Analysis
-
max time kernel
199s -
max time network
185s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
13-08-2024 16:11
General
-
Target
https://github.com/GypsySynapse2/Calamari-SynapseZ/releases/
Malware Config
Signatures
-
Detect ZGRat V2 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/GypsySynapse2/Calamari-SynapseZ/releases/1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcf0bc3cb8,0x7ffcf0bc3cc8,0x7ffcf0bc3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,10144563502129637466,9267824017344603235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Calamari\Calamari.exe"C:\Users\Admin\Desktop\Calamari\Calamari.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004EC1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5d30a5618854b9da7bcfc03aeb0a594c4
SHA17f37105d7e5b1ecb270726915956c2271116eab7
SHA2563494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8
SHA512efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77
-
Filesize
152B
MD503a56f81ee69dd9727832df26709a1c9
SHA1ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b
SHA25665d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53
SHA512e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781
-
Filesize
1KB
MD53432381e7fbfa200794ee2754f97cb37
SHA17dd2b792b2bc30375ed620d27f59ba4384f0b057
SHA256132437d9933a1b3167f909c8e306bbd14f409466d3bb265236fcebf79f0272e2
SHA512ba334ac119a199f41df6be98e8d099cfe3844a729372c8c5618554f30842e602845dfdcab45116e93b01fd6dca2a2942afcf6885a2eefc5a515a0952d8dc6da1
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
496B
MD5ff997c70b1eee82d85b8a660841281c9
SHA126cd27f0cf62de21d22369b051cf94acce31a639
SHA256f1401e201ffee75f1d7f5ee4a7cd20de72e09c3159d876951ff5570a74fae971
SHA5124021baa43fa902519445649b9ee7162fdd5c22d9af1017b6d038be84005296c170ad89faa4d9da0e24d0976f4b15d7818045c2e79fbad10d5002a2d5ced2bf3e
-
Filesize
6KB
MD5d326f472b936f40128d500b78c98fcdd
SHA1ad24722aebe5bfeed0958a1be5b1b67963b77558
SHA256236c1b02be6141ac79937482f0dffee78c845ebdb20a771d8f736446fdbdad05
SHA512a78826944fc33dc7a1af5c230dc24464a45591bbf9b0b76bd59af93666cb53c0a0e0e079c0ea373f69e87c79e5684ee9e3081566270dbc527eaf18b67cb4da9f
-
Filesize
6KB
MD5ea3024391ee17933a848c2a59146bd20
SHA17055c690e5de39a8cc97fc982990a5aca5b142a7
SHA2561be90f53c25a54430457500386ed3c8d951f0d778a9dd368982cb909b185d051
SHA512fbf94955bb161471559f78d3d1b28df480ec6b3dbe65e3fa839272e225544e97aa1e0edc0f9a35f79ac5e0a360a0958ce7570c75eddb51516ea72776ad8e1fa7
-
Filesize
6KB
MD558a59bd6347dacb23787d8edbf45ec5a
SHA117e71c328cc3813d9663b7c58db2f9c502ab7dde
SHA25698cb3b15a924647fd721c3fc8d53b4306af567cccf05e1ebda31d7677a5982f8
SHA512db3e63d7481ae2fcf4ecfc445def2258d3abc630450e0dcf5cb08d093fdd78123901ca9d58d44219c97bc789223d42d4b50b209a6c5836152b592fb4be92fed5
-
Filesize
874B
MD5132fe3dfd9b0d44718b81e25e25e1368
SHA165311fd51465fa444460c83b8b542d3edf1b0185
SHA256135ae5b602785b4b708c3f0d3db0cccc666bca80a5843dd581490b3a0e774f0e
SHA5122282db14bcb0fd35e8b958074c4136af53d9ed2e8c139edf917fa4c4b8b6c1db6f274127e41d5234f733b02f10dfbd6f9817be92f5c075a7793e98388e481289
-
Filesize
874B
MD5dcb70489e7223575ec8b9fca731669b4
SHA1afa4b8a59989c49f9e686773941f5ff6645e53ca
SHA2565764eda21d852636d1085359e24ebb7f797e9846d0c64aff6fb827b9941dfe8a
SHA512f7a25a9296ec32e190140bdf6b2712fd3de6904f6a36cdc2a3c1945cc0c347c77b8ac5a6833f7c7bd3cbad140d06d53fd61fecb8a37e9baf7419befd6b089765
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD57f5bf5e6d5f162d1c36faa979a9a7b08
SHA12a7845a2491eb99bf3b3a5d7ab9115148c039dbc
SHA2562bd1a2fa69c369d9727a4e1f9a1e3f3f0236076cc57920cb36a4bf9c84801952
SHA5121415440d011307247bb30f9b90347e69f4316ca6aa85487340ea609432cda4c2b8af0d84d5cf789a52503926c27be38102466bb2c99c842370e6e6ea1a8c1f71
-
Filesize
11KB
MD521d376efb1dd8b9cf7af14248652bb5b
SHA13f196b5cffe86e65b1bba717896130b4edf07a18
SHA2561a507c4e5079b2ce085188b11fc168f294eeac93b4aeca67348efa0f5be941a0
SHA512bfa7fa8c3cd637e7ef2af8f04ad9827171265b6048aa94fed03e2527bdf7c751f13bf803c01d7479e90a2b1c8c65fcaf455a684a8f278596267e860b6c220425
-
Filesize
384KB
MD55c44e27b856db169635881ba67aaa0e8
SHA13f0d99399500f29c51d4a560d960b27710ad6f2d
SHA256461f4f10b8436d6f697fda640aea96a572f0efbbad15a0cca4a6f147dea4891a
SHA512c7b87d16fee058e95d76ec524e311a7034ce7d90faabe050d380bbffa8382b12bd198db987b652998b6ba1ac72c6deef9de83a44a7d5864a2fef551a8170982d
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
943KB
MD52ff7acfa80647ee46cc3c0e446327108
SHA1c994820d03af722c244b046d1ee0967f1b5bc478
SHA25608f0cbbc5162f236c37166772be2c9b8ffd465d32df17ea9d45626c4ed2c911d
SHA51250a9e20c5851d3a50f69651bc770885672ff4f97de32dfda55bf7488abd39a11e990525ec9152d250072acaad0c12a484155c31083d751668eb01addea5570cd
-
Filesize
5.8MB
MD55321acff16bbe68a2942c9c655f9e4fc
SHA156f82061cb7d044c89470c01e7805cb2365c0bb9
SHA256e232359fdbaa1d46dcf56a5715a0ba4c700c93fb310f551a4a3afa912afdaed1
SHA512affb725177d76f3f8f86660f690e0d87a1a52198594334600d5c8b4a1653d6af83caaa74998e1b6c8a0e0891395acd2286cd03ecea26ea7b94694eac35279910
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
176KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
32KB
-
Filesize
1.3MB
-
Filesize
5.6MB
-
Filesize
888KB