Overview

overview

10

Static

static

10

0e77c7eaf2...a3.exe

windows7-x64

10

0e77c7eaf2...a3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    15-05-2024 04:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e77c7eaf29e7cc81d6a5870545509a3.exe

  • Size

    2.0MB

  • MD5

    0e77c7eaf29e7cc81d6a5870545509a3

  • SHA1

    e56496e200c3246c149b41bd826b9e762fa5e534

  • SHA256

    64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e

  • SHA512

    bf85986eb8b47fc7211a6b6b48121ae0de6718c73612a4059f3bf8570a47b5848a0619c056a9b55df2760f2c5e5f30ca5a19a5d091750af8ad7bb81c5f015e18

  • SSDEEP

    49152:R6K39H/NzGjGzMErFiEntNARL3AVtsk53gEdMJ9O:R6KnjrLntNAR2tPfO

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e77c7eaf29e7cc81d6a5870545509a3.exe
    "C:\Users\Admin\AppData\Local\Temp\0e77c7eaf29e7cc81d6a5870545509a3.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zoxTJ3GdPP.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2704
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:2692
          • C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\spoolsv.exe
            "C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\spoolsv.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2520

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\zoxTJ3GdPP.bat
        Filesize

        236B

        MD5

        c6bae80c3ad87fa76fc1eaafab4126ee

        SHA1

        a0a2dcc2a4bfe53412e1bbf6aa1caa7b9437a70e

        SHA256

        901a518c7780baf47851875fe493358a1d23dedff85272ccabe760120e0440f5

        SHA512

        7bf4b77156a45ab98d30b59887f3f4e7069e4945eec02d3380a12d92c3f1b56f8aca4f45bf3096f1bc0b5a51a52d1623c5ae1aeff235cad3876c7588831752a8

        Download Submit
      • C:\Users\Default\System.exe
        Filesize

        2.0MB

        MD5

        0e77c7eaf29e7cc81d6a5870545509a3

        SHA1

        e56496e200c3246c149b41bd826b9e762fa5e534

        SHA256

        64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e

        SHA512

        bf85986eb8b47fc7211a6b6b48121ae0de6718c73612a4059f3bf8570a47b5848a0619c056a9b55df2760f2c5e5f30ca5a19a5d091750af8ad7bb81c5f015e18

        Download Submit
      • memory/2188-13-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-18-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-4-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-6-0x0000000000440000-0x0000000000466000-memory.dmp
        Filesize

        152KB

        Download
      • memory/2188-7-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-8-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-10-0x0000000000410000-0x000000000041E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2188-12-0x0000000000590000-0x00000000005AC000-memory.dmp
        Filesize

        112KB

        Download
      • memory/2188-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2188-3-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-21-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-20-0x0000000000430000-0x000000000043C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2188-22-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-23-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-17-0x0000000000420000-0x0000000000430000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2188-15-0x00000000005B0000-0x00000000005C8000-memory.dmp
        Filesize

        96KB

        Download
      • memory/2188-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-39-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2188-1-0x0000000000A00000-0x0000000000C0E000-memory.dmp
        Filesize

        2.1MB

        Download
      • memory/2520-43-0x0000000001320000-0x000000000152E000-memory.dmp
        Filesize

        2.1MB

        Download