zgrat | 9d077371cd1d6dc2b8b337d0bc978afb1e910a947bb0e14c15a37c70c745704c

Analysis

max time kernel
121s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05595fa61734a9acede85154fc8fe03b.exe
Size

1.7MB
MD5

05595fa61734a9acede85154fc8fe03b
SHA1

c3842ef0d4b88b53098c9fcb36082219f39b112f
SHA256

9d077371cd1d6dc2b8b337d0bc978afb1e910a947bb0e14c15a37c70c745704c
SHA512

9e959d30eac39b3fe81f36360f29f4ecdc2c5d7b5b71a12c593f0754860e696822530e022552db3c0d9c1df189a18425bb7030bf7a0d869331a2bbda154f6066
SSDEEP

49152:yopU78Oe8T6UQJ+Ss4ie6tu4HY90Jm9WbV:y+E1e87Y+QKZm9WbV

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2872-6-0x0000000005F40000-0x0000000005FB8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-7-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-8-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-10-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-18-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-24-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-28-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-36-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-44-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-48-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-54-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-56-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-52-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-66-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-70-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-68-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-64-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-62-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-60-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-58-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-50-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-46-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-42-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-40-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-38-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-34-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-32-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-30-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-26-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-22-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-20-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-16-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-14-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-12-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\outlook = "\"C:\\Users\\Admin\\AppData\\Roaming\\outlook.exe\""	05595fa61734a9acede85154fc8fe03b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
1556	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	05595fa61734a9acede85154fc8fe03b.exe
Token: SeDebugPrivilege	1556	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2160	2872	05595fa61734a9acede85154fc8fe03b.exe	30
PID 2872 wrote to memory of 2160	2872	05595fa61734a9acede85154fc8fe03b.exe	30
PID 2872 wrote to memory of 2160	2872	05595fa61734a9acede85154fc8fe03b.exe	30
PID 2872 wrote to memory of 2160	2872	05595fa61734a9acede85154fc8fe03b.exe	30
PID 2872 wrote to memory of 1532	2872	05595fa61734a9acede85154fc8fe03b.exe	31
PID 2872 wrote to memory of 1532	2872	05595fa61734a9acede85154fc8fe03b.exe	31
PID 2872 wrote to memory of 1532	2872	05595fa61734a9acede85154fc8fe03b.exe	31
PID 2872 wrote to memory of 1532	2872	05595fa61734a9acede85154fc8fe03b.exe	31
PID 2160 wrote to memory of 1556	2160	WScript.exe	32
PID 2160 wrote to memory of 1556	2160	WScript.exe	32
PID 2160 wrote to memory of 1556	2160	WScript.exe	32
PID 2160 wrote to memory of 1556	2160	WScript.exe	32
PID 2872 wrote to memory of 1536	2872	05595fa61734a9acede85154fc8fe03b.exe	33
PID 2872 wrote to memory of 1536	2872	05595fa61734a9acede85154fc8fe03b.exe	33
PID 2872 wrote to memory of 1536	2872	05595fa61734a9acede85154fc8fe03b.exe	33
PID 2872 wrote to memory of 1536	2872	05595fa61734a9acede85154fc8fe03b.exe	33
PID 2872 wrote to memory of 1412	2872	05595fa61734a9acede85154fc8fe03b.exe	35
PID 2872 wrote to memory of 1412	2872	05595fa61734a9acede85154fc8fe03b.exe	35
PID 2872 wrote to memory of 1412	2872	05595fa61734a9acede85154fc8fe03b.exe	35
PID 2872 wrote to memory of 1412	2872	05595fa61734a9acede85154fc8fe03b.exe	35
PID 2872 wrote to memory of 1768	2872	05595fa61734a9acede85154fc8fe03b.exe	36
PID 2872 wrote to memory of 1768	2872	05595fa61734a9acede85154fc8fe03b.exe	36
PID 2872 wrote to memory of 1768	2872	05595fa61734a9acede85154fc8fe03b.exe	36
PID 2872 wrote to memory of 1768	2872	05595fa61734a9acede85154fc8fe03b.exe	36
PID 2872 wrote to memory of 1380	2872	05595fa61734a9acede85154fc8fe03b.exe	37
PID 2872 wrote to memory of 1380	2872	05595fa61734a9acede85154fc8fe03b.exe	37
PID 2872 wrote to memory of 1380	2872	05595fa61734a9acede85154fc8fe03b.exe	37
PID 2872 wrote to memory of 1380	2872	05595fa61734a9acede85154fc8fe03b.exe	37
PID 2872 wrote to memory of 1736	2872	05595fa61734a9acede85154fc8fe03b.exe	38
PID 2872 wrote to memory of 1736	2872	05595fa61734a9acede85154fc8fe03b.exe	38
PID 2872 wrote to memory of 1736	2872	05595fa61734a9acede85154fc8fe03b.exe	38
PID 2872 wrote to memory of 1736	2872	05595fa61734a9acede85154fc8fe03b.exe	38
PID 2872 wrote to memory of 2660	2872	05595fa61734a9acede85154fc8fe03b.exe	39
PID 2872 wrote to memory of 2660	2872	05595fa61734a9acede85154fc8fe03b.exe	39
PID 2872 wrote to memory of 2660	2872	05595fa61734a9acede85154fc8fe03b.exe	39
PID 2872 wrote to memory of 2660	2872	05595fa61734a9acede85154fc8fe03b.exe	39
PID 2872 wrote to memory of 2360	2872	05595fa61734a9acede85154fc8fe03b.exe	40
PID 2872 wrote to memory of 2360	2872	05595fa61734a9acede85154fc8fe03b.exe	40
PID 2872 wrote to memory of 2360	2872	05595fa61734a9acede85154fc8fe03b.exe	40
PID 2872 wrote to memory of 2360	2872	05595fa61734a9acede85154fc8fe03b.exe	40
PID 2872 wrote to memory of 2336	2872	05595fa61734a9acede85154fc8fe03b.exe	41
PID 2872 wrote to memory of 2336	2872	05595fa61734a9acede85154fc8fe03b.exe	41
PID 2872 wrote to memory of 2336	2872	05595fa61734a9acede85154fc8fe03b.exe	41
PID 2872 wrote to memory of 2336	2872	05595fa61734a9acede85154fc8fe03b.exe	41
PID 2872 wrote to memory of 2008	2872	05595fa61734a9acede85154fc8fe03b.exe	42
PID 2872 wrote to memory of 2008	2872	05595fa61734a9acede85154fc8fe03b.exe	42
PID 2872 wrote to memory of 2008	2872	05595fa61734a9acede85154fc8fe03b.exe	42
PID 2872 wrote to memory of 2008	2872	05595fa61734a9acede85154fc8fe03b.exe	42

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
"C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Glkcwxl.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\outlook.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:1380
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
  2⤵
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Glkcwxl.vbs

Filesize
137B

MD5
41c8a8551ff6fc7a2b9aadcff976ca0f

SHA1
444db8be2af0b1128229ac46e4963e0570159c3c

SHA256
bc147b5a209f5db13fa86ce6906be0d4dfec76469af3f304d490f10443cf5df5

SHA512
b52b716c3827a20d9298a32c8243f8e506c77c4be10e29e39a17ba303d0c65d70e257ab4f1c7368e99608c53ec12e6a1e7287e3d644df1f4cdbc539a501763c8

Download Submit
memory/1556-2405-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-2404-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1556-2403-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1556-2402-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-2401-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-64-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-46-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-8-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-10-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-18-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-24-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-28-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-36-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-44-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-48-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-54-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-56-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-52-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-66-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-70-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-68-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-1-0x0000000000350000-0x0000000000512000-memory.dmp

Filesize
1.8MB

Download
memory/2872-62-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-60-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-58-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-50-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-7-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-42-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-40-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-38-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-34-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-32-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-30-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-26-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-22-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-20-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-16-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-14-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-12-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-6-0x0000000005F40000-0x0000000005FB8000-memory.dmp

Filesize
480KB

Download
memory/2872-2398-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-5-0x00000000080D0000-0x0000000008280000-memory.dmp

Filesize
1.7MB

Download
memory/2872-4-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2872-3-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-2-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2872-0-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download