zgrat | e04b61d1ca799559e8e22b4df62e49c134934fad3e9efe55d7336d171e4009d7

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42af7513c4f90b903faea61ef6f3730e.exe
Size

2.3MB
MD5

42af7513c4f90b903faea61ef6f3730e
SHA1

362f7f224e6a44efbd8111b73d3957ccbc8b6ad2
SHA256

e04b61d1ca799559e8e22b4df62e49c134934fad3e9efe55d7336d171e4009d7
SHA512

61e8827003371e6baee9ed6bdd30838314216358c8f9687e058f9ebe6f7a533af2858277dbf912d2a27f1aa9d106300e4267cf2a95a35bd21a233c9c5126c6bb
SSDEEP

49152:ZTrFrY0PuAPqmxJic7p24NLfweBFBz2fKwz/KqKW:Z3lZuAPqmxJJ784NLourkrzCB

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1992-175-0x00000000050E0000-0x0000000005152000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2328	1992	42af7513c4f90b903faea61ef6f3730e.exe	24
PID 1992 wrote to memory of 2328	1992	42af7513c4f90b903faea61ef6f3730e.exe	24
PID 1992 wrote to memory of 2328	1992	42af7513c4f90b903faea61ef6f3730e.exe	24
PID 1992 wrote to memory of 2328	1992	42af7513c4f90b903faea61ef6f3730e.exe	24

C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
"C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:2328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:2148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:2340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:2660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:2520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:2028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:2220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:2276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:1668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  PID:112
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:1512
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:628
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  C:\Users\Admin\AppData\Local\Temp\42af7513c4f90b903faea61ef6f3730e.exe
  2⤵
  PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LFRKQ2I9LTB8QBRMLIUY.temp

Filesize
7KB

MD5
f194a34d8debfa0823a215a37bc1d9f9

SHA1
74ff9592e37907cdab3f98f3a0ff1605f0b9e688

SHA256
0969ecadde5434130e7e21d8185830cb6e4fdbd5c578590d595f2de61dd7ca94

SHA512
4c0e4d0371472efa7135bce813f1f1b1f1704ae56057ab8c27f2a324fc1b846abdb04644260bf49bc80066200e2ea074955c24583d845701c99753e6e0b28849

Download Submit
memory/112-106-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/112-104-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/112-109-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/112-107-0x0000000002C40000-0x0000000002C80000-memory.dmp

Filesize
256KB

Download
memory/112-108-0x0000000002C40000-0x0000000002C80000-memory.dmp

Filesize
256KB

Download
memory/112-105-0x0000000002C40000-0x0000000002C80000-memory.dmp

Filesize
256KB

Download
memory/1668-92-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-97-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-93-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/1668-95-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/1668-96-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/1668-94-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-126-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-114-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-122-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-124-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-172-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-130-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-132-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-136-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-138-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-140-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-144-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-146-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-148-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-152-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-154-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-174-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-158-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-57-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-170-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-63-0x0000000004580000-0x00000000045C0000-memory.dmp

Filesize
256KB

Download
memory/1992-164-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-156-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-150-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-142-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-134-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-128-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-120-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-112-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-110-0x0000000009070000-0x0000000009294000-memory.dmp

Filesize
2.1MB

Download
memory/1992-1-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-160-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-162-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-166-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-0-0x00000000002D0000-0x000000000051E000-memory.dmp

Filesize
2.3MB

Download
memory/1992-175-0x00000000050E0000-0x0000000005152000-memory.dmp

Filesize
456KB

Download
memory/1992-2-0x0000000004580000-0x00000000045C0000-memory.dmp

Filesize
256KB

Download
memory/1992-168-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-2561-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-111-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-116-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/1992-118-0x0000000009070000-0x000000000928F000-memory.dmp

Filesize
2.1MB

Download
memory/2028-64-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-60-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-62-0x0000000002E00000-0x0000000002E40000-memory.dmp

Filesize
256KB

Download
memory/2028-61-0x0000000002E00000-0x0000000002E40000-memory.dmp

Filesize
256KB

Download
memory/2028-59-0x0000000002E00000-0x0000000002E40000-memory.dmp

Filesize
256KB

Download
memory/2028-58-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-18-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-17-0x0000000002F90000-0x0000000002FD0000-memory.dmp

Filesize
256KB

Download
memory/2148-19-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-21-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2148-20-0x0000000002F90000-0x0000000002FD0000-memory.dmp

Filesize
256KB

Download
memory/2148-16-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-72-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-73-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/2220-74-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/2220-71-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/2220-70-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-75-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2276-83-0x000000006FE40000-0x00000000703EB000-memory.dmp

Filesize
5.7MB

Download
memory/2276-86-0x000000006FE40000-0x00000000703EB000-memory.dmp

Filesize
5.7MB

Download
memory/2276-82-0x0000000002E80000-0x0000000002EC0000-memory.dmp

Filesize
256KB

Download
memory/2276-84-0x0000000002E80000-0x0000000002EC0000-memory.dmp

Filesize
256KB

Download
memory/2276-85-0x0000000002E80000-0x0000000002EC0000-memory.dmp

Filesize
256KB

Download
memory/2276-81-0x000000006FE40000-0x00000000703EB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-8-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2328-5-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-9-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2328-7-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-6-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2328-10-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/2340-30-0x0000000002E40000-0x0000000002E80000-memory.dmp

Filesize
256KB

Download
memory/2340-28-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-31-0x0000000002E40000-0x0000000002E80000-memory.dmp

Filesize
256KB

Download
memory/2340-32-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-29-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-48-0x0000000001CB0000-0x0000000001CF0000-memory.dmp

Filesize
256KB

Download
memory/2520-47-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-49-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-50-0x0000000001CB0000-0x0000000001CF0000-memory.dmp

Filesize
256KB

Download
memory/2520-51-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-39-0x0000000002B30000-0x0000000002B70000-memory.dmp

Filesize
256KB

Download
memory/2660-40-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-38-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/2660-41-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download