zgrat | fc07e1f14fe415abbf50144169406b444d1a70a06332892004d29e286da08f37

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b843b704dd6690f5cc7a8a400674b054.exe
Size

3.9MB
MD5

b843b704dd6690f5cc7a8a400674b054
SHA1

fec8571d6b9e1ae91e4cb0ff7d1a6477ff0888a9
SHA256

fc07e1f14fe415abbf50144169406b444d1a70a06332892004d29e286da08f37
SHA512

29f7e4bb063677f848ba45eb0e90dba542dceff1aa7c8a517d42645700545058fb6e507bc267678c0cc8c73d6f070f21e7d5bc78bd2540b5bd0384c0d4d3c2a3
SSDEEP

98304:ySA5A5qQ2o3QCHp2IzQCI2qQv3zjb7iK3OPBOMVw/WBmCL:Vv5WUQC4IzQL21zjb7X3uQMVYzO

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022e29-10.dat	family_zgrat_v1
behavioral2/files/0x0008000000022e29-11.dat	family_zgrat_v1
behavioral2/memory/3520-12-0x0000000000150000-0x00000000004EA000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0025000000022e2f-97.dat	family_zgrat_v1
behavioral2/files/0x0007000000022e33-114.dat	family_zgrat_v1
behavioral2/files/0x0007000000022e33-115.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	b843b704dd6690f5cc7a8a400674b054.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	Msnetcommon.exe

Executes dropped EXE 2 IoCs

pid	Process
3520	Msnetcommon.exe
3592	wininit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\56085415360792	Msnetcommon.exe
File created	C:\Program Files\ModifiableWindowsApps\dwm.exe	Msnetcommon.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe	Msnetcommon.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\csrss.exe	Msnetcommon.exe
File created	C:\Windows\DigitalLocker\en-US\886983d96e3d3e	Msnetcommon.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\fontdrvhost.exe	Msnetcommon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\fontdrvhost.exe	Msnetcommon.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\5b884080fd4f94	Msnetcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	b843b704dd6690f5cc7a8a400674b054.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	Msnetcommon.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3496	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe
3520	Msnetcommon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3592	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	Msnetcommon.exe
Token: SeDebugPrivilege	3592	wininit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 4452	524	b843b704dd6690f5cc7a8a400674b054.exe	86
PID 524 wrote to memory of 4452	524	b843b704dd6690f5cc7a8a400674b054.exe	86
PID 524 wrote to memory of 4452	524	b843b704dd6690f5cc7a8a400674b054.exe	86
PID 4452 wrote to memory of 4524	4452	WScript.exe	92
PID 4452 wrote to memory of 4524	4452	WScript.exe	92
PID 4452 wrote to memory of 4524	4452	WScript.exe	92
PID 4524 wrote to memory of 3520	4524	cmd.exe	94
PID 4524 wrote to memory of 3520	4524	cmd.exe	94
PID 3520 wrote to memory of 1532	3520	Msnetcommon.exe	97
PID 3520 wrote to memory of 1532	3520	Msnetcommon.exe	97
PID 1532 wrote to memory of 4568	1532	cmd.exe	99
PID 1532 wrote to memory of 4568	1532	cmd.exe	99
PID 1532 wrote to memory of 3496	1532	cmd.exe	100
PID 1532 wrote to memory of 3496	1532	cmd.exe	100
PID 1532 wrote to memory of 3592	1532	cmd.exe	101
PID 1532 wrote to memory of 3592	1532	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\b843b704dd6690f5cc7a8a400674b054.exe
"C:\Users\Admin\AppData\Local\Temp\b843b704dd6690f5cc7a8a400674b054.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeintoPerfdll\FUtKAenxZ.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgeintoPerfdll\SVKIEXo2DS.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\bridgeintoPerfdll\Msnetcommon.exe
      "C:\bridgeintoPerfdll/Msnetcommon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3520
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9nDtWiztzP.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4568
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:3496
      - C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\Users\Admin\AppData\Local\Temp\9nDtWiztzP.bat

Filesize
186B

MD5
a1fc296af10600972fbc5869e9d49e56

SHA1
92485c2ea832365b7760e4892feddf4b7869407f

SHA256
5a3837ae6cc7a30a25119fe53e481393892f4b27b3c49812fbba3a344de0c5cc

SHA512
df3dfdbf33d3f323416f07f2d83f97585f2d7ff8491f5bc4a45569c9b7ca8323251b883166a29922a5d34a810ff193b3c723c7c92223a76e3dfab8071d4afe96

Download Submit
C:\Windows\DigitalLocker\en-US\csrss.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\bridgeintoPerfdll\FUtKAenxZ.vbe

Filesize
205B

MD5
ca9c208817e4eff516342d7dbd58cf27

SHA1
8ce27a728720ffb14f972cfe52a58c678890edc3

SHA256
18d95a16d9f533dc521aa30a7e714bcbe5cb976883b951e7a7d7ebfcb1565857

SHA512
ce8201ba3db66bccfa446df92ae82afb15a1f3817648b260bec5462e86ed2bd94ab4540ccfe3b127a3ade0ea21a0f6af6c817e3632ec363cee25d66e47fa04f4

Download Submit
C:\bridgeintoPerfdll\Msnetcommon.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\bridgeintoPerfdll\Msnetcommon.exe

Filesize
3.6MB

MD5
d6ded16404f42a6c35348feb7a6c326a

SHA1
ca8bef9f09db5ba365826b95fedc9bbe2b973216

SHA256
aedfdd5242db717a51fbb4e58b5dd17bb8a1ec5c19243724b9dd96d390de3842

SHA512
d91ca671402afa493c6d74b7ff810570ccf849c5087851e3d19c880eff646565e7045b21e90a5a6189ed101a63af9eb028f404c9a0348f928e63246764f78746

Download Submit
C:\bridgeintoPerfdll\SVKIEXo2DS.bat

Filesize
87B

MD5
b4c177d380fff1fe04e01223a66e0878

SHA1
2c9fef271f9c1633af8b8467f1e3956572d5f387

SHA256
56709fc7efc983e335352d009ae39344005df1c5bd49a3bfcc2d1f5c9ad08128

SHA512
9f8efe43cc18694cbbf002f011316c21afaea7f17923bc1dd21cd84fe8ea89667159eb5a5738ad667f549341b11fce845fc2bdaa93b690e79d3087e082d824f0

Download Submit
memory/3520-49-0x00007FFA04710000-0x00007FFA04711000-memory.dmp

Filesize
4KB

Download
memory/3520-57-0x00007FFA046F0000-0x00007FFA046F1000-memory.dmp

Filesize
4KB

Download
memory/3520-14-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/3520-15-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/3520-16-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/3520-17-0x00007FFA047D0000-0x00007FFA0488E000-memory.dmp

Filesize
760KB

Download
memory/3520-20-0x000000001B330000-0x000000001B356000-memory.dmp

Filesize
152KB

Download
memory/3520-18-0x00007FFA04790000-0x00007FFA04791000-memory.dmp

Filesize
4KB

Download
memory/3520-23-0x00007FFA04780000-0x00007FFA04781000-memory.dmp

Filesize
4KB

Download
memory/3520-22-0x00000000025B0000-0x00000000025BE000-memory.dmp

Filesize
56KB

Download
memory/3520-25-0x000000001C410000-0x000000001C42C000-memory.dmp

Filesize
112KB

Download
memory/3520-27-0x000000001C480000-0x000000001C4D0000-memory.dmp

Filesize
320KB

Download
memory/3520-28-0x00007FFA04770000-0x00007FFA04771000-memory.dmp

Filesize
4KB

Download
memory/3520-31-0x00007FFA04760000-0x00007FFA04761000-memory.dmp

Filesize
4KB

Download
memory/3520-30-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/3520-26-0x00007FF9E57E0000-0x00007FF9E62A1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-33-0x000000001C430000-0x000000001C448000-memory.dmp

Filesize
96KB

Download
memory/3520-35-0x00007FFA04750000-0x00007FFA04751000-memory.dmp

Filesize
4KB

Download
memory/3520-34-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/3520-37-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

Filesize
64KB

Download
memory/3520-38-0x00007FFA04740000-0x00007FFA04741000-memory.dmp

Filesize
4KB

Download
memory/3520-39-0x00007FFA04730000-0x00007FFA04731000-memory.dmp

Filesize
4KB

Download
memory/3520-41-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/3520-42-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/3520-45-0x000000001C450000-0x000000001C45E000-memory.dmp

Filesize
56KB

Download
memory/3520-43-0x00007FFA04720000-0x00007FFA04721000-memory.dmp

Filesize
4KB

Download
memory/3520-47-0x000000001C460000-0x000000001C46E000-memory.dmp

Filesize
56KB

Download
memory/3520-48-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/3520-12-0x0000000000150000-0x00000000004EA000-memory.dmp

Filesize
3.6MB

Download
memory/3520-52-0x00007FFA047D0000-0x00007FFA0488E000-memory.dmp

Filesize
760KB

Download
memory/3520-13-0x00007FF9E57E0000-0x00007FF9E62A1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-51-0x000000001C4F0000-0x000000001C502000-memory.dmp

Filesize
72KB

Download
memory/3520-67-0x000000001C4D0000-0x000000001C4DE000-memory.dmp

Filesize
56KB

Download
memory/3520-53-0x00007FFA04700000-0x00007FFA04701000-memory.dmp

Filesize
4KB

Download
memory/3520-56-0x000000001C470000-0x000000001C480000-memory.dmp

Filesize
64KB

Download
memory/3520-59-0x000000001C510000-0x000000001C526000-memory.dmp

Filesize
88KB

Download
memory/3520-60-0x00007FFA046E0000-0x00007FFA046E1000-memory.dmp

Filesize
4KB

Download
memory/3520-61-0x00007FFA046D0000-0x00007FFA046D1000-memory.dmp

Filesize
4KB

Download
memory/3520-63-0x000000001C530000-0x000000001C542000-memory.dmp

Filesize
72KB

Download
memory/3520-64-0x000000001CA80000-0x000000001CFA8000-memory.dmp

Filesize
5.2MB

Download
memory/3520-54-0x00007FFA047D0000-0x00007FFA0488E000-memory.dmp

Filesize
760KB

Download
memory/3520-65-0x00007FFA046C0000-0x00007FFA046C1000-memory.dmp

Filesize
4KB

Download
memory/3520-69-0x000000001C4E0000-0x000000001C4F0000-memory.dmp

Filesize
64KB

Download
memory/3520-70-0x00007FFA046B0000-0x00007FFA046B1000-memory.dmp

Filesize
4KB

Download
memory/3520-72-0x000000001C550000-0x000000001C560000-memory.dmp

Filesize
64KB

Download
memory/3520-73-0x00007FFA046A0000-0x00007FFA046A1000-memory.dmp

Filesize
4KB

Download
memory/3520-76-0x000000001C5C0000-0x000000001C61A000-memory.dmp

Filesize
360KB

Download
memory/3520-74-0x00007FFA04690000-0x00007FFA04691000-memory.dmp

Filesize
4KB

Download
memory/3520-77-0x00007FFA04680000-0x00007FFA04681000-memory.dmp

Filesize
4KB

Download
memory/3520-79-0x000000001C560000-0x000000001C56E000-memory.dmp

Filesize
56KB

Download
memory/3520-80-0x00007FFA04670000-0x00007FFA04671000-memory.dmp

Filesize
4KB

Download
memory/3520-82-0x000000001C570000-0x000000001C580000-memory.dmp

Filesize
64KB

Download
memory/3520-83-0x00007FFA04660000-0x00007FFA04661000-memory.dmp

Filesize
4KB

Download
memory/3520-85-0x000000001C580000-0x000000001C58E000-memory.dmp

Filesize
56KB

Download
memory/3520-87-0x00007FFA04650000-0x00007FFA04651000-memory.dmp

Filesize
4KB

Download
memory/3520-88-0x000000001C620000-0x000000001C638000-memory.dmp

Filesize
96KB

Download
memory/3520-89-0x00007FFA04640000-0x00007FFA04641000-memory.dmp

Filesize
4KB

Download
memory/3520-91-0x000000001C590000-0x000000001C59C000-memory.dmp

Filesize
48KB

Download
memory/3520-92-0x00007FFA04630000-0x00007FFA04631000-memory.dmp

Filesize
4KB

Download
memory/3520-94-0x000000001C690000-0x000000001C6DE000-memory.dmp

Filesize
312KB

Download
memory/3520-110-0x00007FFA047D0000-0x00007FFA0488E000-memory.dmp

Filesize
760KB

Download
memory/3520-111-0x00007FF9E57E0000-0x00007FF9E62A1000-memory.dmp

Filesize
10.8MB

Download
memory/3592-116-0x00007FF9E57E0000-0x00007FF9E62A1000-memory.dmp

Filesize
10.8MB

Download
memory/3592-117-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download