zgrat | 7f172d780a290e00ba180bab8e5fcec4d1a8f6d8512310794d7e5e9cd45e829d

Analysis

max time kernel
69s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 21:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

045f4cea4f863d9def6967fe35303066.exe
Size

6.4MB
MD5

045f4cea4f863d9def6967fe35303066
SHA1

e40b4393ac099688bee151c475c71a4354c69654
SHA256

7f172d780a290e00ba180bab8e5fcec4d1a8f6d8512310794d7e5e9cd45e829d
SHA512

4779aa92792799d9e5dd6cce3a05c5f06959cdc8213e2fb5c5127733ff1d5c9108f7a13e926ea36f1661bda133b574ac484c5a3bfeed18fdf16f17d03509788f
SSDEEP

98304:Vi3w/4GrQBeQZ1P/by87heRw6+vllYmTDv7GQ6pwoTxFI:VCw/+eMy8te2dlYEDGQT6

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

resource	yara_rule
behavioral2/memory/3128-7-0x000000001D330000-0x000000001D39C000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-9-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-11-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-8-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-21-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-33-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-43-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-55-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-65-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-71-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-69-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-67-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-63-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-61-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-59-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-57-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-53-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-51-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-49-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-47-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-45-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-41-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-39-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-37-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-35-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-31-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-29-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-27-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-25-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-23-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-19-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-17-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-15-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-13-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/1916-2185-0x000000001E240000-0x000000001E880000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	045f4cea4f863d9def6967fe35303066.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	045f4cea4f863d9def6967fe35303066.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	045f4cea4f863d9def6967fe35303066.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 3484	3128	045f4cea4f863d9def6967fe35303066.exe	104
PID 3128 wrote to memory of 3484	3128	045f4cea4f863d9def6967fe35303066.exe	104

C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe
"C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Jgjfitkqfhlmfojonqa.vbs"
  2⤵
  PID:3484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\webfind.exe'
    3⤵
    PID:3152
- C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe
  C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe
  2⤵
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
    3⤵
    PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
    3⤵
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
    3⤵
    PID:1608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
    3⤵
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\045f4cea4f863d9def6967fe35303066.exe.log

Filesize
1KB

MD5
b65ecf27e16c9159164a4f3e4f71a9ca

SHA1
775ce345a9eaf954e4833bd25ee2fa4c11fc846a

SHA256
adce6dd6ba66e634fe10e7fade4b6de277f3311ee0d82f6c20141520893bf72a

SHA512
3927300905ca9f86fcdbc31743e285ee376ebb5b2202a07b0c4897f9a699fa84567a5e5c260d8a397b97ddc7d8e550fceccad3ebdc382556f6017816ab0efa2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4240daff4d0559c94aeeaa69828423fa

SHA1
4d2cdd4a4f56c4bfdd632a7864249dc0fad7b18d

SHA256
ac44b3ec8a2fca634edffe5fcfe888256a4e93adc6cebe554a819680028a3e24

SHA512
a8d553a6a3bbf2f45683a6b143cd65e0ce203b4610fc5ff95b813e6fa04629ac4216aa561e4677e70158949ad76c308c8c47af3fcaf48f870b2ba951f3c91ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d096831023867930e62e6d8b3d4d8ca6

SHA1
404a1e73dc1590f1c8b9327c396591567dac7365

SHA256
167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b

SHA512
31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Jgjfitkqfhlmfojonqa.vbs

Filesize
175B

MD5
10c2467cd97e13e22bd753be3c09c805

SHA1
a4da069e3936b4ab05f06281af76bd05f5d3c9f0

SHA256
29851d647c12d23c40a2b6623451052c1903cdc3ae4a44979507c423fcdb1024

SHA512
7cfd7c289c014b2307feb330e674db4ac3c74b7a3970f57406e98e3d3a29f027dda20820c00eb6559f58d9eb3b487ab5cfaca5e6d3abe70dea9a88690cae1e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckrdsmwj.iis.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/536-2153-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/536-2146-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/536-2149-0x0000027B3B7F0000-0x0000027B3B800000-memory.dmp

Filesize
64KB

Download
memory/536-2151-0x0000027B3B7F0000-0x0000027B3B800000-memory.dmp

Filesize
64KB

Download
memory/536-2150-0x0000027B3B7F0000-0x0000027B3B800000-memory.dmp

Filesize
64KB

Download
memory/896-2133-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/896-2136-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/896-2134-0x0000019EF56F0000-0x0000019EF5700000-memory.dmp

Filesize
64KB

Download
memory/1608-2163-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/1608-2165-0x000002217F170000-0x000002217F180000-memory.dmp

Filesize
64KB

Download
memory/1608-2167-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/1916-2148-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/1916-2184-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/1916-2185-0x000000001E240000-0x000000001E880000-memory.dmp

Filesize
6.2MB

Download
memory/1916-2104-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/1916-2102-0x0000000140000000-0x000000014062A000-memory.dmp

Filesize
6.2MB

Download
memory/1916-2818-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/2008-2178-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/2008-2181-0x000001D7AAB30000-0x000001D7AAB40000-memory.dmp

Filesize
64KB

Download
memory/2008-2180-0x000001D7AAB30000-0x000001D7AAB40000-memory.dmp

Filesize
64KB

Download
memory/2008-2179-0x000001D7AAB30000-0x000001D7AAB40000-memory.dmp

Filesize
64KB

Download
memory/2008-2183-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3128-63-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-43-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-35-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-31-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-29-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-27-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-25-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-23-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-19-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-17-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-15-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-13-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-707-0x000000001C660000-0x000000001C670000-memory.dmp

Filesize
64KB

Download
memory/3128-39-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-2098-0x000000001C660000-0x000000001C670000-memory.dmp

Filesize
64KB

Download
memory/3128-41-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-2103-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3128-45-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-47-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-2-0x000000001C660000-0x000000001C670000-memory.dmp

Filesize
64KB

Download
memory/3128-49-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-1-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3128-3-0x000000001C770000-0x000000001C7E6000-memory.dmp

Filesize
472KB

Download
memory/3128-4-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3128-5-0x000000001DAA0000-0x000000001E106000-memory.dmp

Filesize
6.4MB

Download
memory/3128-6-0x00000000035A0000-0x00000000035BE000-memory.dmp

Filesize
120KB

Download
memory/3128-51-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-53-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-57-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-59-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-61-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-0-0x0000000000290000-0x00000000008FA000-memory.dmp

Filesize
6.4MB

Download
memory/3128-67-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-69-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-71-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-65-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-55-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-37-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-33-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-21-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-8-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-11-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-9-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-7-0x000000001D330000-0x000000001D39C000-memory.dmp

Filesize
432KB

Download
memory/3152-2121-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3152-2117-0x000001C878AF0000-0x000001C878B00000-memory.dmp

Filesize
64KB

Download
memory/3152-2118-0x000001C878AF0000-0x000001C878B00000-memory.dmp

Filesize
64KB

Download
memory/3152-2115-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3152-2116-0x000001C878AF0000-0x000001C878B00000-memory.dmp

Filesize
64KB

Download
memory/3152-2105-0x000001C878AC0000-0x000001C878AE2000-memory.dmp

Filesize
136KB

Download