zgrat | e065974b0db0079fcc57cf5d209fa267c852772a58a68cee307a72c91d382a8e

Analysis

max time kernel
141s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

D3C4575E325D9B2EA4375BE6AE184469.exe
Size

3.7MB
MD5

d3c4575e325d9b2ea4375be6ae184469
SHA1

dba82c40924a219234c29c7ab7d6da4e715c8aa2
SHA256

e065974b0db0079fcc57cf5d209fa267c852772a58a68cee307a72c91d382a8e
SHA512

75d19580269523c1eedbcf3079c6bd15dd4848d212e81028af1a7363927153451b3d579dd5f158df787edd246a9fcc18f7b48d67629e8f120bdd998d6641ef7d
SSDEEP

98304:723bBil+7+NRBY2V9sJg2E65NEOzobiP8Xlb46LqpGVP:70BioqNbY2nsJg2E6Npzobi0Xlb462

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/2244-0-0x0000000000F90000-0x000000000134A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	D3C4575E325D9B2EA4375BE6AE184469.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\explorer.exe	D3C4575E325D9B2EA4375BE6AE184469.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\explorer.exe	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\7a0fd90576e088	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files (x86)\Adobe\RuntimeBroker.exe	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files (x86)\Adobe\9e8d7a4ca61bd9	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe	D3C4575E325D9B2EA4375BE6AE184469.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\886983d96e3d3e	D3C4575E325D9B2EA4375BE6AE184469.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	D3C4575E325D9B2EA4375BE6AE184469.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe
2244	D3C4575E325D9B2EA4375BE6AE184469.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	D3C4575E325D9B2EA4375BE6AE184469.exe
Token: SeDebugPrivilege	3264	D3C4575E325D9B2EA4375BE6AE184469.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 3688	2244	D3C4575E325D9B2EA4375BE6AE184469.exe	93
PID 2244 wrote to memory of 3688	2244	D3C4575E325D9B2EA4375BE6AE184469.exe	93
PID 3688 wrote to memory of 4708	3688	cmd.exe	95
PID 3688 wrote to memory of 4708	3688	cmd.exe	95
PID 3688 wrote to memory of 3340	3688	cmd.exe	94
PID 3688 wrote to memory of 3340	3688	cmd.exe	94
PID 3688 wrote to memory of 3264	3688	cmd.exe	99
PID 3688 wrote to memory of 3264	3688	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\D3C4575E325D9B2EA4375BE6AE184469.exe
"C:\Users\Admin\AppData\Local\Temp\D3C4575E325D9B2EA4375BE6AE184469.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7g3TGbo2PO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3340
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4708
- - C:\Users\Admin\AppData\Local\Temp\D3C4575E325D9B2EA4375BE6AE184469.exe
    "C:\Users\Admin\AppData\Local\Temp\D3C4575E325D9B2EA4375BE6AE184469.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\D3C4575E325D9B2EA4375BE6AE184469.exe.log

Filesize
1KB

MD5
98d93f7a2239452aef29ed995c71b759

SHA1
d1fc6bff08e49cb16a1e5d0b0348232282cf5677

SHA256
399712789c6f2c7bd1b7afdf835eb2ac525632424daf08e751186195ebdbba52

SHA512
1073e74c9f065aa02be1bfb172308c555c0ad0c5ff35315d76de23d2c6daf1d3fe0b32042a428431847d09b679f14cb129c058af3277e9ed16787d37ae276d96

Download Submit
memory/2244-0-0x0000000000F90000-0x000000000134A000-memory.dmp

Filesize
3.7MB

Download
memory/2244-1-0x00007FF8B74D0000-0x00007FF8B7F91000-memory.dmp

Filesize
10.8MB

Download
memory/2244-3-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2244-2-0x000000001C000000-0x000000001C010000-memory.dmp

Filesize
64KB

Download
memory/2244-8-0x00007FF8D4110000-0x00007FF8D41CE000-memory.dmp

Filesize
760KB

Download
memory/2244-5-0x00007FF8D4100000-0x00007FF8D4101000-memory.dmp

Filesize
4KB

Download
memory/2244-7-0x000000001BF90000-0x000000001BFB6000-memory.dmp

Filesize
152KB

Download
memory/2244-4-0x000000001C000000-0x000000001C010000-memory.dmp

Filesize
64KB

Download
memory/2244-13-0x000000001BFC0000-0x000000001BFDC000-memory.dmp

Filesize
112KB

Download
memory/2244-18-0x00007FF8D40D0000-0x00007FF8D40D1000-memory.dmp

Filesize
4KB

Download
memory/2244-17-0x0000000003460000-0x0000000003470000-memory.dmp

Filesize
64KB

Download
memory/2244-15-0x000000001D550000-0x000000001D5A0000-memory.dmp

Filesize
320KB

Download
memory/2244-25-0x0000000003580000-0x0000000003590000-memory.dmp

Filesize
64KB

Download
memory/2244-29-0x0000000003590000-0x00000000035A0000-memory.dmp

Filesize
64KB

Download
memory/2244-32-0x00007FF8D4090000-0x00007FF8D4091000-memory.dmp

Filesize
4KB

Download
memory/2244-31-0x00000000035A0000-0x00000000035AE000-memory.dmp

Filesize
56KB

Download
memory/2244-39-0x000000001C020000-0x000000001C02C000-memory.dmp

Filesize
48KB

Download
memory/2244-42-0x00007FF8D4110000-0x00007FF8D41CE000-memory.dmp

Filesize
760KB

Download
memory/2244-46-0x00007FF8D3EC0000-0x00007FF8D3EC1000-memory.dmp

Filesize
4KB

Download
memory/2244-45-0x000000001D520000-0x000000001D532000-memory.dmp

Filesize
72KB

Download
memory/2244-43-0x00007FF8D3ED0000-0x00007FF8D3ED1000-memory.dmp

Filesize
4KB

Download
memory/2244-49-0x000000001D500000-0x000000001D50C000-memory.dmp

Filesize
48KB

Download
memory/2244-52-0x00007FF8D3EA0000-0x00007FF8D3EA1000-memory.dmp

Filesize
4KB

Download
memory/2244-51-0x000000001D510000-0x000000001D520000-memory.dmp

Filesize
64KB

Download
memory/2244-58-0x000000001D5E0000-0x000000001D5F2000-memory.dmp

Filesize
72KB

Download
memory/2244-56-0x00007FF8D3E80000-0x00007FF8D3E81000-memory.dmp

Filesize
4KB

Download
memory/2244-59-0x000000001DB30000-0x000000001E058000-memory.dmp

Filesize
5.2MB

Download
memory/2244-55-0x000000001D5C0000-0x000000001D5D6000-memory.dmp

Filesize
88KB

Download
memory/2244-62-0x00007FF8D3E70000-0x00007FF8D3E71000-memory.dmp

Filesize
4KB

Download
memory/2244-61-0x000000001D540000-0x000000001D54E000-memory.dmp

Filesize
56KB

Download
memory/2244-53-0x00007FF8D3E90000-0x00007FF8D3E91000-memory.dmp

Filesize
4KB

Download
memory/2244-47-0x00007FF8D3EB0000-0x00007FF8D3EB1000-memory.dmp

Filesize
4KB

Download
memory/2244-41-0x000000001C030000-0x000000001C03E000-memory.dmp

Filesize
56KB

Download
memory/2244-37-0x00007FF8D3EE0000-0x00007FF8D3EE1000-memory.dmp

Filesize
4KB

Download
memory/2244-36-0x00007FF8D4080000-0x00007FF8D4081000-memory.dmp

Filesize
4KB

Download
memory/2244-35-0x000000001C000000-0x000000001C010000-memory.dmp

Filesize
64KB

Download
memory/2244-34-0x000000001C010000-0x000000001C01E000-memory.dmp

Filesize
56KB

Download
memory/2244-27-0x00007FF8D40A0000-0x00007FF8D40A1000-memory.dmp

Filesize
4KB

Download
memory/2244-26-0x000000001C000000-0x000000001C010000-memory.dmp

Filesize
64KB

Download
memory/2244-23-0x00007FF8D40B0000-0x00007FF8D40B1000-memory.dmp

Filesize
4KB

Download
memory/2244-22-0x00007FF8D40C0000-0x00007FF8D40C1000-memory.dmp

Filesize
4KB

Download
memory/2244-21-0x00007FF8B74D0000-0x00007FF8B7F91000-memory.dmp

Filesize
10.8MB

Download
memory/2244-67-0x000000001D5B0000-0x000000001D5C0000-memory.dmp

Filesize
64KB

Download
memory/2244-71-0x00007FF8D3E40000-0x00007FF8D3E41000-memory.dmp

Filesize
4KB

Download
memory/2244-74-0x000000001D670000-0x000000001D6CA000-memory.dmp

Filesize
360KB

Download
memory/2244-77-0x00007FF8D3E20000-0x00007FF8D3E21000-memory.dmp

Filesize
4KB

Download
memory/2244-76-0x000000001D610000-0x000000001D61E000-memory.dmp

Filesize
56KB

Download
memory/2244-80-0x000000001D620000-0x000000001D630000-memory.dmp

Filesize
64KB

Download
memory/2244-83-0x000000001D630000-0x000000001D63E000-memory.dmp

Filesize
56KB

Download
memory/2244-86-0x000000001D8D0000-0x000000001D8E8000-memory.dmp

Filesize
96KB

Download
memory/2244-89-0x000000001D640000-0x000000001D64C000-memory.dmp

Filesize
48KB

Download
memory/2244-87-0x00007FF8D3DE0000-0x00007FF8D3DE1000-memory.dmp

Filesize
4KB

Download
memory/2244-85-0x00007FF8D3DF0000-0x00007FF8D3DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-81-0x00007FF8D3E00000-0x00007FF8D3E01000-memory.dmp

Filesize
4KB

Download
memory/2244-78-0x00007FF8D3E10000-0x00007FF8D3E11000-memory.dmp

Filesize
4KB

Download
memory/2244-72-0x00007FF8D3E30000-0x00007FF8D3E31000-memory.dmp

Filesize
4KB

Download
memory/2244-109-0x000000001E060000-0x000000001E12D000-memory.dmp

Filesize
820KB

Download
memory/2244-70-0x000000001D600000-0x000000001D610000-memory.dmp

Filesize
64KB

Download
memory/2244-68-0x00007FF8D3E50000-0x00007FF8D3E51000-memory.dmp

Filesize
4KB

Download
memory/2244-65-0x000000001D5A0000-0x000000001D5AC000-memory.dmp

Filesize
48KB

Download
memory/2244-63-0x00007FF8D3E60000-0x00007FF8D3E61000-memory.dmp

Filesize
4KB

Download
memory/2244-20-0x000000001BFE0000-0x000000001BFF8000-memory.dmp

Filesize
96KB

Download
memory/2244-14-0x00007FF8D40E0000-0x00007FF8D40E1000-memory.dmp

Filesize
4KB

Download
memory/2244-11-0x0000000003410000-0x000000000341E000-memory.dmp

Filesize
56KB

Download
memory/2244-9-0x00007FF8D40F0000-0x00007FF8D40F1000-memory.dmp

Filesize
4KB

Download
memory/3264-178-0x000000001C920000-0x000000001C9ED000-memory.dmp

Filesize
820KB

Download