zgrat | 7f172d780a290e00ba180bab8e5fcec4d1a8f6d8512310794d7e5e9cd45e829d

Analysis

max time kernel
202s
max time network
161s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

045f4cea4f863d9def6967fe35303066.exe
Size

6.4MB
MD5

045f4cea4f863d9def6967fe35303066
SHA1

e40b4393ac099688bee151c475c71a4354c69654
SHA256

7f172d780a290e00ba180bab8e5fcec4d1a8f6d8512310794d7e5e9cd45e829d
SHA512

4779aa92792799d9e5dd6cce3a05c5f06959cdc8213e2fb5c5127733ff1d5c9108f7a13e926ea36f1661bda133b574ac484c5a3bfeed18fdf16f17d03509788f
SSDEEP

98304:Vi3w/4GrQBeQZ1P/by87heRw6+vllYmTDv7GQ6pwoTxFI:VCw/+eMy8te2dlYEDGQT6

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2260-5-0x000000001B660000-0x000000001B6CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-15-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-25-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-33-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-39-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-53-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-61-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-69-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-67-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-65-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-63-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-59-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-57-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-55-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-51-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-49-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-47-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-45-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-43-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-41-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-37-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-35-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-31-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-29-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-27-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-23-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-21-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-19-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-17-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-13-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-11-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-9-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-7-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1
behavioral1/memory/2260-6-0x000000001B660000-0x000000001B6C5000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2260 set thread context of 340	2260	045f4cea4f863d9def6967fe35303066.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2260	045f4cea4f863d9def6967fe35303066.exe
2260	045f4cea4f863d9def6967fe35303066.exe
1472	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	045f4cea4f863d9def6967fe35303066.exe
Token: SeDebugPrivilege	1472	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 788	2260	045f4cea4f863d9def6967fe35303066.exe	28
PID 2260 wrote to memory of 788	2260	045f4cea4f863d9def6967fe35303066.exe	28
PID 2260 wrote to memory of 788	2260	045f4cea4f863d9def6967fe35303066.exe	28
PID 788 wrote to memory of 1472	788	WScript.exe	29
PID 788 wrote to memory of 1472	788	WScript.exe	29
PID 788 wrote to memory of 1472	788	WScript.exe	29
PID 2260 wrote to memory of 340	2260	045f4cea4f863d9def6967fe35303066.exe	31
PID 2260 wrote to memory of 340	2260	045f4cea4f863d9def6967fe35303066.exe	31
PID 2260 wrote to memory of 340	2260	045f4cea4f863d9def6967fe35303066.exe	31
PID 2260 wrote to memory of 340	2260	045f4cea4f863d9def6967fe35303066.exe	31
PID 2260 wrote to memory of 340	2260	045f4cea4f863d9def6967fe35303066.exe	31
PID 2260 wrote to memory of 340	2260	045f4cea4f863d9def6967fe35303066.exe	31
PID 2260 wrote to memory of 340	2260	045f4cea4f863d9def6967fe35303066.exe	31

C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe
"C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Jgjfitkqfhlmfojonqa.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\webfind.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe
  C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe
  2⤵
  PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Jgjfitkqfhlmfojonqa.vbs

Filesize
175B

MD5
10c2467cd97e13e22bd753be3c09c805

SHA1
a4da069e3936b4ab05f06281af76bd05f5d3c9f0

SHA256
29851d647c12d23c40a2b6623451052c1903cdc3ae4a44979507c423fcdb1024

SHA512
7cfd7c289c014b2307feb330e674db4ac3c74b7a3970f57406e98e3d3a29f027dda20820c00eb6559f58d9eb3b487ab5cfaca5e6d3abe70dea9a88690cae1e26

Download Submit
memory/340-2116-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/1472-2102-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/1472-2104-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1472-2115-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1472-2119-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1472-2118-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/1472-2117-0x000000000289B000-0x0000000002902000-memory.dmp

Filesize
412KB

Download
memory/2260-51-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-41-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-5-0x000000001B660000-0x000000001B6CC000-memory.dmp

Filesize
432KB

Download
memory/2260-15-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-25-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-33-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-39-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-53-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-61-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-69-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-67-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-65-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-63-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-59-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-57-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-55-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-3-0x000000001F280000-0x000000001F8E6000-memory.dmp

Filesize
6.4MB

Download
memory/2260-49-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-47-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-45-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-43-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-4-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-37-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-35-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-31-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-29-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-27-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-23-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-21-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-19-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-17-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-13-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-11-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-9-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-7-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-6-0x000000001B660000-0x000000001B6C5000-memory.dmp

Filesize
404KB

Download
memory/2260-546-0x000000001BCF0000-0x000000001BD70000-memory.dmp

Filesize
512KB

Download
memory/2260-2-0x000000001BCF0000-0x000000001BD70000-memory.dmp

Filesize
512KB

Download
memory/2260-1-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-0-0x000000013F9D0000-0x000000014003A000-memory.dmp

Filesize
6.4MB

Download
memory/2260-2112-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-2114-0x000000001BCF6000-0x000000001BD5D000-memory.dmp

Filesize
412KB

Download