zgrat | 1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864

General

Target

1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
Size

693KB
MD5

c1f0e8aa7f02901f5161c3e71f04ecb4
SHA1

3619db7c226a71b1705c8802935f4f7e32006546
SHA256

1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864
SHA512

4e91a5601734d516fbefd40c656f89a10ff325c561c8703c6da833efd064e38904264ac5a7ca3bfb283120aefd0ae9702adf68df41382f0b58952b0e1e9c636b
SSDEEP

12288:Z3IU8S6eUdob1XWtvtECGFMrxuxxjsMns/P4jQHm1sbRNKGMw6B+Ou+tboc5:RItSAd9v+C1uXgMnSZm4KGhqjJbj5

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2144-3-0x0000000000330000-0x0000000000348000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2540 schtasks.exe

pid	process
2540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exepowershell.exepowershell.exe

pid	process
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
2824	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe

C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
"C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CkdcUd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkdcUd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D61.tmp"
2⤵
- Creates scheduled task(s)
PID:2540

C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
"C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe"
2⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
"C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe"
2⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
"C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe"
2⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
"C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe"
2⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
"C:\Users\Admin\AppData\Local\Temp\1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe"
2⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8D61.tmp

Filesize
1KB

MD5
b9df0bc267a567c6bd3a358b12842674

SHA1
66aa552ca9945177ebff192b56a2dc97890ca6bb

SHA256
79039729e64d3c70536eedee7d13da856e4bb9a2a3dce618cc7c1b1b2a2389e7

SHA512
8d64582266a98cfb453a96fa0b38b7d026dd98b45f953e51e8975c1c0210bc733c41ab4b6e69759c0a951d833abc8f89c07308c516ff3dcda6ca61c5a3c71aa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W9J7MIUFAYRJQ9ERT58C.temp

Filesize
7KB

MD5
1f2ff99f975e391c7e3f5a123e90f275

SHA1
55104c0c9a5b8c1c8b7671af5e086be78ae9bb11

SHA256
18878fb3fd9fff59f9f94e25415eaa98ad5c7277db15a8941f272038e7a9f3a9

SHA512
19e645646539d80efb1cfd49e8a17cff57a013efb08d92b35bf6a884c0d64c126020c6caae121ba68b23f713fe9bd16eedbb10f5d69ba9fe8c477e994786544f

Download Submit
memory/2144-0-0x0000000000360000-0x0000000000414000-memory.dmp

Filesize
720KB

Download
memory/2144-1-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2144-2-0x0000000005050000-0x0000000005090000-memory.dmp

Filesize
256KB

Download
memory/2144-3-0x0000000000330000-0x0000000000348000-memory.dmp

Filesize
96KB

Download
memory/2144-4-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/2144-5-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2144-6-0x0000000005B70000-0x0000000005BEA000-memory.dmp

Filesize
488KB

Download
memory/2144-19-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Filesize
6.9MB

Download
memory/2736-20-0x000000006ED20000-0x000000006F2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-23-0x000000006ED20000-0x000000006F2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-25-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2736-27-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2736-28-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2736-29-0x000000006ED20000-0x000000006F2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2824-21-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2824-22-0x000000006ED20000-0x000000006F2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2824-24-0x000000006ED20000-0x000000006F2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2824-26-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/2824-30-0x000000006ED20000-0x000000006F2CB000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 2144 wrote to memory of 2824	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	powershell.exe
PID 2144 wrote to memory of 2824	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	powershell.exe
PID 2144 wrote to memory of 2824	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	powershell.exe
PID 2144 wrote to memory of 2824	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	powershell.exe
PID 2144 wrote to memory of 2736	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	powershell.exe
PID 2144 wrote to memory of 2736	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	powershell.exe
PID 2144 wrote to memory of 2736	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	powershell.exe
PID 2144 wrote to memory of 2736	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	powershell.exe
PID 2144 wrote to memory of 2540	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	schtasks.exe
PID 2144 wrote to memory of 2540	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	schtasks.exe
PID 2144 wrote to memory of 2540	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	schtasks.exe
PID 2144 wrote to memory of 2540	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	schtasks.exe
PID 2144 wrote to memory of 2628	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2628	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2628	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2628	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2652	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2652	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2652	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2652	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2700	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2700	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2700	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2700	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2520	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2520	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2520	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 2520	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 1168	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 1168	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 1168	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe
PID 2144 wrote to memory of 1168	2144	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe	1060c376ca5aaa3f3f294a4118209f645d1db4f1c8788f7424376d23889be864.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads