zgrat | 490e9bf001134266683e18fbe9e8f1b14aa3535e035ed79b8c68e025543b1d0c

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ed686c2589a244be106a6dddde801f8.exe
Size

10.5MB
MD5

2ed686c2589a244be106a6dddde801f8
SHA1

cfb489b3c2c5940a18ab57c34fb4ef2f39161611
SHA256

490e9bf001134266683e18fbe9e8f1b14aa3535e035ed79b8c68e025543b1d0c
SHA512

6748264a2b8e55bc5097fdf53f7f0dd3f91ce8060134e94cf8f775efb844055a3babaa818fe4f005605b77174d13ba024ffe862e354feda9e3d814d760d0e675
SSDEEP

12288:R9C/QKe5soX7IeGZcheDdAJljshoAkdQ3uNozoZWHLv98baYh2SnvXdRM0ChnNGn:RwBd3X3w

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1340-6-0x0000000000E10000-0x0000000000E2C000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\stst = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\windows\\stst.exe\""	2ed686c2589a244be106a6dddde801f8.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe
1340	2ed686c2589a244be106a6dddde801f8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	2ed686c2589a244be106a6dddde801f8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2732	1340	2ed686c2589a244be106a6dddde801f8.exe	30
PID 1340 wrote to memory of 2732	1340	2ed686c2589a244be106a6dddde801f8.exe	30
PID 1340 wrote to memory of 2732	1340	2ed686c2589a244be106a6dddde801f8.exe	30
PID 1340 wrote to memory of 2732	1340	2ed686c2589a244be106a6dddde801f8.exe	30
PID 1340 wrote to memory of 2696	1340	2ed686c2589a244be106a6dddde801f8.exe	31
PID 1340 wrote to memory of 2696	1340	2ed686c2589a244be106a6dddde801f8.exe	31
PID 1340 wrote to memory of 2696	1340	2ed686c2589a244be106a6dddde801f8.exe	31
PID 1340 wrote to memory of 2696	1340	2ed686c2589a244be106a6dddde801f8.exe	31
PID 1340 wrote to memory of 2608	1340	2ed686c2589a244be106a6dddde801f8.exe	32
PID 1340 wrote to memory of 2608	1340	2ed686c2589a244be106a6dddde801f8.exe	32
PID 1340 wrote to memory of 2608	1340	2ed686c2589a244be106a6dddde801f8.exe	32
PID 1340 wrote to memory of 2608	1340	2ed686c2589a244be106a6dddde801f8.exe	32
PID 1340 wrote to memory of 2624	1340	2ed686c2589a244be106a6dddde801f8.exe	33
PID 1340 wrote to memory of 2624	1340	2ed686c2589a244be106a6dddde801f8.exe	33
PID 1340 wrote to memory of 2624	1340	2ed686c2589a244be106a6dddde801f8.exe	33
PID 1340 wrote to memory of 2624	1340	2ed686c2589a244be106a6dddde801f8.exe	33
PID 1340 wrote to memory of 2560	1340	2ed686c2589a244be106a6dddde801f8.exe	34
PID 1340 wrote to memory of 2560	1340	2ed686c2589a244be106a6dddde801f8.exe	34
PID 1340 wrote to memory of 2560	1340	2ed686c2589a244be106a6dddde801f8.exe	34
PID 1340 wrote to memory of 2560	1340	2ed686c2589a244be106a6dddde801f8.exe	34
PID 1340 wrote to memory of 2556	1340	2ed686c2589a244be106a6dddde801f8.exe	35
PID 1340 wrote to memory of 2556	1340	2ed686c2589a244be106a6dddde801f8.exe	35
PID 1340 wrote to memory of 2556	1340	2ed686c2589a244be106a6dddde801f8.exe	35
PID 1340 wrote to memory of 2556	1340	2ed686c2589a244be106a6dddde801f8.exe	35
PID 1340 wrote to memory of 2576	1340	2ed686c2589a244be106a6dddde801f8.exe	36
PID 1340 wrote to memory of 2576	1340	2ed686c2589a244be106a6dddde801f8.exe	36
PID 1340 wrote to memory of 2576	1340	2ed686c2589a244be106a6dddde801f8.exe	36
PID 1340 wrote to memory of 2576	1340	2ed686c2589a244be106a6dddde801f8.exe	36
PID 1340 wrote to memory of 2592	1340	2ed686c2589a244be106a6dddde801f8.exe	37
PID 1340 wrote to memory of 2592	1340	2ed686c2589a244be106a6dddde801f8.exe	37
PID 1340 wrote to memory of 2592	1340	2ed686c2589a244be106a6dddde801f8.exe	37
PID 1340 wrote to memory of 2592	1340	2ed686c2589a244be106a6dddde801f8.exe	37
PID 1340 wrote to memory of 2604	1340	2ed686c2589a244be106a6dddde801f8.exe	38
PID 1340 wrote to memory of 2604	1340	2ed686c2589a244be106a6dddde801f8.exe	38
PID 1340 wrote to memory of 2604	1340	2ed686c2589a244be106a6dddde801f8.exe	38
PID 1340 wrote to memory of 2604	1340	2ed686c2589a244be106a6dddde801f8.exe	38
PID 1340 wrote to memory of 2636	1340	2ed686c2589a244be106a6dddde801f8.exe	39
PID 1340 wrote to memory of 2636	1340	2ed686c2589a244be106a6dddde801f8.exe	39
PID 1340 wrote to memory of 2636	1340	2ed686c2589a244be106a6dddde801f8.exe	39
PID 1340 wrote to memory of 2636	1340	2ed686c2589a244be106a6dddde801f8.exe	39
PID 1340 wrote to memory of 1476	1340	2ed686c2589a244be106a6dddde801f8.exe	40
PID 1340 wrote to memory of 1476	1340	2ed686c2589a244be106a6dddde801f8.exe	40
PID 1340 wrote to memory of 1476	1340	2ed686c2589a244be106a6dddde801f8.exe	40
PID 1340 wrote to memory of 1476	1340	2ed686c2589a244be106a6dddde801f8.exe	40
PID 1340 wrote to memory of 3060	1340	2ed686c2589a244be106a6dddde801f8.exe	41
PID 1340 wrote to memory of 3060	1340	2ed686c2589a244be106a6dddde801f8.exe	41
PID 1340 wrote to memory of 3060	1340	2ed686c2589a244be106a6dddde801f8.exe	41
PID 1340 wrote to memory of 3060	1340	2ed686c2589a244be106a6dddde801f8.exe	41
PID 1340 wrote to memory of 3064	1340	2ed686c2589a244be106a6dddde801f8.exe	42
PID 1340 wrote to memory of 3064	1340	2ed686c2589a244be106a6dddde801f8.exe	42
PID 1340 wrote to memory of 3064	1340	2ed686c2589a244be106a6dddde801f8.exe	42
PID 1340 wrote to memory of 3064	1340	2ed686c2589a244be106a6dddde801f8.exe	42
PID 1340 wrote to memory of 2856	1340	2ed686c2589a244be106a6dddde801f8.exe	43
PID 1340 wrote to memory of 2856	1340	2ed686c2589a244be106a6dddde801f8.exe	43
PID 1340 wrote to memory of 2856	1340	2ed686c2589a244be106a6dddde801f8.exe	43
PID 1340 wrote to memory of 2856	1340	2ed686c2589a244be106a6dddde801f8.exe	43
PID 1340 wrote to memory of 2344	1340	2ed686c2589a244be106a6dddde801f8.exe	44
PID 1340 wrote to memory of 2344	1340	2ed686c2589a244be106a6dddde801f8.exe	44
PID 1340 wrote to memory of 2344	1340	2ed686c2589a244be106a6dddde801f8.exe	44
PID 1340 wrote to memory of 2344	1340	2ed686c2589a244be106a6dddde801f8.exe	44
PID 1340 wrote to memory of 2256	1340	2ed686c2589a244be106a6dddde801f8.exe	45
PID 1340 wrote to memory of 2256	1340	2ed686c2589a244be106a6dddde801f8.exe	45
PID 1340 wrote to memory of 2256	1340	2ed686c2589a244be106a6dddde801f8.exe	45
PID 1340 wrote to memory of 2256	1340	2ed686c2589a244be106a6dddde801f8.exe	45

C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
"C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:536
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:576
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:780
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1064
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1004
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1328
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe
  "C:\Users\Admin\AppData\Local\Temp\2ed686c2589a244be106a6dddde801f8.exe"
  2⤵
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-0-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-1-0x00000000001F0000-0x0000000000C68000-memory.dmp

Filesize
10.5MB

Download
memory/1340-2-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-3-0x00000000057A0000-0x00000000057E0000-memory.dmp

Filesize
256KB

Download
memory/1340-4-0x0000000007C40000-0x0000000007E00000-memory.dmp

Filesize
1.8MB

Download
memory/1340-6-0x0000000000E10000-0x0000000000E2C000-memory.dmp

Filesize
112KB

Download
memory/1340-7-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download