zgrat | 776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PURCHASE ORDER 6523027_1.scr.exe
Size

9KB
MD5

fa17ada82de6fd6c7b93ec054ce3f085
SHA1

9db9954948de1c720ad28bf41b5e10c3588d9c21
SHA256

776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603
SHA512

0495c2479f5d7fd47bdcd5a5a098fca2c05c50f2c851540da138f0f280ba944eb4f8cdb9241d54faf829f217b7d2f82d394cc84feb1536f2a96664e49234323e
SSDEEP

96:WAfyA0Qts/4gb1f4JaYogNJVMps3PH7C64ln+flCnWiYNYNaRzNt:z0Q6/4gkT2ps+6unyBakz

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2208-39-0x000000001BFB0000-0x000000001C110000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-40-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-41-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-45-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-43-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-47-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-49-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-53-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-51-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-55-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-57-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-59-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-61-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-63-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-67-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-65-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-69-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-73-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-71-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-75-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-79-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-77-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-83-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-81-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-87-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-85-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-91-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-89-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-97-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-99-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-95-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-93-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-103-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2208-101-0x000000001BFB0000-0x000000001C10B000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ljfwqmdkju = "C:\\Users\\Admin\\AppData\\Roaming\\Ljfwqmdkju.exe"	PURCHASE ORDER 6523027_1.scr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2340	2208	PURCHASE ORDER 6523027_1.scr.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2208	PURCHASE ORDER 6523027_1.scr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	PURCHASE ORDER 6523027_1.scr.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2340	2208	PURCHASE ORDER 6523027_1.scr.exe	30
PID 2208 wrote to memory of 2340	2208	PURCHASE ORDER 6523027_1.scr.exe	30
PID 2208 wrote to memory of 2340	2208	PURCHASE ORDER 6523027_1.scr.exe	30
PID 2208 wrote to memory of 2340	2208	PURCHASE ORDER 6523027_1.scr.exe	30
PID 2208 wrote to memory of 2340	2208	PURCHASE ORDER 6523027_1.scr.exe	30
PID 2208 wrote to memory of 2340	2208	PURCHASE ORDER 6523027_1.scr.exe	30
PID 2208 wrote to memory of 2340	2208	PURCHASE ORDER 6523027_1.scr.exe	30

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 6523027_1.scr.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 6523027_1.scr.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 6523027_1.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER 6523027_1.scr.exe"
  2⤵
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab84DB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar852C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2208-73-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-53-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-1-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-37-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-38-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2208-39-0x000000001BFB0000-0x000000001C110000-memory.dmp

Filesize
1.4MB

Download
memory/2208-40-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-41-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-45-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-43-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-47-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-49-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-71-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-51-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-55-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-57-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-59-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-61-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-63-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-67-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-65-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-69-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-2-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2208-0-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2208-91-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-79-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-77-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-83-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-81-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-87-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-85-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-75-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-89-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-97-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-99-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-95-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-93-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-103-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-101-0x000000001BFB0000-0x000000001C10B000-memory.dmp

Filesize
1.4MB

Download
memory/2208-972-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2208-974-0x0000000000540000-0x000000000058C000-memory.dmp

Filesize
304KB

Download
memory/2208-973-0x000000001BB30000-0x000000001BC28000-memory.dmp

Filesize
992KB

Download
memory/2208-982-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-985-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-984-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/2340-986-0x000000001ACA0000-0x000000001ADAA000-memory.dmp

Filesize
1.0MB

Download
memory/2340-987-0x000000001AE00000-0x000000001AE80000-memory.dmp

Filesize
512KB

Download