Malware Analysis Report

2025-01-03 05:02

Sample ID 240107-ygzqhsdha6
Target 496d5fc129c98a075ea39863bd8938a2.exe
SHA256 a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09
Tags zgrat rat bitrat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

a6c9311a9434e428bec6dd1b01e2e4033d4f8685cae164aa14e335ba0a176d09

Threat Level: Known bad

The file 496d5fc129c98a075ea39863bd8938a2.exe was found to be: Known bad.

Malicious Activity Summary

zgrat rat bitrat trojan

BitRAT

ZGRat

Detect ZGRat V1

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:46

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:46

Reported

2024-01-07 19:48

Platform

win7-20231215-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"

Signatures

Detect ZGRat V1

ZGRat

rat zgrat

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
PID 2424 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
PID 2424 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
PID 2424 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe
PID 2648 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WScript.exe
PID 2648 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WScript.exe
PID 2648 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WScript.exe
PID 2648 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Windows\SysWOW64\WScript.exe
PID 2316 wrote to memory of 2308 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2308 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2308 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2316 wrote to memory of 2308 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2648 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Users\Admin\AppData\Local\Temp\Sys.pif
PID 2648 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Users\Admin\AppData\Local\Temp\Sys.pif
PID 2648 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Users\Admin\AppData\Local\Temp\Sys.pif
PID 2648 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Users\Admin\AppData\Local\Temp\Sys.pif
PID 2648 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Users\Admin\AppData\Local\Temp\Sys.pif
PID 2648 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif C:\Users\Admin\AppData\Local\Temp\Sys.pif

Processes

C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe

"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'

C:\Users\Admin\AppData\Local\Temp\Sys.pif

C:\Users\Admin\AppData\Local\Temp\Sys.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp

Files

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

MD5 76555816c73f34e86608807c7737a593
SHA1 3c38473581f2c602a25707ee9000634f4b4d033a
SHA256 64299aa25ed5fae3be2ac53c376875280bb624a555674bc89f43e58cf06fde6d
SHA512 a2a28ef202a332d002cf831c8fb94ef67dc392e543748c8b819fae191829fce038211a905ee08836556a73f9bc4918313c4be6ab9e7ef068503054eedfd3f22b

\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 c2a78b5610d2abd529688c420bde478e
SHA1 7a6b9c6f66f7df7540ecfd633f9735c4828f9b3a
SHA256 36c76fcef546a898a0c6f4d811b9106574ac5e82f5354569871be9679091871c
SHA512 b000464af649879dc724a9d805601ba9f627e03f28a65bc2a13a946f840d70bd8e6835511701657c795b96fd4521c7f23826b168a0bf2429e9d36bb596797aa2

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Direct2D1.dll

MD5 19f8591a6baa83af46de41f20224b6f1
SHA1 c736799e1936cec37acbf66fdf1df96f4679562f
SHA256 a94e2f3c206351503f6c4002585af270880854b4b97b730ea51764ef23b5ba79
SHA512 db4798af16452ce7c0e47f59692e1643d2639b0744075b78bb9dc33dbf7de78392bb21f28529b091d54ed0a2185add12f38c256bcb3ba97d34a050e29a19617e

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.dll

MD5 6fabeaa1c8ea15e787f2e3b487ab434d
SHA1 c2091f69192903676ed6b181bbf8346b819c43a2
SHA256 28437b8f6036224b187f6ec324af9cd8f20dc5e363b0341f86869e4172f07909
SHA512 076bccbb7ddd4bb7b785bc70dfcaa920c080af30172ce1dcc49594a96f96133d0322db73362c47d8b4d2afa69e0ee0c78a3b423aa4886478080529f864bf1739

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\SharpDX.Mathematics.dll

MD5 d30f6fb490a820dcdd9c7da971036393
SHA1 177b1b912fb09efacce8bae24fca35ea514f131b
SHA256 be2fe214f8a1515824b523ac85f25c8856370d4ffd90cd22dd78c079f5ea803b
SHA512 332508c32d6c5baf16da59c619fb4b55dfdfccea667582d02ccf72e88d0ddc0acaa2df97adba038bbada9d839145a6cd76c4a7ced5346256d868b3bd548d82e2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 9c274a21fccd0a0f34d9adbf1b5f46ec
SHA1 07879555b26f54f6adc4906bdc99c0f5cadd086e
SHA256 1ee4e70bd05228608e93b53228db1e35a3f8c8c5b987c3087af44d57c482abb0
SHA512 d49e1e79b22f3634c71546a88f52ae0ddde4949003687d2dcc3193c23a6963fa238ab8256504024bedc779b2c42b2f9431807aa094a1c19188a4a8669b524dec

C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs

MD5 0d6555dc02c45b1e49ac39075c65cebe
SHA1 2fb0e4464b16db957a06353e14345e0f5a5ba4be
SHA256 368760bf74c0fc525b30d96118bef07fe2cdd1a20373e04151be5a95e6afbe8f
SHA512 775cf89738b1ad02a1aefad53a632e576f9037c3da7adab83c63474716ad4352fc100f85c6045fe725ed04eb003a3afc52b4f809f30e6efe6c31bd59a1b77cd9

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:46

Reported

2024-01-07 19:48

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"

Signatures

BitRAT

trojan bitrat

Detect ZGRat V1

ZGRat

rat zgrat

Processes

C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe

"C:\Users\Admin\AppData\Local\Temp\496d5fc129c98a075ea39863bd8938a2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe"

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

"C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Users\Admin\AppData\Local\Temp\Sys.pif

C:\Users\Admin\AppData\Local\Temp\Sys.pif

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NVIDIA\nvcontainer.exe'

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Cughlqhdqdvxnicuaztmvn.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
SG 139.99.66.103:25874 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

MD5 7c6ae5039d34ef48cb0ba0fdc51f8488
SHA1 81078d459d6f1c6dd69564f0d3c1731bf4a2128a
SHA256 a02b1cb427385a59c2afc7cd7d0301836bd3e2118cfa58f3a80660e55c82521b
SHA512 9c458bf95d94a370877be8cb73768d19ee20b4f1cb1e90283cbc95c066f68e30bdaeb35516160e3728c930ad73dbbe5ace076cf9e51924a627a83a20a780e6bc

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\Sys.pif

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Origin\Install\Setup\Battlefield1\ErrorAssistant\BF1PureCracker0.exe

MD5 db839c59eee092b7aadaf7c429e45c32
SHA1 e8be58417dfd4ed4dd110776de843084302f43df
SHA256 e495c5fc9eb8073157995929503522403f160fcf4f3519770185539784bd3684
SHA512 64242febb1bc8941ef4b2fdced4bfa914c06fc7ab96b9e9ffce9aa1913404380999e20f8b0eca3320feecbb9eb37e040339a832915ffa195beb5de9e65b4a56f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 0774a05ce5ee4c1af7097353c9296c62
SHA1 658ff96b111c21c39d7ad5f510fb72f9762114bb
SHA256 d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4
SHA512 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3208d49ba6636842bd1fbf160895f03a
SHA1 0b467dba6f9c2d4ba92b8316305c268f66091542
SHA256 42be444d765ccf981588d0178c87e27f6e4779159c2801ac5686273f5b9fb32b
SHA512 fc0701993fb6670fe548fae0d079213c32adfa0012106a9606bab10895ad25c5e67faf26fdd55a07a12ab3d53155169c8a8b6cbf7ec1a269ed97be8eceba1182
