zgrat | ab254e5bcf30770801da06adf22054fc787a0d6b3764169424746124a48dfb50

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a876f989c1ef0d1ab5316acabaaeb4b.exe
Size

6.2MB
MD5

0a876f989c1ef0d1ab5316acabaaeb4b
SHA1

fe15f50ed02accce123be1a9b333093c1a212ab5
SHA256

ab254e5bcf30770801da06adf22054fc787a0d6b3764169424746124a48dfb50
SHA512

d29e87e526a5ca9c52dfd279ac0c2ca4227bf16f58678614142363c9defcf9fdfa6fd0924939a5ddec244903fb38fa3882316e68bfb0195d4f60b1e678e92fef
SSDEEP

196608:fe4GLZhOxmiUZwt/zIKpMD1HytNYZjDbWpHq:W4GLZg3UZY+SHKnWY

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2028-54-0x000000001D240000-0x000000001D880000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-55-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-56-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-58-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-60-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-62-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-64-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-66-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-68-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-70-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-72-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-74-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-76-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-78-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-80-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-82-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-84-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-86-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-88-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-90-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-92-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-94-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-96-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-98-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-100-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-102-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-104-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-106-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-108-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-110-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-112-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-114-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-116-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1
behavioral1/memory/2028-118-0x000000001D240000-0x000000001D87B000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2664	powershell.exe
2644	powershell.exe
2832	powershell.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeIncreaseQuotaPrivilege	2664	powershell.exe
Token: SeSecurityPrivilege	2664	powershell.exe
Token: SeTakeOwnershipPrivilege	2664	powershell.exe
Token: SeLoadDriverPrivilege	2664	powershell.exe
Token: SeSystemProfilePrivilege	2664	powershell.exe
Token: SeSystemtimePrivilege	2664	powershell.exe
Token: SeProfSingleProcessPrivilege	2664	powershell.exe
Token: SeIncBasePriorityPrivilege	2664	powershell.exe
Token: SeCreatePagefilePrivilege	2664	powershell.exe
Token: SeBackupPrivilege	2664	powershell.exe
Token: SeRestorePrivilege	2664	powershell.exe
Token: SeShutdownPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeSystemEnvironmentPrivilege	2664	powershell.exe
Token: SeRemoteShutdownPrivilege	2664	powershell.exe
Token: SeUndockPrivilege	2664	powershell.exe
Token: SeManageVolumePrivilege	2664	powershell.exe
Token: 33	2664	powershell.exe
Token: 34	2664	powershell.exe
Token: 35	2664	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeIncreaseQuotaPrivilege	2644	powershell.exe
Token: SeSecurityPrivilege	2644	powershell.exe
Token: SeTakeOwnershipPrivilege	2644	powershell.exe
Token: SeLoadDriverPrivilege	2644	powershell.exe
Token: SeSystemProfilePrivilege	2644	powershell.exe
Token: SeSystemtimePrivilege	2644	powershell.exe
Token: SeProfSingleProcessPrivilege	2644	powershell.exe
Token: SeIncBasePriorityPrivilege	2644	powershell.exe
Token: SeCreatePagefilePrivilege	2644	powershell.exe
Token: SeBackupPrivilege	2644	powershell.exe
Token: SeRestorePrivilege	2644	powershell.exe
Token: SeShutdownPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeSystemEnvironmentPrivilege	2644	powershell.exe
Token: SeRemoteShutdownPrivilege	2644	powershell.exe
Token: SeUndockPrivilege	2644	powershell.exe
Token: SeManageVolumePrivilege	2644	powershell.exe
Token: 33	2644	powershell.exe
Token: 34	2644	powershell.exe
Token: 35	2644	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeIncreaseQuotaPrivilege	2832	powershell.exe
Token: SeSecurityPrivilege	2832	powershell.exe
Token: SeTakeOwnershipPrivilege	2832	powershell.exe
Token: SeLoadDriverPrivilege	2832	powershell.exe
Token: SeSystemProfilePrivilege	2832	powershell.exe
Token: SeSystemtimePrivilege	2832	powershell.exe
Token: SeProfSingleProcessPrivilege	2832	powershell.exe
Token: SeIncBasePriorityPrivilege	2832	powershell.exe
Token: SeCreatePagefilePrivilege	2832	powershell.exe
Token: SeBackupPrivilege	2832	powershell.exe
Token: SeRestorePrivilege	2832	powershell.exe
Token: SeShutdownPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeSystemEnvironmentPrivilege	2832	powershell.exe
Token: SeRemoteShutdownPrivilege	2832	powershell.exe
Token: SeUndockPrivilege	2832	powershell.exe
Token: SeManageVolumePrivilege	2832	powershell.exe
Token: 33	2832	powershell.exe
Token: 34	2832	powershell.exe
Token: 35	2832	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2664	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	28
PID 2028 wrote to memory of 2664	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	28
PID 2028 wrote to memory of 2664	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	28
PID 2028 wrote to memory of 2644	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	31
PID 2028 wrote to memory of 2644	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	31
PID 2028 wrote to memory of 2644	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	31
PID 2028 wrote to memory of 2832	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	35
PID 2028 wrote to memory of 2832	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	35
PID 2028 wrote to memory of 2832	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	35
PID 2028 wrote to memory of 1936	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	37
PID 2028 wrote to memory of 1936	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	37
PID 2028 wrote to memory of 1936	2028	0a876f989c1ef0d1ab5316acabaaeb4b.exe	37

C:\Users\Admin\AppData\Local\Temp\0a876f989c1ef0d1ab5316acabaaeb4b.exe
"C:\Users\Admin\AppData\Local\Temp\0a876f989c1ef0d1ab5316acabaaeb4b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4587c8ef63eae0fc5dae60d3ad7d03f1

SHA1
87281669a62bbd5bfc19a5b318828b991da79785

SHA256
cb3ab0b08aebe21ce3f80399268a2762fe7e0eb8612579efccb8593fe10161de

SHA512
45ed4b6c4fdeaa091220b338a634a2007b44fee4301baa37090ae4e1ef55a1ba59685b63363c4f0cf440f6ea2e89cfb6e8eab8ae951c35ce22f6ec3719c046d3

Download Submit
memory/1936-52-0x000007FEF2530000-0x000007FEF2ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1936-51-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1936-50-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1936-48-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1936-49-0x000007FEF2530000-0x000007FEF2ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1936-47-0x000007FEF2530000-0x000007FEF2ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2028-82-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-88-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-681-0x000000001BCA0000-0x000000001BD20000-memory.dmp

Filesize
512KB

Download
memory/2028-15-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2028-118-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-116-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-114-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-112-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-110-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-108-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-106-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-104-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-102-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-100-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-98-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-96-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-94-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-92-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-90-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-86-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-84-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-0-0x000000013F1D0000-0x000000013F80C000-memory.dmp

Filesize
6.2MB

Download
memory/2028-80-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-78-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-76-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-74-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-1-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2028-53-0x000000001BCA0000-0x000000001BD20000-memory.dmp

Filesize
512KB

Download
memory/2028-54-0x000000001D240000-0x000000001D880000-memory.dmp

Filesize
6.2MB

Download
memory/2028-55-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-56-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-58-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-60-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-62-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-64-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-66-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-68-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-70-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2028-72-0x000000001D240000-0x000000001D87B000-memory.dmp

Filesize
6.2MB

Download
memory/2644-29-0x000007FEF2530000-0x000007FEF2ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-21-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/2644-22-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2644-23-0x000007FEF2530000-0x000007FEF2ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-24-0x000007FEF2530000-0x000007FEF2ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2644-25-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2644-26-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2644-27-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2644-28-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/2664-12-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2664-11-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2664-14-0x000007FEF2ED0000-0x000007FEF386D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-6-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2664-10-0x000007FEF2ED0000-0x000007FEF386D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-9-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2664-13-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2664-8-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2664-7-0x000007FEF2ED0000-0x000007FEF386D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-37-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2832-41-0x000007FEF2ED0000-0x000007FEF386D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-40-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2832-39-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2832-38-0x000007FEF2ED0000-0x000007FEF386D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-36-0x000007FEF2ED0000-0x000007FEF386D000-memory.dmp

Filesize
9.6MB

Download