Overview

overview

10

Static

static

1

e.rar

windows11-21h2-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-05-2024 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e.rar

  • Size

    5.5MB

  • MD5

    03a72a36ec1a2c7012b0518f93b86835

  • SHA1

    4d0b4b6307ff9206422be555d090f746d3038d2a

  • SHA256

    6be46618824bb0582789cfb6b37b80c9bb220079ea90cded22826ca68b35fa64

  • SHA512

    d1bc3b1871b85e756873d8b05a485f88b6ad7a2f2b242f71a525b2cab271f71f2e072204a63cae260d8febbef1d35c3b4aba44932b64f57db09075f8227a62b5

  • SSDEEP

    98304:ZtlOZm+7rK63WaQwzYgQWKBmwVTH3x+eKtiCmYnzFdnAXfVs2D8qCK:7lO8+vKUZxzUWKBmwdXxEiYnzUl8qCK

Score
10/10
zgratratspyware

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\e.rar
    1⤵
    • Modifies registry class
    PID:3412
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\e.rar"
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO88CB8947\README!!!!.txt
        3⤵
          PID:3228
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\BLACKSOFT.rar"
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4672
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4572
      • C:\Users\Admin\Desktop\New folder\Blauncher-gj.exe
        "C:\Users\Admin\Desktop\New folder\Blauncher-gj.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3908
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2396

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
        Filesize

        14KB

        MD5

        e1e2880ba7cf5e2a2b4b3eca526d7d9d

        SHA1

        4b2b85e675c1e9414c8cb8d17469a1d615341eb3

        SHA256

        5ade0b57a9c632ffffa9bb88789dab5b144f8cdf1554419f0100cbea70384459

        SHA512

        175d05b2efdb1cf63882a529be752927e7c4db4286de9f5affaff28ac4f8ef117aa6aa7f8a07dac6471a2ee5f475d22e15753749516a78c700d6d1fd2cb62ce7

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
        Filesize

        14KB

        MD5

        d1c30d5a0ebd4da4efe12dbf2efe2bde

        SHA1

        ca76b31a8241aec7e0888c40cd868dfcd84861ac

        SHA256

        38ed1565002c15b3e4754f75f6cacb64edda3664a0336f3f1304f2fbfd1b03e5

        SHA512

        4276c76038b75771bda90379fdeaa4cea8982dccbb92f648ae3284cab13b4f288edd389ad9acf59c17b8d0b601d31ab024b2d97e73b53330e0ac417b87541815

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7zO88CB8947\README!!!!.txt
        Filesize

        132B

        MD5

        311ae7932812f4db048b050c90aee4a8

        SHA1

        80df91826d27ee375507adf065c4991577ab647c

        SHA256

        fa4d748999e013ad9981bf5798de85c63acbe121909aba1057c64de2e2a3590b

        SHA512

        8fffd640b6240e42b911babd07d9093eeff0e31f5781a91e01e56d884f16e0408caee9fc746393e08f5677d0192ba2f5a5836065b856e035529c1d9b682b7f20

        Download Submit
      • C:\Users\Admin\AppData\Roaming\d3d9.dll
        Filesize

        469KB

        MD5

        2bc9e1a18730ece391a1a0b1be7b6ca3

        SHA1

        cc86e4d67eaec2c3ea61ded7f48b60dfe52dbcf6

        SHA256

        fe96363141c5a3ae0c2d6006c9681bde894dc742688980d356d072396891a81a

        SHA512

        17a0ea4343b419e3ecbecc03482ff45f6b4a9934a141d591ec0277ef0c8922800eccf8ca473be4c851c6e2dce996f7489f7e1ff65e76fac43a4493ddd1c6d4dd

        Download Submit
      • C:\Users\Admin\Desktop\BLACKSOFT.rar
        Filesize

        5.5MB

        MD5

        be932b62260eaafae6e10a36d55f9b91

        SHA1

        a251db4aee1d8a9444ecc59493f8794daf69fdc0

        SHA256

        8258b4d438d9f2ac2cf3cff29e1f59fdcfae8436e1cfbcd4c811b260514121dc

        SHA512

        bee8059076a70b5e3fb2d39d8672532d20c3acfb2a7c8124ed46fae4b135c0579f4ce37b82d6c7b15f5554c9c28720ce85ee5945de5f252e24fd4ff77486dfeb

        Download Submit
      • C:\Users\Admin\Desktop\New folder\Blauncher-gj.exe
        Filesize

        2.8MB

        MD5

        aca157c3b70c7608939d04b9aeca082a

        SHA1

        d14875764772b8d9b9e9bf21d8129ee602f40114

        SHA256

        3759ca6c6085cceda0ac1f6bb3bfa3c3fec62b3c4d487fa532bbf0e51c8be01f

        SHA512

        946ef4bf50b92beb57520319792b9ae588655d36dbddfad6c2c15b7d2f948d21d79042a94c653c7c7afa253e8725d2692ca94e9500e16f78da1255fda79c66ab

        Download Submit
      • memory/2396-62-0x0000000007C40000-0x0000000007C7C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2396-60-0x0000000007CB0000-0x0000000007DBA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2396-54-0x0000000000500000-0x0000000000562000-memory.dmp
        Filesize

        392KB

        Download
      • memory/2396-56-0x0000000004FA0000-0x0000000005546000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2396-57-0x0000000004AD0000-0x0000000004B62000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2396-58-0x0000000004B80000-0x0000000004B8A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2396-59-0x0000000008140000-0x0000000008758000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/2396-68-0x0000000009B10000-0x000000000A03C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/2396-61-0x0000000007BE0000-0x0000000007BF2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2396-67-0x0000000009410000-0x00000000095D2000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/2396-63-0x0000000007DC0000-0x0000000007E0C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2396-64-0x0000000007F30000-0x0000000007F96000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2396-65-0x0000000008860000-0x00000000088D6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2396-66-0x0000000008110000-0x000000000812E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3908-47-0x0000000000C50000-0x0000000001076000-memory.dmp
        Filesize

        4.1MB

        Download
      • memory/3908-48-0x0000000005590000-0x0000000005591000-memory.dmp
        Filesize

        4KB

        Download