zgrat | 357b4897a2c4cd56d0c9b1258a355877b5840903a13cb2dae6178344fbd695b2

Analysis

max time kernel
168s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe
Size

9KB
MD5

fa17ada82de6fd6c7b93ec054ce3f085
SHA1

9db9954948de1c720ad28bf41b5e10c3588d9c21
SHA256

776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603
SHA512

0495c2479f5d7fd47bdcd5a5a098fca2c05c50f2c851540da138f0f280ba944eb4f8cdb9241d54faf829f217b7d2f82d394cc84feb1536f2a96664e49234323e
SSDEEP

96:WAfyA0Qts/4gb1f4JaYogNJVMps3PH7C64ln+flCnWiYNYNaRzNt:z0Q6/4gkT2ps+6unyBakz

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/1000-5-0x00000253709B0000-0x0000025370B10000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-6-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-7-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-9-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-11-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-13-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-15-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-19-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-17-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-21-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-23-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-25-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-27-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-29-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-31-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-33-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-35-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-37-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-39-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-41-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-43-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-45-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-47-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-49-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-51-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-53-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-55-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-57-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-59-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-61-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-63-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-65-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-67-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1000-69-0x00000253709B0000-0x0000025370B0B000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ljfwqmdkju = "C:\\Users\\Admin\\AppData\\Roaming\\Ljfwqmdkju.exe"	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 1832	1000	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe	109

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1000	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1832	1000	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe	109
PID 1000 wrote to memory of 1832	1000	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe	109
PID 1000 wrote to memory of 1832	1000	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe	109
PID 1000 wrote to memory of 1832	1000	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe	109
PID 1000 wrote to memory of 1832	1000	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe	109
PID 1000 wrote to memory of 1832	1000	776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe	109

C:\Users\Admin\AppData\Local\Temp\776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe
"C:\Users\Admin\AppData\Local\Temp\776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe
  C:\Users\Admin\AppData\Local\Temp\776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe
  2⤵
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\776f5f4b3705685232f19d3bc76bc34af07ee2f230b9f4e16e56475dc7318603.exe.log

Filesize
1KB

MD5
613cb5d019ab441a116f4eef391473c5

SHA1
f5b5ee69ffed1572a4dfeb057ff7d8497ca26b7e

SHA256
fdee314b0607958df9c21a1c3ecad8149a243e0a6fe15002ff0fcc3435a9f1e6

SHA512
2dfb09adac2591594932cbf634ed54b52336150e5c1b9ae8ed09a2a61035296c02cc4d22bb515c88b36bacd26271048fa99d2044242631ecd9cf6a724fb8809f

Download Submit
memory/1000-41-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-17-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-3-0x00007FFCD1C20000-0x00007FFCD26E1000-memory.dmp

Filesize
10.8MB

Download
memory/1000-4-0x0000025358070000-0x0000025358080000-memory.dmp

Filesize
64KB

Download
memory/1000-5-0x00000253709B0000-0x0000025370B10000-memory.dmp

Filesize
1.4MB

Download
memory/1000-6-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-7-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-9-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-11-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-13-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-15-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-19-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-0-0x00000253562A0000-0x00000253562A8000-memory.dmp

Filesize
32KB

Download
memory/1000-21-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-23-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-25-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-27-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-29-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-31-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-33-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-35-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-37-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-2-0x0000025358070000-0x0000025358080000-memory.dmp

Filesize
64KB

Download
memory/1000-39-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-57-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-45-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-47-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-49-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-51-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-53-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-55-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-43-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-59-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-61-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-63-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-65-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-67-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-69-0x00000253709B0000-0x0000025370B0B000-memory.dmp

Filesize
1.4MB

Download
memory/1000-938-0x0000025356680000-0x0000025356681000-memory.dmp

Filesize
4KB

Download
memory/1000-939-0x0000025370B10000-0x0000025370C08000-memory.dmp

Filesize
992KB

Download
memory/1000-940-0x0000025357FF0000-0x000002535803C000-memory.dmp

Filesize
304KB

Download
memory/1000-1-0x00007FFCD1C20000-0x00007FFCD26E1000-memory.dmp

Filesize
10.8MB

Download
memory/1000-949-0x00007FFCD1C20000-0x00007FFCD26E1000-memory.dmp

Filesize
10.8MB

Download
memory/1832-947-0x00000222CCBD0000-0x00000222CCBE0000-memory.dmp

Filesize
64KB

Download
memory/1832-946-0x00007FFCD1C20000-0x00007FFCD26E1000-memory.dmp

Filesize
10.8MB

Download
memory/1832-948-0x00000222CCA00000-0x00000222CCB0A000-memory.dmp

Filesize
1.0MB

Download
memory/1832-945-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download