zgrat | d16281d36cb3139f4353ae35ebf214c42a6e19f050906961cec2fc656d295df3

Analysis

max time kernel
131s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-02-2024 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f082b9f08a5a3e1ce6360159c8732f.exe
Size

2.2MB
MD5

a4f082b9f08a5a3e1ce6360159c8732f
SHA1

343a2ec18799fe011c55895156bc58055a836522
SHA256

d16281d36cb3139f4353ae35ebf214c42a6e19f050906961cec2fc656d295df3
SHA512

164e721be202392965f5beda3df070e0f5c8d85447aee148f25d04ed84742fbceed4def21edb2475e4d8690f20604e1c41029acad8864cc81c7bd02fd56fec5f
SSDEEP

49152:SAK0RKiYjXfeZPP68zVIxKY92s5nfTPI3oSAv7xLqMTsMMs1a2i29obFbX:SAK0RKiYjXfe7zG2wk3QjnsEi2cl

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2028-0-0x00000000011C0000-0x0000000001404000-memory.dmp	family_zgrat_v1
C:\Windows\Prefetch\ReadyBoot\spoolsv.exe	family_zgrat_v1
behavioral1/memory/3016-51-0x0000000000240000-0x0000000000484000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

3016 services.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3016	services.exe

Drops file in Program Files directory 3 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe	a4f082b9f08a5a3e1ce6360159c8732f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe	a4f082b9f08a5a3e1ce6360159c8732f.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\886983d96e3d3e	a4f082b9f08a5a3e1ce6360159c8732f.exe

Drops file in Windows directory 3 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exe

description	ioc	process
File created	C:\Windows\diagnostics\index\sppsvc.exe	a4f082b9f08a5a3e1ce6360159c8732f.exe
File created	C:\Windows\Prefetch\ReadyBoot\spoolsv.exe	a4f082b9f08a5a3e1ce6360159c8732f.exe
File created	C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24	a4f082b9f08a5a3e1ce6360159c8732f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2780 PING.EXE

pid	process
2780	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exe

pid	process
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
2028	a4f082b9f08a5a3e1ce6360159c8732f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

services.exe

pid process

3016 services.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exeservices.exe

description pid process

Token: SeDebugPrivilege 2028 a4f082b9f08a5a3e1ce6360159c8732f.exe
Token: SeDebugPrivilege 3016 services.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

services.exe

pid process

3016 services.exe

pid	process
3016	services.exe

description	pid	process
Token: SeDebugPrivilege	2028	a4f082b9f08a5a3e1ce6360159c8732f.exe
Token: SeDebugPrivilege	3016	services.exe

pid	process
3016	services.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.execmd.exe

description	pid	process	target process
PID 2028 wrote to memory of 2708	2028	a4f082b9f08a5a3e1ce6360159c8732f.exe	cmd.exe
PID 2028 wrote to memory of 2708	2028	a4f082b9f08a5a3e1ce6360159c8732f.exe	cmd.exe
PID 2028 wrote to memory of 2708	2028	a4f082b9f08a5a3e1ce6360159c8732f.exe	cmd.exe
PID 2708 wrote to memory of 2628	2708	cmd.exe	chcp.com
PID 2708 wrote to memory of 2628	2708	cmd.exe	chcp.com
PID 2708 wrote to memory of 2628	2708	cmd.exe	chcp.com
PID 2708 wrote to memory of 2780	2708	cmd.exe	PING.EXE
PID 2708 wrote to memory of 2780	2708	cmd.exe	PING.EXE
PID 2708 wrote to memory of 2780	2708	cmd.exe	PING.EXE
PID 2708 wrote to memory of 3016	2708	cmd.exe	services.exe
PID 2708 wrote to memory of 3016	2708	cmd.exe	services.exe
PID 2708 wrote to memory of 3016	2708	cmd.exe	services.exe

C:\Users\Admin\AppData\Local\Temp\a4f082b9f08a5a3e1ce6360159c8732f.exe
"C:\Users\Admin\AppData\Local\Temp\a4f082b9f08a5a3e1ce6360159c8732f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l6u5v4DBnF.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:2780

C:\Users\Admin\My Documents\services.exe
"C:\Users\Admin\My Documents\services.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\l6u5v4DBnF.bat

Filesize
168B

MD5
278958036487292caf0d26a15a4db988

SHA1
43a26236dab9c3a36ba4784e8e2814ca4302f1b5

SHA256
56e65d9f97480b0aefa91db48b919f22a7b4c2ca3694973899030197dedda7d5

SHA512
cbbc1f11e67421862c921d584006f2e47f69950bcf886548a97c271fe22f44badda4062aceb44f5f40a5459b2855b89b912b13059909163f0378039338d1b935

Download Submit
C:\Windows\Prefetch\ReadyBoot\spoolsv.exe

Filesize
2.2MB

MD5
a4f082b9f08a5a3e1ce6360159c8732f

SHA1
343a2ec18799fe011c55895156bc58055a836522

SHA256
d16281d36cb3139f4353ae35ebf214c42a6e19f050906961cec2fc656d295df3

SHA512
164e721be202392965f5beda3df070e0f5c8d85447aee148f25d04ed84742fbceed4def21edb2475e4d8690f20604e1c41029acad8864cc81c7bd02fd56fec5f

Download Submit
memory/2028-28-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2028-20-0x0000000076CB0000-0x0000000076CB1000-memory.dmp

Filesize
4KB

Download
memory/2028-4-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2028-2-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2028-7-0x0000000000460000-0x0000000000486000-memory.dmp

Filesize
152KB

Download
memory/2028-8-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2028-10-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/2028-11-0x0000000076CE0000-0x0000000076CE1000-memory.dmp

Filesize
4KB

Download
memory/2028-13-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2028-14-0x0000000076CD0000-0x0000000076CD1000-memory.dmp

Filesize
4KB

Download
memory/2028-15-0x0000000076CC0000-0x0000000076CC1000-memory.dmp

Filesize
4KB

Download
memory/2028-17-0x0000000000610000-0x0000000000628000-memory.dmp

Filesize
96KB

Download
memory/2028-19-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2028-1-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-22-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2028-23-0x0000000076CA0000-0x0000000076CA1000-memory.dmp

Filesize
4KB

Download
memory/2028-25-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2028-48-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/2028-27-0x0000000076C90000-0x0000000076C91000-memory.dmp

Filesize
4KB

Download
memory/2028-30-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/2028-0-0x00000000011C0000-0x0000000001404000-memory.dmp

Filesize
2.3MB

Download
memory/2028-31-0x0000000076C80000-0x0000000076C81000-memory.dmp

Filesize
4KB

Download
memory/2028-5-0x0000000076CF0000-0x0000000076CF1000-memory.dmp

Filesize
4KB

Download
memory/2028-3-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2028-26-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-93-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/3016-52-0x000007FEF48D0000-0x000007FEF52BC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-53-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/3016-54-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3016-55-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/3016-56-0x0000000076CF0000-0x0000000076CF1000-memory.dmp

Filesize
4KB

Download
memory/3016-57-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/3016-60-0x0000000076CE0000-0x0000000076CE1000-memory.dmp

Filesize
4KB

Download
memory/3016-62-0x0000000076CD0000-0x0000000076CD1000-memory.dmp

Filesize
4KB

Download
memory/3016-64-0x0000000076CC0000-0x0000000076CC1000-memory.dmp

Filesize
4KB

Download
memory/3016-66-0x0000000076CB0000-0x0000000076CB1000-memory.dmp

Filesize
4KB

Download
memory/3016-68-0x0000000076CA0000-0x0000000076CA1000-memory.dmp

Filesize
4KB

Download
memory/3016-71-0x000007FEF48D0000-0x000007FEF52BC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-72-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/3016-73-0x0000000076C90000-0x0000000076C91000-memory.dmp

Filesize
4KB

Download
memory/3016-74-0x0000000076C80000-0x0000000076C81000-memory.dmp

Filesize
4KB

Download
memory/3016-75-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/3016-76-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/3016-51-0x0000000000240000-0x0000000000484000-memory.dmp

Filesize
2.3MB

Download
memory/3016-95-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download