Overview

overview

10

Static

static

3

2ce10fcd4e...36.exe

windows7-x64

10

2ce10fcd4e...36.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-05-2024 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ce10fcd4e165a82a76f77d1f661fa36.exe

  • Size

    2.3MB

  • MD5

    2ce10fcd4e165a82a76f77d1f661fa36

  • SHA1

    a3ffe8a330d9e2128172b74dd76f0a31060c0e1e

  • SHA256

    21015dd4a12034f48c1432acbf1149131a3dd1412f4b8426ec7273d95dc19da6

  • SHA512

    f2ed5af0ba9173d483943d7a3761ae2419232ec52980597dfc7ef9c79516297fd2df63970528faeed14f642fb1dbc00114d659068c33cc619ff70583da0bc818

  • SSDEEP

    49152:eOtTYNB84W4Vjms6VSSiht/zAKq4uhL61/I+C62w3/MLfQyTIUhlLY/EDZ50R:eOtTYzfVv6VSSEt/z7qfL6e+HaIez0Ee

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 4 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ce10fcd4e165a82a76f77d1f661fa36.exe
    "C:\Users\Admin\AppData\Local\Temp\2ce10fcd4e165a82a76f77d1f661fa36.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe"
      2⤵
      • Executes dropped EXE
      PID:1192
    • C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe
      "C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\comDriverinto\yqpI0X0JgApYgtlSsocRWTSVHRK.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\comDriverinto\ucUiAXPN2zx9bZrTcu4WHQVTQZueYbZneVkQGpMslSdQ.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\comDriverinto\HyperPortsavesmonitor.exe
            "C:\comDriverinto/HyperPortsavesmonitor.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ReZRYzVGh.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1364
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:1348
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • Runs ping.exe
                  PID:2424
                • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\HyperPortsavesmonitor.exe
                  "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\HyperPortsavesmonitor.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3016
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\HyperPortsavesmonitor.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1200
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperPortsavesmonitor" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\HyperPortsavesmonitor.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:640
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\HyperPortsavesmonitor.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\comDriverinto\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:712
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\comDriverinto\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:604
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\comDriverinto\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2972
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1244
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\comDriverinto\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\comDriverinto\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2260
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\comDriverinto\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2276
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:592
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 13 /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1088
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperPortsavesmonitor" /sc ONLOGON /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2064
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 8 /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2172

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4ReZRYzVGh.bat
      Filesize

      217B

      MD5

      9b342bcc51a446ca9b40de21c39522e3

      SHA1

      d030093f6755c23a4ef4b204bf732877b79532fa

      SHA256

      efa43c6f6f9b38a4896bbb5ae6b0628e36dc8643ddf1f859b83078a46f722409

      SHA512

      225848ccdb1059e078a52c0ed319ec1c944894bca120e5dd0e6c8da15e635cb02ba8dff8a553c18cf4eb66d2aab1370a965429adc6783630e49419bb4c6927b1

      Download Submit
    • C:\comDriverinto\ucUiAXPN2zx9bZrTcu4WHQVTQZueYbZneVkQGpMslSdQ.bat
      Filesize

      85B

      MD5

      97f25de6d41811f5f69377a04cfa76c7

      SHA1

      e1ff3b69aa65bbf38b49bf3972f739c0af5f6805

      SHA256

      caf5baa2d2e1705ecae3aa9e95212d2cde2141161defa5e19b7aa9fda05575f4

      SHA512

      d4af223a7e438d596655cdb1e4189792cf685b9c02f8e5ae0290eabbe29972d1182daaa98d39abf803d1e41b6eefa671d2ae3f051568cfba6adaaa77b8ad74eb

      Download Submit
    • C:\comDriverinto\yqpI0X0JgApYgtlSsocRWTSVHRK.vbe
      Filesize

      236B

      MD5

      4ef5f91cd4fabd32da27992dacfc6ad6

      SHA1

      e6aae689706c107b9b6ff58e474df1d3fe1f16ff

      SHA256

      fc9b4a6b7b877ee52d56c5b1440de893d1b2bce5fbdf96c6233274af24a2cea7

      SHA512

      bc1698dc036031250e9dcb9c0d7b87271b1dc15fdaf63ef991aab195cdf9fe4056b2a4a164f46346cb9bfe63aa6c458555de43c9c96945f0f5752d983b1536b6

      Download Submit
    • \Users\Admin\AppData\Local\Temp\Cheat.sfx.exe
      Filesize

      368KB

      MD5

      e56343f2eb88fef62d4cf5df0a2c7734

      SHA1

      21f1b3a3dcbc29388bb72bc7aa7fc4ce654c6135

      SHA256

      d3e4275fe34ac20bb9d3c53e9971d2a21ba8f7ec5dc8b943c1a52edb2aa0f1ea

      SHA512

      b56053c8f0f86ee235cce13601000ed31622b87a5b5b6ed7e723b94bc4a9281918feccbab1f99d827187982ad4d5de2eafb02dd8d6dd179b49e2e029eeef4f32

      Download Submit
    • \Users\Admin\AppData\Local\Temp\tzidRecG.exe
      Filesize

      2.3MB

      MD5

      92a0909017b45d6498197b1b817e9303

      SHA1

      bc8a0aad4e4f3e6ddbd816a98873b24ba22bf502

      SHA256

      71fcb54017a98fe981d8b725891371518878e684acc63ca9c81f284f5e4b6e23

      SHA512

      b59ae5bd68f1ef934dbba306312c288f1e81b744cf717cff4a529f7b2ed779cd4f85d85e77b0589d1971d42896b8523b495ae1d81921d75cb7df43308940a021

      Download Submit
    • \comDriverinto\HyperPortsavesmonitor.exe
      Filesize

      2.0MB

      MD5

      75da1def0cb2b50f387441c2ebed4120

      SHA1

      7eca930b9afe2bf57ab9a3e546cc9969d4e5dce7

      SHA256

      2edf5f9fc75dc5cc293db94f337b66524386b0a4d1fd6e56f3d7ad30963cc790

      SHA512

      adc14364c6e6d614f2a92b7094cced4ca247f96a27844c6601b3f2519de72d3215bb3335eae095363dd82edc2a3ff31b631c61df272c8cf023f72f8bcce737e1

      Download Submit
    • memory/1192-40-0x0000000000DA0000-0x0000000000E02000-memory.dmp
      Filesize

      392KB

      Download
    • memory/2712-50-0x00000000009F0000-0x0000000000A0C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/2712-48-0x0000000000420000-0x000000000042E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2712-52-0x0000000000430000-0x0000000000440000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2712-54-0x0000000002040000-0x0000000002058000-memory.dmp
      Filesize

      96KB

      Download
    • memory/2712-56-0x0000000000440000-0x000000000044E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2712-58-0x0000000002200000-0x0000000002218000-memory.dmp
      Filesize

      96KB

      Download
    • memory/2712-60-0x0000000000A10000-0x0000000000A1C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2712-46-0x0000000000A30000-0x0000000000C38000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/3016-79-0x0000000000F10000-0x0000000001118000-memory.dmp
      Filesize

      2.0MB

      Download