zgrat | 4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4

Analysis

max time kernel
125s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 11:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
Size

1.4MB
MD5

a6c81a90d72b2ca218b6a74996f62e46
SHA1

6ee3282f253d4c117b87c27519505e4b238079f4
SHA256

4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4
SHA512

411cfa2b0e13b844da6d0741e2bb8a27b854ff884b72b9cb493dfd3d1223bf1472e5b27a4441c182a9894751f03222e78f09d520beb1767160a56a8be603fadc
SSDEEP

24576:US9nR7hC+aARWXVa5RZLVUIICx0TcoXicHVf+ppJ7W:VkiiCxjoBHVf+pT7W

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/3556-10-0x0000017F7E020000-0x0000017F7E104000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-13-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-14-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-16-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-18-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-20-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-22-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-24-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-26-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-28-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-30-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-32-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-34-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-36-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-38-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-40-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-42-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-44-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-46-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-48-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-50-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-52-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-54-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-56-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-58-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-60-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-62-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-64-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-66-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-68-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-70-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-72-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1
behavioral2/memory/3556-74-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
5012	AllData.exe
4180	AllData.exe
1452	sumwzxe.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 3556	2376	NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe	91
PID 5012 set thread context of 4180	5012	AllData.exe	103
PID 4584 set thread context of 800	4584	InstallUtil.exe	108

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1128	1452	WerFault.exe	113

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
Token: SeDebugPrivilege	3556	NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
Token: SeDebugPrivilege	5012	AllData.exe
Token: SeDebugPrivilege	4584	InstallUtil.exe
Token: SeDebugPrivilege	800	InstallUtil.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3556	2376	NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe	91
PID 2376 wrote to memory of 3556	2376	NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe	91
PID 2376 wrote to memory of 3556	2376	NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe	91
PID 2376 wrote to memory of 3556	2376	NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe	91
PID 2376 wrote to memory of 3556	2376	NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe	91
PID 2376 wrote to memory of 3556	2376	NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe	91
PID 5012 wrote to memory of 4180	5012	AllData.exe	103
PID 5012 wrote to memory of 4180	5012	AllData.exe	103
PID 5012 wrote to memory of 4180	5012	AllData.exe	103
PID 5012 wrote to memory of 4180	5012	AllData.exe	103
PID 5012 wrote to memory of 4180	5012	AllData.exe	103
PID 5012 wrote to memory of 4180	5012	AllData.exe	103
PID 4584 wrote to memory of 800	4584	InstallUtil.exe	108
PID 4584 wrote to memory of 800	4584	InstallUtil.exe	108
PID 4584 wrote to memory of 800	4584	InstallUtil.exe	108
PID 4584 wrote to memory of 800	4584	InstallUtil.exe	108
PID 4584 wrote to memory of 800	4584	InstallUtil.exe	108
PID 4584 wrote to memory of 800	4584	InstallUtil.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3556

C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe
C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe
  C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:800

C:\Users\Admin\AppData\Local\Temp\sumwzxe.exe
C:\Users\Admin\AppData\Local\Temp\sumwzxe.exe
1⤵
- Executes dropped EXE
PID:1452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 432
  2⤵
  - Program crash
  PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1452 -ip 1452
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe

Filesize
1.4MB

MD5
a6c81a90d72b2ca218b6a74996f62e46

SHA1
6ee3282f253d4c117b87c27519505e4b238079f4

SHA256
4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4

SHA512
411cfa2b0e13b844da6d0741e2bb8a27b854ff884b72b9cb493dfd3d1223bf1472e5b27a4441c182a9894751f03222e78f09d520beb1767160a56a8be603fadc

Download Submit
C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe

Filesize
1.4MB

MD5
a6c81a90d72b2ca218b6a74996f62e46

SHA1
6ee3282f253d4c117b87c27519505e4b238079f4

SHA256
4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4

SHA512
411cfa2b0e13b844da6d0741e2bb8a27b854ff884b72b9cb493dfd3d1223bf1472e5b27a4441c182a9894751f03222e78f09d520beb1767160a56a8be603fadc

Download Submit
C:\Users\Admin\AppData\Local\Current\kxouwv\AllData.exe

Filesize
1.4MB

MD5
a6c81a90d72b2ca218b6a74996f62e46

SHA1
6ee3282f253d4c117b87c27519505e4b238079f4

SHA256
4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4

SHA512
411cfa2b0e13b844da6d0741e2bb8a27b854ff884b72b9cb493dfd3d1223bf1472e5b27a4441c182a9894751f03222e78f09d520beb1767160a56a8be603fadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NEAS.4fe6f4391fa535d402b0bd20632c1967dbec2b2e77848782b22c320a22f7b1f4.exe.log

Filesize
1KB

MD5
84a01db52ea5a878520e162c80acfcd3

SHA1
49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

SHA256
25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

SHA512
0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sumwzxe.exe

Filesize
230KB

MD5
99429748908f36ca97c4f69ff3b5225f

SHA1
0b72d4875765354c185a2a854e3f0be2bdaf9b53

SHA256
f17ae0a90c9b00001bfe421ab271e7973a1ad14bfdad235ff025ccd617de6b71

SHA512
8355b93acba30b59522602d7ec945ad8049edfbe5fa9e71b8b3b0eba4e3dbc578e931d8a642f6c77402473c54c8aa9cdbaf1375fd686ac77b2dbd5a1b4885235

Download Submit
C:\Users\Admin\AppData\Local\Temp\sumwzxe.exe

Filesize
230KB

MD5
99429748908f36ca97c4f69ff3b5225f

SHA1
0b72d4875765354c185a2a854e3f0be2bdaf9b53

SHA256
f17ae0a90c9b00001bfe421ab271e7973a1ad14bfdad235ff025ccd617de6b71

SHA512
8355b93acba30b59522602d7ec945ad8049edfbe5fa9e71b8b3b0eba4e3dbc578e931d8a642f6c77402473c54c8aa9cdbaf1375fd686ac77b2dbd5a1b4885235

Download Submit
memory/800-2205-0x0000023532980000-0x0000023532990000-memory.dmp

Filesize
64KB

Download
memory/800-2204-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download
memory/800-4379-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download
memory/800-4382-0x0000023532980000-0x0000023532990000-memory.dmp

Filesize
64KB

Download
memory/800-4383-0x0000023532980000-0x0000023532990000-memory.dmp

Filesize
64KB

Download
memory/1452-4386-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-4392-0x0000000000740000-0x0000000000978000-memory.dmp

Filesize
2.2MB

Download
memory/2376-5-0x000001C953050000-0x000001C953118000-memory.dmp

Filesize
800KB

Download
memory/2376-6-0x000001C953260000-0x000001C953328000-memory.dmp

Filesize
800KB

Download
memory/2376-82-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download
memory/2376-7-0x000001C953330000-0x000001C95337C000-memory.dmp

Filesize
304KB

Download
memory/2376-0-0x000001C9388B0000-0x000001C938A12000-memory.dmp

Filesize
1.4MB

Download
memory/2376-4-0x000001C952F70000-0x000001C953050000-memory.dmp

Filesize
896KB

Download
memory/2376-3-0x000001C93A7B0000-0x000001C93A7C0000-memory.dmp

Filesize
64KB

Download
memory/2376-2-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download
memory/2376-1-0x000001C93A7C0000-0x000001C93A8A0000-memory.dmp

Filesize
896KB

Download
memory/3556-22-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-2186-0x0000017F181B0000-0x0000017F181B8000-memory.dmp

Filesize
32KB

Download
memory/3556-36-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-38-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-40-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-42-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-44-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-46-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-48-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-50-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-52-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-54-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-56-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-58-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-60-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-62-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-64-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-66-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-68-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-70-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-72-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-74-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-32-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-34-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-2187-0x0000017F181C0000-0x0000017F18216000-memory.dmp

Filesize
344KB

Download
memory/3556-2188-0x0000017F185B0000-0x0000017F18604000-memory.dmp

Filesize
336KB

Download
memory/3556-30-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-2191-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download
memory/3556-28-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-26-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-8-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3556-10-0x0000017F7E020000-0x0000017F7E104000-memory.dmp

Filesize
912KB

Download
memory/3556-24-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-11-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download
memory/3556-12-0x0000017F7D890000-0x0000017F7D8A0000-memory.dmp

Filesize
64KB

Download
memory/3556-13-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-20-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-18-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-14-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/3556-16-0x0000017F7E020000-0x0000017F7E0FF000-memory.dmp

Filesize
892KB

Download
memory/4584-2206-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download
memory/4584-2201-0x000001DF8A850000-0x000001DF8A860000-memory.dmp

Filesize
64KB

Download
memory/4584-2200-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download
memory/5012-2199-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download
memory/5012-2195-0x000002D5FEE50000-0x000002D5FEE60000-memory.dmp

Filesize
64KB

Download
memory/5012-2194-0x00007FFCC5C60000-0x00007FFCC6721000-memory.dmp

Filesize
10.8MB

Download