zgrat | a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09

Analysis

max time kernel
164s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

496d5fc129c98a075ea39863bd8938a2.exe
Size

4.2MB
MD5

496d5fc129c98a075ea39863bd8938a2
SHA1

17ea2c2f785749550044a4fe055163216f47b76c
SHA256

a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09
SHA512

567fa49ceced374a4123a7441014c1da325973d763f1222b4631b01c26ac7163330fae7a1ba08d73a9e68b4830e4320a17523d48ccd786f86b087a3d3094a2ad
SSDEEP

49152:36PaeNTOyzL4EXgpSTeCrkT04991Gexjmo1G3q99C336nGhl52LQaRV8/qz+qq2E:kagTOb4TGljhFmU/eqq2Ltk/FqqibWT7

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/4296-85-0x0000000006170000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-86-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-87-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-89-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-91-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-93-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-95-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-97-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-99-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-101-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-103-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-105-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-107-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-109-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-111-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-113-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-115-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-117-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-119-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-121-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-123-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-125-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-127-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-129-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-131-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-133-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-135-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-137-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-139-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-141-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-143-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-145-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-147-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4296-149-0x0000000006170000-0x00000000061EA000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Sys.pif
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	496d5fc129c98a075ea39863bd8938a2.exe

Executes dropped EXE 2 IoCs

pid	Process
4296	Sys.pif
2752	BF1PureCracker0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4296	Sys.pif

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 4296	1044	496d5fc129c98a075ea39863bd8938a2.exe	95
PID 1044 wrote to memory of 4296	1044	496d5fc129c98a075ea39863bd8938a2.exe	95
PID 1044 wrote to memory of 4296	1044	496d5fc129c98a075ea39863bd8938a2.exe	95
PID 1044 wrote to memory of 2752	1044	496d5fc129c98a075ea39863bd8938a2.exe	97
PID 1044 wrote to memory of 2752	1044	496d5fc129c98a075ea39863bd8938a2.exe	97
PID 4296 wrote to memory of 3908	4296	Sys.pif	111
PID 4296 wrote to memory of 3908	4296	Sys.pif	111
PID 4296 wrote to memory of 3908	4296	Sys.pif	111
PID 4296 wrote to memory of 4548	4296	Sys.pif	114
PID 4296 wrote to memory of 4548	4296	Sys.pif	114
PID 4296 wrote to memory of 4548	4296	Sys.pif	114

C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe
"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
  "C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
  "C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"
  2⤵
  - Executes dropped EXE
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

Filesize
383KB

MD5
c2a78b5610d2abd529688c420bde478e

SHA1
7a6b9c6f66f7df7540ecfd633f9735c4828f9b3a

SHA256
36c76fcef546a898a0c6f4d811b9106574ac5e82f5354569871be9679091871c

SHA512
b000464af649879dc724a9d805601ba9f627e03f28a65bc2a13a946f840d70bd8e6835511701657c795b96fd4521c7f23826b168a0bf2429e9d36bb596797aa2

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Direct2D1.dll

Filesize
470KB

MD5
19f8591a6baa83af46de41f20224b6f1

SHA1
c736799e1936cec37acbf66fdf1df96f4679562f

SHA256
a94e2f3c206351503f6c4002585af270880854b4b97b730ea51764ef23b5ba79

SHA512
db4798af16452ce7c0e47f59692e1643d2639b0744075b78bb9dc33dbf7de78392bb21f28529b091d54ed0a2185add12f38c256bcb3ba97d34a050e29a19617e

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Mathematics.dll

Filesize
216KB

MD5
d30f6fb490a820dcdd9c7da971036393

SHA1
177b1b912fb09efacce8bae24fca35ea514f131b

SHA256
be2fe214f8a1515824b523ac85f25c8856370d4ffd90cd22dd78c079f5ea803b

SHA512
332508c32d6c5baf16da59c619fb4b55dfdfccea667582d02ccf72e88d0ddc0acaa2df97adba038bbada9d839145a6cd76c4a7ced5346256d868b3bd548d82e2

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.dll

Filesize
260KB

MD5
6fabeaa1c8ea15e787f2e3b487ab434d

SHA1
c2091f69192903676ed6b181bbf8346b819c43a2

SHA256
28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909

SHA512
076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

Download Submit
C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

Filesize
2.2MB

MD5
76555816c73f34e86608807c7737a593

SHA1
3c38473581f2c602a25707ee9000634f4b4d033a

SHA256
64299aa25ed5fae3be2ac53c376875280bb624a555674bc89f43e58cf06fde6d

SHA512
a2a28ef202a332d002cf831c8fb94ef67dc392e543748c8b819fae191829fce038211a905ee08836556a73f9bc4918313c4be6ab9e7ef068503054eedfd3f22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcbj4mlk.3ee.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2752-32-0x00007FFD8D380000-0x00007FFD8DE41000-memory.dmp

Filesize
10.8MB

Download
memory/2752-33-0x00000190D0370000-0x00000190D0380000-memory.dmp

Filesize
64KB

Download
memory/2752-36-0x00000190D02B0000-0x00000190D032C000-memory.dmp

Filesize
496KB

Download
memory/2752-37-0x00000190CE8E0000-0x00000190CE8EA000-memory.dmp

Filesize
40KB

Download
memory/2752-44-0x00007FFD8D380000-0x00007FFD8DE41000-memory.dmp

Filesize
10.8MB

Download
memory/2752-39-0x00000190D0120000-0x00000190D0168000-memory.dmp

Filesize
288KB

Download
memory/2752-31-0x00000190CE8B0000-0x00000190CE8C8000-memory.dmp

Filesize
96KB

Download
memory/2752-41-0x00000190D0330000-0x00000190D036C000-memory.dmp

Filesize
240KB

Download
memory/2752-46-0x00000190D0370000-0x00000190D0380000-memory.dmp

Filesize
64KB

Download
memory/2752-30-0x00000190CE4A0000-0x00000190CE506000-memory.dmp

Filesize
408KB

Download
memory/3908-84-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3908-82-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/3908-57-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/3908-81-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

Filesize
304KB

Download
memory/3908-80-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

Filesize
120KB

Download
memory/3908-67-0x0000000005A30000-0x0000000005D84000-memory.dmp

Filesize
3.3MB

Download
memory/3908-353-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3908-51-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/3908-52-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/3908-53-0x00000000025A0000-0x00000000025D6000-memory.dmp

Filesize
216KB

Download
memory/3908-54-0x0000000005120000-0x0000000005748000-memory.dmp

Filesize
6.2MB

Download
memory/3908-55-0x0000000004E40000-0x0000000004E62000-memory.dmp

Filesize
136KB

Download
memory/3908-56-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/4296-45-0x0000000004CB0000-0x0000000004D42000-memory.dmp

Filesize
584KB

Download
memory/4296-107-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-49-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download
memory/4296-34-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4296-149-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-48-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4296-147-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-47-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4296-43-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/4296-83-0x0000000006210000-0x0000000006424000-memory.dmp

Filesize
2.1MB

Download
memory/4296-42-0x0000000000050000-0x0000000000294000-memory.dmp

Filesize
2.3MB

Download
memory/4296-85-0x0000000006170000-0x00000000061F0000-memory.dmp

Filesize
512KB

Download
memory/4296-86-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-87-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-89-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-91-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-93-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-95-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-97-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-99-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-101-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-103-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-105-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-50-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4296-109-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-111-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-113-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-115-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-117-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-119-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-121-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-123-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-125-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-127-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-129-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-131-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-133-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-135-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-137-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-139-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-141-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-143-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4296-145-0x0000000006170000-0x00000000061EA000-memory.dmp

Filesize
488KB

Download
memory/4548-79-0x0000000004AF0000-0x0000000004B0E000-memory.dmp

Filesize
120KB

Download
memory/4548-69-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/4548-68-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download