zgrat | db5011b16509afe1545daf23cc42b1bc3ff1a6b8efbe2d3f610b9cdde1681160

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 12:09

Target

40d26f881c7626ef6b69d3e1b2a0cdb1.exe
Size

321KB
MD5

40d26f881c7626ef6b69d3e1b2a0cdb1
SHA1

c350792bdf2c1d4c3ef26b9cf463dbbe1ba77ec1
SHA256

db5011b16509afe1545daf23cc42b1bc3ff1a6b8efbe2d3f610b9cdde1681160
SHA512

e3926144647c5d3641bffc0210fbadbb12e4c9dd21779e40e6694f5dd6a4ad6eef2c274ac717379201ca3f246684072bf6521645fd6b2bcf93239d979d0219bc
SSDEEP

6144:hFSw+DqFLpftpvkiNEZKpMHqO8/78HDua66Vm6QYThi9WIFzlkbAAqnVD:EeFLpftpvpeZKpMKOk78juaHQ6QYTUWa

Score

10^/10

zgrat rat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/1312-9-0x0000000005180000-0x0000000005196000-memory.dmp	family_zgrat_v1

Suspicious behavior: EnumeratesProcesses 10 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1560	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	69
PID 1312 wrote to memory of 1560	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	69
PID 1312 wrote to memory of 1560	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	69
PID 1312 wrote to memory of 1036	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	74
PID 1312 wrote to memory of 1036	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	74
PID 1312 wrote to memory of 1036	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	74
PID 1312 wrote to memory of 2652	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	73
PID 1312 wrote to memory of 2652	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	73
PID 1312 wrote to memory of 2652	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	73
PID 1312 wrote to memory of 4812	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	72
PID 1312 wrote to memory of 4812	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	72
PID 1312 wrote to memory of 4812	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	72
PID 1312 wrote to memory of 1936	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	71
PID 1312 wrote to memory of 1936	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	71
PID 1312 wrote to memory of 1936	1312	40d26f881c7626ef6b69d3e1b2a0cdb1.exe	71

C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe
"C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe
  "C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe"
  2⤵
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe
  "C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe"
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe
  "C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe"
  2⤵
  PID:4812
- C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe
  "C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe"
  2⤵
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe
  "C:\Users\Admin\AppData\Local\Temp\40d26f881c7626ef6b69d3e1b2a0cdb1.exe"
  2⤵
  PID:1036

memory/1312-1-0x0000000000730000-0x0000000000786000-memory.dmp

Filesize
344KB

Download
memory/1312-0-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/1312-2-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/1312-3-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/1312-4-0x0000000005250000-0x00000000052C6000-memory.dmp

Filesize
472KB

Download
memory/1312-5-0x0000000005370000-0x000000000540C000-memory.dmp

Filesize
624KB

Download
memory/1312-6-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/1312-7-0x0000000005150000-0x000000000516E000-memory.dmp

Filesize
120KB

Download
memory/1312-8-0x00000000052D0000-0x00000000052EE000-memory.dmp

Filesize
120KB

Download
memory/1312-9-0x0000000005180000-0x0000000005196000-memory.dmp

Filesize
88KB

Download
memory/1312-11-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download