zgrat | 57e1f6b17381fa0659b19afdfa944a11205caae6556006f00bae5f6e39cb15d6

Analysis

max time kernel
191s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 11:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a22f38c26dc96fa285efd4c0732a22e9bb81b105ad65c75c609a478dd551ac13.exe
Size

628KB
MD5

1173a1f0469d241b02c1d57dc29cdf4d
SHA1

b789fd20e546ce3da045f30ae4ca5d02f260cc68
SHA256

a22f38c26dc96fa285efd4c0732a22e9bb81b105ad65c75c609a478dd551ac13
SHA512

ca7fa41e3fe0812231ffdaad853534327bbad987c31b7431debc17a2ee042fab1339d01d8a1ba5cc054248e4276337bf3cf770a6862fc001f36bc50af1934498
SSDEEP

12288:i8VYM4g/lRdZYbcyqeI9ZPH7H7sxIhDJsCeuR8mmTKfut:RB3RvGoJHEkNsPuKmmT

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3640-1-0x000002243B690000-0x000002243B790000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	a22f38c26dc96fa285efd4c0732a22e9bb81b105ad65c75c609a478dd551ac13.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a22f38c26dc96fa285efd4c0732a22e9bb81b105ad65c75c609a478dd551ac13.exe
"C:\Users\Admin\AppData\Local\Temp\a22f38c26dc96fa285efd4c0732a22e9bb81b105ad65c75c609a478dd551ac13.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3640-0-0x0000022421140000-0x00000224211E2000-memory.dmp

Filesize
648KB

Download
memory/3640-1-0x000002243B690000-0x000002243B790000-memory.dmp

Filesize
1024KB

Download
memory/3640-2-0x00007FFA405F0000-0x00007FFA410B1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-3-0x0000022422F60000-0x0000022422F70000-memory.dmp

Filesize
64KB

Download
memory/3640-4-0x00007FFA405F0000-0x00007FFA410B1000-memory.dmp

Filesize
10.8MB

Download
memory/3640-5-0x0000022422F60000-0x0000022422F70000-memory.dmp

Filesize
64KB

Download
memory/3640-6-0x0000022422F00000-0x0000022422F56000-memory.dmp

Filesize
344KB

Download
memory/3640-7-0x0000022422F70000-0x0000022422FBC000-memory.dmp

Filesize
304KB

Download
memory/3640-8-0x000002243B790000-0x000002243B7E4000-memory.dmp

Filesize
336KB

Download
memory/3640-12-0x00007FFA405F0000-0x00007FFA410B1000-memory.dmp

Filesize
10.8MB

Download