zgrat | 2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4168406dbd28c5b416f4435e0c40644c.exe
Size

2.3MB
MD5

4168406dbd28c5b416f4435e0c40644c
SHA1

a9bd0155ab9bf43fd0fd92ade8e860333cbac098
SHA256

2af462168bad2cb895fdaf9f778fa2021d8e77ba7212f02f3cb3f3ac0f03431d
SHA512

acba52424c66e8998c4642b1cb55ed99f3f53867483640a62f3aa171234ee4e04f4394b2f7eb09944e6fe259866460a9feaeddcb7555d9a3503b545da3ebfc12
SSDEEP

49152:tBXEr/iSw+0VETjpsFjo4HceGVhp3aZRle4WhpjNp8Wb:nULpw+5TT4HOZahe4GNp8S

Score

10^/10

zgrat evasion rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231d8-10.dat	family_zgrat_v1
behavioral2/memory/4928-12-0x0000000000EA0000-0x00000000010D4000-memory.dmp	family_zgrat_v1
behavioral2/files/0x00070000000231e7-50.dat	family_zgrat_v1
behavioral2/files/0x00070000000231e7-69.dat	family_zgrat_v1
behavioral2/files/0x00070000000231e7-68.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	4168406dbd28c5b416f4435e0c40644c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	AgentcomponentWinhostDll.exe

Executes dropped EXE 2 IoCs

pid	Process
4928	AgentcomponentWinhostDll.exe
1624	StartMenuExperienceHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\WmiPrvSE.exe	AgentcomponentWinhostDll.exe
File created	C:\Program Files (x86)\Windows Mail\24dbde2999530e	AgentcomponentWinhostDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	4168406dbd28c5b416f4435e0c40644c.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	AgentcomponentWinhostDll.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1468	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4304	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe
4928	AgentcomponentWinhostDll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1624	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	AgentcomponentWinhostDll.exe
Token: SeDebugPrivilege	1624	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2556	3520	4168406dbd28c5b416f4435e0c40644c.exe	85
PID 3520 wrote to memory of 2556	3520	4168406dbd28c5b416f4435e0c40644c.exe	85
PID 3520 wrote to memory of 2556	3520	4168406dbd28c5b416f4435e0c40644c.exe	85
PID 2556 wrote to memory of 1612	2556	WScript.exe	86
PID 2556 wrote to memory of 1612	2556	WScript.exe	86
PID 2556 wrote to memory of 1612	2556	WScript.exe	86
PID 1612 wrote to memory of 1468	1612	cmd.exe	88
PID 1612 wrote to memory of 1468	1612	cmd.exe	88
PID 1612 wrote to memory of 1468	1612	cmd.exe	88
PID 1612 wrote to memory of 4928	1612	cmd.exe	89
PID 1612 wrote to memory of 4928	1612	cmd.exe	89
PID 4928 wrote to memory of 4720	4928	AgentcomponentWinhostDll.exe	97
PID 4928 wrote to memory of 4720	4928	AgentcomponentWinhostDll.exe	97
PID 4720 wrote to memory of 4612	4720	cmd.exe	93
PID 4720 wrote to memory of 4612	4720	cmd.exe	93
PID 4720 wrote to memory of 4304	4720	cmd.exe	92
PID 4720 wrote to memory of 4304	4720	cmd.exe	92
PID 4720 wrote to memory of 1624	4720	cmd.exe	101
PID 4720 wrote to memory of 1624	4720	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\4168406dbd28c5b416f4435e0c40644c.exe
"C:\Users\Admin\AppData\Local\Temp\4168406dbd28c5b416f4435e0c40644c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgeComcomponentRefcrt\1ldIcBYEQg7RjcVGSq1ng9KiAB3AQy7htAmpoYpl9wYMA.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BridgeComcomponentRefcrt\wdXGsvxl0pdrLsLPPCPXx3825LswXliS6Ryz.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1468
  - - C:\BridgeComcomponentRefcrt\AgentcomponentWinhostDll.exe
      "C:\BridgeComcomponentRefcrt/AgentcomponentWinhostDll.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9et8C3CQw.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Users\Public\Videos\StartMenuExperienceHost.exe
        
        "C:\Users\Public\Videos\StartMenuExperienceHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4304

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeComcomponentRefcrt\1ldIcBYEQg7RjcVGSq1ng9KiAB3AQy7htAmpoYpl9wYMA.vbe

Filesize
238B

MD5
d0e7d23e5ae90f5357d76ab2cc26724b

SHA1
6651290f841eaafec1016677b8d59fd79a3b314b

SHA256
965f6f5bc53e0b6de78fe1cbb9473055c66a56958c120adde959cf0861c344c4

SHA512
216dcc38fe7ddea60960f15d45ed570e4386764d6e1a12ad0cc3a3cb9aa27d909cec1b3c50a38a54ba6772c2bf1629c115f3a35af19b387288787e02dd81cb23

Download Submit
C:\BridgeComcomponentRefcrt\AgentcomponentWinhostDll.exe

Filesize
2.2MB

MD5
900246653d3c4582b86ba8c3f363c814

SHA1
ebb4194497160b7770cd9c543141a9bce458fe79

SHA256
f5cfd67248766681a0adf219ddd04a1ea1c78157be90a7d7c92d115bd1fab22c

SHA512
54b16b68143cfdb995b9e5bac9474e3f83a32fffe74310371e89590f279a5650763c2cd17761c5989137b57eed229b06a5521c522f739f173733602f92794e33

Download Submit
C:\BridgeComcomponentRefcrt\wdXGsvxl0pdrLsLPPCPXx3825LswXliS6Ryz.bat

Filesize
227B

MD5
ae228c7e7072b7087b1594b052797062

SHA1
f46d1e6240f6105effb0a8a8cfe70faf01573fe6

SHA256
934a37052592bcb2ed1ea0d4ecf5cdcea85b42583e776da939301a400e6b58ec

SHA512
886d71f897cce717047c8bb035abf3dd0724f68736d742786772876024b8e9a57d41ec2bb3c9d89c1cc19f66bac19678be64c32e761180a90b9f516bb742d84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9et8C3CQw.bat

Filesize
178B

MD5
f2c92e77cf571f2ce2f66b2c19e35afe

SHA1
c56163dc52efa2c5fd41460f6e4dd1a108ce00bc

SHA256
5b00817ebce72f448b20829b5a2f0170f72e71218222a43cd10f803537e87db6

SHA512
15e6e25e2dc5f6d9cdac7c5e1b81005665fb298745eccdc24150cb32f397093d5e61e3fba5f97332a04640c06215ce6b86cc44343685cb41cca45d9ab35c01e5

Download Submit
C:\Users\Public\Videos\StartMenuExperienceHost.exe

Filesize
1.5MB

MD5
5322da06574ae750cbb0b57746c5338c

SHA1
82e914e9485bb6003c516e16d64845616b8a058e

SHA256
0b896106ccb816634e7fd0a8005ab7a73e18f860ba89dcf44c738a6480e5d72d

SHA512
e95f4c6049a148dbca5be6ecffc6d10355da1aef7ce714c8a990e24d5a4b719fe98f411ac8987e32610afa99fedd8290b40309ea48e2963ad365ce902fadee00

Download Submit
C:\Users\Public\Videos\StartMenuExperienceHost.exe

Filesize
203KB

MD5
ef0929ec4f3988c03af62f1faf96aca2

SHA1
de2c1963a43209eef70f0a1aba6e9dc1e4068e55

SHA256
0e020c5220716b0d115866d48cba6a3edb6e4f8584158cb1960f924a94cc1c2e

SHA512
9a5fd3dcf437c7c8e249ad22dc577609e43f0ea45e5faf5e53a4e2369f4546ac0e4d4e57c7afff753f289815d494319adfc74aedfc12193869d9d592c9ceea87

Download Submit
C:\Users\Public\Videos\StartMenuExperienceHost.exe

Filesize
250KB

MD5
05eb681affb0859eee8848bb22c2d7f3

SHA1
fda6ceb603eb2a3d67b079bce35827f28a3ce6ef

SHA256
3aa3b068511ee2b3324b95a97e987e2209d0fc7661f4732a1c4091afc3bd8c87

SHA512
99ada85c66e5c1123db506aab1731c64ff5ff89233452137a0dadb6a3bd3cb03f1112e4a2bf9c1d6609995803a247846feb90e260adfcad067033c546fbda159

Download Submit
memory/1624-88-0x00007FFF04120000-0x00007FFF04121000-memory.dmp

Filesize
4KB

Download
memory/1624-84-0x00007FFF04130000-0x00007FFF04131000-memory.dmp

Filesize
4KB

Download
memory/1624-89-0x00007FFF04100000-0x00007FFF04101000-memory.dmp

Filesize
4KB

Download
memory/1624-91-0x00007FFF04110000-0x00007FFF04111000-memory.dmp

Filesize
4KB

Download
memory/1624-92-0x000000001B710000-0x000000001B720000-memory.dmp

Filesize
64KB

Download
memory/1624-93-0x00007FFF04250000-0x00007FFF0430E000-memory.dmp

Filesize
760KB

Download
memory/1624-74-0x00007FFF04250000-0x00007FFF0430E000-memory.dmp

Filesize
760KB

Download
memory/1624-94-0x000000001B710000-0x000000001B720000-memory.dmp

Filesize
64KB

Download
memory/1624-82-0x00007FFF04140000-0x00007FFF04141000-memory.dmp

Filesize
4KB

Download
memory/1624-87-0x00007FFEE6AC0000-0x00007FFEE7581000-memory.dmp

Filesize
10.8MB

Download
memory/1624-78-0x00007FFF04160000-0x00007FFF04161000-memory.dmp

Filesize
4KB

Download
memory/1624-79-0x00007FFF04150000-0x00007FFF04151000-memory.dmp

Filesize
4KB

Download
memory/1624-75-0x00007FFF04250000-0x00007FFF0430E000-memory.dmp

Filesize
760KB

Download
memory/1624-76-0x00007FFF04170000-0x00007FFF04171000-memory.dmp

Filesize
4KB

Download
memory/1624-72-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/1624-71-0x000000001B710000-0x000000001B720000-memory.dmp

Filesize
64KB

Download
memory/1624-70-0x00007FFEE6AC0000-0x00007FFEE7581000-memory.dmp

Filesize
10.8MB

Download
memory/1624-95-0x000000001D530000-0x000000001D5D9000-memory.dmp

Filesize
676KB

Download
memory/1624-124-0x000000001B710000-0x000000001B720000-memory.dmp

Filesize
64KB

Download
memory/1624-127-0x000000001B710000-0x000000001B720000-memory.dmp

Filesize
64KB

Download
memory/4928-24-0x00000000018A0000-0x00000000018AE000-memory.dmp

Filesize
56KB

Download
memory/4928-40-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/4928-66-0x00007FFEE7010000-0x00007FFEE7AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-63-0x000000001C7D0000-0x000000001C879000-memory.dmp

Filesize
676KB

Download
memory/4928-36-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/4928-31-0x00000000018B0000-0x00000000018C0000-memory.dmp

Filesize
64KB

Download
memory/4928-29-0x000000001C230000-0x000000001C280000-memory.dmp

Filesize
320KB

Download
memory/4928-27-0x000000001BE70000-0x000000001BE8C000-memory.dmp

Filesize
112KB

Download
memory/4928-37-0x00007FFEE7010000-0x00007FFEE7AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-38-0x00007FFF04130000-0x00007FFF04131000-memory.dmp

Filesize
4KB

Download
memory/4928-41-0x00007FFF04110000-0x00007FFF04111000-memory.dmp

Filesize
4KB

Download
memory/4928-43-0x000000001BD30000-0x000000001BD3E000-memory.dmp

Filesize
56KB

Download
memory/4928-44-0x00007FFF04100000-0x00007FFF04101000-memory.dmp

Filesize
4KB

Download
memory/4928-46-0x000000001BEB0000-0x000000001BEC8000-memory.dmp

Filesize
96KB

Download
memory/4928-39-0x00007FFF04120000-0x00007FFF04121000-memory.dmp

Filesize
4KB

Download
memory/4928-64-0x00007FFF04250000-0x00007FFF0430E000-memory.dmp

Filesize
760KB

Download
memory/4928-34-0x000000001BE90000-0x000000001BEA8000-memory.dmp

Filesize
96KB

Download
memory/4928-32-0x00007FFF04140000-0x00007FFF04141000-memory.dmp

Filesize
4KB

Download
memory/4928-28-0x00007FFF04150000-0x00007FFF04151000-memory.dmp

Filesize
4KB

Download
memory/4928-25-0x00007FFF04160000-0x00007FFF04161000-memory.dmp

Filesize
4KB

Download
memory/4928-22-0x00007FFF04250000-0x00007FFF0430E000-memory.dmp

Filesize
760KB

Download
memory/4928-21-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/4928-20-0x00007FFF04170000-0x00007FFF04171000-memory.dmp

Filesize
4KB

Download
memory/4928-18-0x000000001BD00000-0x000000001BD26000-memory.dmp

Filesize
152KB

Download
memory/4928-19-0x00007FFF04250000-0x00007FFF0430E000-memory.dmp

Filesize
760KB

Download
memory/4928-16-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/4928-15-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/4928-13-0x00007FFEE7010000-0x00007FFEE7AD1000-memory.dmp

Filesize
10.8MB

Download
memory/4928-14-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/4928-12-0x0000000000EA0000-0x00000000010D4000-memory.dmp

Filesize
2.2MB

Download