zgrat | 871978fb97af5fca44a98714b79a3e86dfdb468eed6980dadc7f2bf7e5bf1aaa

Resubmissions

06/11/2023, 19:37

231106-ybwfxadf81 10

06/11/2023, 19:33

231106-x9tjjadf4z 10

06/11/2023, 16:18

231106-tr58tscc9y 10

Analysis

max time kernel
126s
max time network
131s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1106-06-Zgrat.exe
Size

7.5MB
MD5

f86edaaf9c119e2dbe9b58c4307842a5
SHA1

1c28fe601d25f3df520d62f82940b1fa61813433
SHA256

cf004015f5e10ab40a8bd7d3994e53ab17264e41ddec6cacea849e1f630cc21c
SHA512

993540f0b6d004cf193b154cd43b2f55704e84020a2a0fff14987ee3659deb652749fa7d835cd644c0117bdd355ce8a5f5162ec991c8d7bee29c4c00a93df85d
SSDEEP

196608:PrkiyCGE2FTbUbYtprkiyCGE2FTbUbYt9eJhho0Zvvh4toep:DbNGRU0bNGRUrLo0Zvvh4Gu

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral11/memory/1964-0-0x00000000013A0000-0x0000000001B26000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral11/memory/1964-0-0x00000000013A0000-0x0000000001B26000-memory.dmp	net_reactor

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	1106-06-Zgrat.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	1106-06-Zgrat.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main	1106-06-Zgrat.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	1106-06-Zgrat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\1106-06-Zgrat.exe = "11000"	1106-06-Zgrat.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1964	1106-06-Zgrat.exe
1964	1106-06-Zgrat.exe
1964	1106-06-Zgrat.exe
1964	1106-06-Zgrat.exe
1964	1106-06-Zgrat.exe
1964	1106-06-Zgrat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1964	1106-06-Zgrat.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1964	1106-06-Zgrat.exe
1964	1106-06-Zgrat.exe

C:\Users\Admin\AppData\Local\Temp\1106-06-Zgrat.exe
"C:\Users\Admin\AppData\Local\Temp\1106-06-Zgrat.exe"
1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-0-0x00000000013A0000-0x0000000001B26000-memory.dmp

Filesize
7.5MB

Download
memory/1964-1-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-2-0x0000000000E40000-0x0000000000EC0000-memory.dmp

Filesize
512KB

Download
memory/1964-3-0x000000001CEF0000-0x000000001D10E000-memory.dmp

Filesize
2.1MB

Download
memory/1964-4-0x000000001D610000-0x000000001D816000-memory.dmp

Filesize
2.0MB

Download
memory/1964-5-0x000000001D820000-0x000000001DA26000-memory.dmp

Filesize
2.0MB

Download
memory/1964-6-0x0000000000F30000-0x0000000000F7C000-memory.dmp

Filesize
304KB

Download
memory/1964-7-0x000000001DA30000-0x000000001DC0D000-memory.dmp

Filesize
1.9MB

Download
memory/1964-22-0x000007FFFFEC0000-0x000007FFFFED0000-memory.dmp

Filesize
64KB

Download
memory/1964-36-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-40-0x000007FFFFEB0000-0x000007FFFFEC0000-memory.dmp

Filesize
64KB

Download
memory/1964-56-0x000007FFFFEA0000-0x000007FFFFEB0000-memory.dmp

Filesize
64KB

Download