e174b525c67c63
SHA512b14b6f5811646467baee2cd759d4be49d57927efab2dc5b4dbbf55e4931edebf4a1c59be9169c7327f04cd06d00c7bbdd26dc8c97341fe9680757a33c29df07e
-
Filesize
228B
MD54f702b152f4098393712e3fe99b04fbd
SHA1fec2f913e1fac5053127e175f1ba048c9d8dd25c
SHA256f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2
SHA5127c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf
-
Filesize
201B
MD5159297f9e35114bf97d74622097780d8
SHA12aaaf993b9ecb9bae43ccd41585734512ff08355
SHA256650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81
SHA512a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69
-
Filesize
361B
MD5338484b71ab362e55a216c6d15955772
SHA18bb00f7e60795773aadf30a9d68e280ccf48396d
SHA256065e7ff6692b96a4e88d6d686a022d5d9a25e88a3b945f3507cef163b7f34fdd
SHA512637ba3aa23cbde8e677238a44e4f84bf11ca5420781611274a87448484f67d4e24906ed63cf5178c66d728d5b424bf748b5d44e79f799533e266286297951ef9
-
Filesize
235B
MD5a583fd83c2665bf2fe4624b4374598c6
SHA1d8e84abd1557f8a48800bda5d0899790405b6154
SHA25629f0ebbbf6a05b537571573f1f52923f20a2d63ac803cf19883fc6f87b7da4a6
SHA512322680389ea2f817604475c92e674a57f135e54c185677a8a94f77c4b3981700b516149feab9688849f33d50ed36298179266f9a3c1ded8c4139ccb35ae9186c
-
Filesize
1KB
MD5707f3ae17d1443518c14e3d57f6b0fa5
SHA178ac15700b932222fa2ce60142966a1716c90838
SHA2561fafc870513c7e90d1f2569dd473478821fb4798e8eb51e1f8a1620b3bf29aea
SHA512ac3805f209da253c7eb6758d472a7c6a084392594a4dd7389dc926181933f9333fa0a74d7f749bc7ecb0b901afa5cad91d64d62989122acd3f4b583c3a4e2c9f
-
Filesize
3.6MB
MD5bf0f63bb48eb95aaec6fc6a001c974ce
SHA119baab2b0c129ecbd6a1aa21bada3e2e5cdd1136
SHA256bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc
SHA512130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c
-
Filesize
2.9MB
-
Filesize
3.6MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
376KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.6MB
-
Filesize
88KB
-
Filesize
312KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
360KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
152KB
-
Filesize
3.6MB