Analysis Overview
SHA256
0ad4f1d30893f1e1a9cd576cea5ce0ac536ab9b361c7bda325d42fe52f306531
Threat Level: Known bad
The file 025079c343931f6b9327d097676bd2e1.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
NanoCore
ZGRat
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-01 09:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-01 09:49
Reported
2024-01-06 04:49
Platform
win7-20231215-en
Max time kernel
2s
Max time network
157s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NanoCore
ZGRat
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2996 set thread context of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe
"C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe"
C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe
"C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 45.154.4.187:7416 | | tcp |
| DE | 45.154.4.187:7416 | | tcp |
| DE | 45.154.4.187:7416 | | tcp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| DE | 45.154.4.187:7416 | | tcp |
| DE | 45.154.4.187:7416 | | tcp |
| DE | 45.154.4.187:7416 | | tcp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| DE | 45.154.4.187:7416 | | tcp |
| DE | 45.154.4.187:7416 | | tcp |
Files
memory/2996-1-0x0000000074300000-0x00000000749EE000-memory.dmp
memory/2996-0-0x0000000000E50000-0x0000000000F8C000-memory.dmp
memory/2996-2-0x0000000004F40000-0x0000000004F80000-memory.dmp
memory/2996-3-0x0000000004390000-0x0000000004434000-memory.dmp
memory/2996-4-0x0000000000500000-0x0000000000516000-memory.dmp
memory/1148-6-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1148-16-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1148-14-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1148-17-0x0000000073C10000-0x00000000742FE000-memory.dmp
memory/2996-13-0x0000000074300000-0x00000000749EE000-memory.dmp
memory/1148-18-0x0000000000460000-0x00000000004A0000-memory.dmp
memory/1148-11-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1148-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1148-8-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1148-7-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1148-5-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1148-20-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/1148-21-0x0000000000440000-0x000000000045E000-memory.dmp
memory/1148-22-0x00000000004A0000-0x00000000004AA000-memory.dmp
memory/1148-23-0x0000000073C10000-0x00000000742FE000-memory.dmp
memory/1148-24-0x0000000000460000-0x00000000004A0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-01 09:49
Reported
2024-01-06 04:51
Platform
win10v2004-20231215-en
Max time kernel
165s
Max time network
183s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
NanoCore
ZGRat
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4200 set thread context of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe
"C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe"
C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe
"C:\Users\Admin\AppData\Local\Temp\025079c343931f6b9327d097676bd2e1.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| DE | 45.154.4.187:7416 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 45.154.4.187:7416 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| DE | 45.154.4.187:7416 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| DE | 45.154.4.187:7416 | | tcp |
| DE | 45.154.4.187:7416 | | tcp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| DE | 45.154.4.187:7416 | | tcp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| US | 8.8.4.4:53 | alexwill.ddns.net | udp |
| US | 8.8.8.8:53 | alexwill.ddns.net | udp |
| DE | 45.154.4.187:7416 | | tcp |
Files
memory/4200-1-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/4200-0-0x0000000000C60000-0x0000000000D9C000-memory.dmp
memory/4200-2-0x0000000005ED0000-0x0000000006474000-memory.dmp
memory/4200-3-0x00000000057C0000-0x0000000005852000-memory.dmp
memory/4200-4-0x0000000005860000-0x00000000058D6000-memory.dmp
memory/4200-5-0x0000000005920000-0x00000000059BC000-memory.dmp
memory/4200-6-0x0000000005B30000-0x0000000005B40000-memory.dmp
memory/4200-7-0x0000000005760000-0x000000000577E000-memory.dmp
memory/4200-8-0x0000000005A40000-0x0000000005AE4000-memory.dmp
memory/4200-9-0x0000000005790000-0x00000000057A6000-memory.dmp
memory/4092-10-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4092-12-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/4200-13-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/4092-14-0x0000000005340000-0x0000000005350000-memory.dmp
memory/4092-15-0x0000000005330000-0x000000000533A000-memory.dmp
memory/4092-17-0x0000000005A00000-0x0000000005A0A000-memory.dmp
memory/4092-18-0x00000000060B0000-0x00000000060CE000-memory.dmp
memory/4092-19-0x00000000061F0000-0x00000000061FA000-memory.dmp
memory/4092-20-0x0000000074A50000-0x0000000075200000-memory.dmp
memory/4092-21-0x0000000005340000-0x0000000005350000-memory.dmp