Analysis

  • max time kernel
    435s
  • max time network
    437s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-09-2024 10:42

General

  • Target

    https://github.com/GypsySynapse2/Calamari-SynapseZ/releases/tag/release

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V2 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/GypsySynapse2/Calamari-SynapseZ/releases/tag/release
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4612
    Child processes:
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9b2b7cc40,0x7ff9b2b7cc4c,0x7ff9b2b7cc58
      PID:4928
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,10367880099014440864,2022482134689764067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1804 /prefetch:2
      PID:972
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,10367880099014440864,2022482134689764067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:3
      PID:1724
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,10367880099014440864,2022482134689764067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2408 /prefetch:8
      PID:4824
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,10367880099014440864,2022482134689764067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
      PID:952
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,10367880099014440864,2022482134689764067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
      PID:3700
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3664,i,10367880099014440864,2022482134689764067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4652 /prefetch:8
      PID:716
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,10367880099014440864,2022482134689764067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4932 /prefetch:8
      PID:2796
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    PID:2068
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID:4448
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Calamari\" -spe -an -ai#7zMap18592:74:7zEvent31907
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:224
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:448
  • C:\Users\Admin\Desktop\Calamari\Calamari.exe
    "C:\Users\Admin\Desktop\Calamari\Calamari.exe"
    • Executes dropped EXE
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3324
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x470 0x508
    • Suspicious use of AdjustPrivilegeToken
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads
