zgrat | d16281d36cb3139f4353ae35ebf214c42a6e19f050906961cec2fc656d295df3

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2024 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f082b9f08a5a3e1ce6360159c8732f.exe
Size

2.2MB
MD5

a4f082b9f08a5a3e1ce6360159c8732f
SHA1

343a2ec18799fe011c55895156bc58055a836522
SHA256

d16281d36cb3139f4353ae35ebf214c42a6e19f050906961cec2fc656d295df3
SHA512

164e721be202392965f5beda3df070e0f5c8d85447aee148f25d04ed84742fbceed4def21edb2475e4d8690f20604e1c41029acad8864cc81c7bd02fd56fec5f
SSDEEP

49152:SAK0RKiYjXfeZPP68zVIxKY92s5nfTPI3oSAv7xLqMTsMMs1a2i29obFbX:SAK0RKiYjXfe7zG2wk3QjnsEi2cl

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2316-0-0x0000000000CD0000-0x0000000000F14000-memory.dmp	family_zgrat_v1
C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	a4f082b9f08a5a3e1ce6360159c8732f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 4 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\Registry.exe	a4f082b9f08a5a3e1ce6360159c8732f.exe
File created	C:\Program Files (x86)\Internet Explorer\ee2ad38f3d4382	a4f082b9f08a5a3e1ce6360159c8732f.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe	a4f082b9f08a5a3e1ce6360159c8732f.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\6203df4a6bafc7	a4f082b9f08a5a3e1ce6360159c8732f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	a4f082b9f08a5a3e1ce6360159c8732f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exe

pid	process
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
2316	a4f082b9f08a5a3e1ce6360159c8732f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exe

pid process

4356 a4f082b9f08a5a3e1ce6360159c8732f.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exea4f082b9f08a5a3e1ce6360159c8732f.exe

description pid process

Token: SeDebugPrivilege 2316 a4f082b9f08a5a3e1ce6360159c8732f.exe
Token: SeDebugPrivilege 4356 a4f082b9f08a5a3e1ce6360159c8732f.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.exe

pid process

4356 a4f082b9f08a5a3e1ce6360159c8732f.exe

pid	process
4356	a4f082b9f08a5a3e1ce6360159c8732f.exe

description	pid	process
Token: SeDebugPrivilege	2316	a4f082b9f08a5a3e1ce6360159c8732f.exe
Token: SeDebugPrivilege	4356	a4f082b9f08a5a3e1ce6360159c8732f.exe

pid	process
4356	a4f082b9f08a5a3e1ce6360159c8732f.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a4f082b9f08a5a3e1ce6360159c8732f.execmd.exe

description	pid	process	target process
PID 2316 wrote to memory of 1040	2316	a4f082b9f08a5a3e1ce6360159c8732f.exe	cmd.exe
PID 2316 wrote to memory of 1040	2316	a4f082b9f08a5a3e1ce6360159c8732f.exe	cmd.exe
PID 1040 wrote to memory of 1600	1040	cmd.exe	chcp.com
PID 1040 wrote to memory of 1600	1040	cmd.exe	chcp.com
PID 1040 wrote to memory of 1292	1040	cmd.exe	w32tm.exe
PID 1040 wrote to memory of 1292	1040	cmd.exe	w32tm.exe
PID 1040 wrote to memory of 4356	1040	cmd.exe	a4f082b9f08a5a3e1ce6360159c8732f.exe
PID 1040 wrote to memory of 4356	1040	cmd.exe	a4f082b9f08a5a3e1ce6360159c8732f.exe

C:\Users\Admin\AppData\Local\Temp\a4f082b9f08a5a3e1ce6360159c8732f.exe
"C:\Users\Admin\AppData\Local\Temp\a4f082b9f08a5a3e1ce6360159c8732f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0L3EGWMt2p.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1600

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\a4f082b9f08a5a3e1ce6360159c8732f.exe
"C:\Users\Admin\AppData\Local\Temp\a4f082b9f08a5a3e1ce6360159c8732f.exe"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe

Filesize
2.2MB

MD5
a4f082b9f08a5a3e1ce6360159c8732f

SHA1
343a2ec18799fe011c55895156bc58055a836522

SHA256
d16281d36cb3139f4353ae35ebf214c42a6e19f050906961cec2fc656d295df3

SHA512
164e721be202392965f5beda3df070e0f5c8d85447aee148f25d04ed84742fbceed4def21edb2475e4d8690f20604e1c41029acad8864cc81c7bd02fd56fec5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\a4f082b9f08a5a3e1ce6360159c8732f.exe.log

Filesize
1KB

MD5
98d93f7a2239452aef29ed995c71b759

SHA1
d1fc6bff08e49cb16a1e5d0b0348232282cf5677

SHA256
399712789c6f2c7bd1b7afdf835eb2ac525632424daf08e751186195ebdbba52

SHA512
1073e74c9f065aa02be1bfb172308c555c0ad0c5ff35315d76de23d2c6daf1d3fe0b32042a428431847d09b679f14cb129c058af3277e9ed16787d37ae276d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\0L3EGWMt2p.bat

Filesize
246B

MD5
dd0ee9a95ed038d2431c2f6235ec1819

SHA1
fa9f1d2a7f61c0add2db72e3e1132e65b2ac293a

SHA256
673b115a85ba2ad45398b6af0a052dcaa53f43865b095b9575d95dd7f853c7e3

SHA512
46d6ebabdae6ca2c52220348ec6a3d5f04b41110c3b1a9fb666177c4bf4e06d4a6130b88aa506968985dd8ba04620999670c38ab2f09ae7c75055ea7daf22d8e

Download Submit
memory/2316-0-0x0000000000CD0000-0x0000000000F14000-memory.dmp

Filesize
2.3MB

Download
memory/2316-1-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/2316-2-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/2316-3-0x00000000016B0000-0x00000000016B1000-memory.dmp

Filesize
4KB

Download
memory/2316-4-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/2316-7-0x00007FF84B130000-0x00007FF84B1EE000-memory.dmp

Filesize
760KB

Download
memory/2316-6-0x0000000001A20000-0x0000000001A46000-memory.dmp

Filesize
152KB

Download
memory/2316-8-0x00007FF84AF70000-0x00007FF84AF71000-memory.dmp

Filesize
4KB

Download
memory/2316-9-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/2316-10-0x00007FF84B130000-0x00007FF84B1EE000-memory.dmp

Filesize
760KB

Download
memory/2316-13-0x00007FF84AF60000-0x00007FF84AF61000-memory.dmp

Filesize
4KB

Download
memory/2316-12-0x000000001BB80000-0x000000001BB9C000-memory.dmp

Filesize
112KB

Download
memory/2316-14-0x000000001CFD0000-0x000000001D020000-memory.dmp

Filesize
320KB

Download
memory/2316-16-0x0000000001700000-0x0000000001710000-memory.dmp

Filesize
64KB

Download
memory/2316-17-0x00007FF84AF50000-0x00007FF84AF51000-memory.dmp

Filesize
4KB

Download
memory/2316-19-0x000000001CF80000-0x000000001CF98000-memory.dmp

Filesize
96KB

Download
memory/2316-20-0x00007FF84AF40000-0x00007FF84AF41000-memory.dmp

Filesize
4KB

Download
memory/2316-21-0x00007FF84AF30000-0x00007FF84AF31000-memory.dmp

Filesize
4KB

Download
memory/2316-23-0x0000000001710000-0x0000000001720000-memory.dmp

Filesize
64KB

Download
memory/2316-25-0x000000001CFA0000-0x000000001CFB6000-memory.dmp

Filesize
88KB

Download
memory/2316-26-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/2316-27-0x00007FF84AF20000-0x00007FF84AF21000-memory.dmp

Filesize
4KB

Download
memory/2316-29-0x000000001D020000-0x000000001D032000-memory.dmp

Filesize
72KB

Download
memory/2316-30-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/2316-31-0x00007FF84AF10000-0x00007FF84AF11000-memory.dmp

Filesize
4KB

Download
memory/2316-32-0x000000001D570000-0x000000001DA98000-memory.dmp

Filesize
5.2MB

Download
memory/2316-34-0x000000001D040000-0x000000001D058000-memory.dmp

Filesize
96KB

Download
memory/2316-35-0x00007FF84AF00000-0x00007FF84AF01000-memory.dmp

Filesize
4KB

Download
memory/2316-52-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/2316-53-0x00007FF84B130000-0x00007FF84B1EE000-memory.dmp

Filesize
760KB

Download
memory/4356-56-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/4356-57-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

Filesize
64KB

Download
memory/4356-58-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/4356-59-0x00007FF84B130000-0x00007FF84B1EE000-memory.dmp

Filesize
760KB

Download
memory/4356-60-0x00007FF84AF70000-0x00007FF84AF71000-memory.dmp

Filesize
4KB

Download
memory/4356-62-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

Filesize
64KB

Download
memory/4356-63-0x00007FF84B130000-0x00007FF84B1EE000-memory.dmp

Filesize
760KB

Download
memory/4356-65-0x00007FF84AF60000-0x00007FF84AF61000-memory.dmp

Filesize
4KB

Download
memory/4356-67-0x00007FF84AF50000-0x00007FF84AF51000-memory.dmp

Filesize
4KB

Download
memory/4356-70-0x00007FF82D2C0000-0x00007FF82DD81000-memory.dmp

Filesize
10.8MB

Download
memory/4356-71-0x00007FF84AF40000-0x00007FF84AF41000-memory.dmp

Filesize
4KB

Download
memory/4356-72-0x00007FF84AF20000-0x00007FF84AF21000-memory.dmp

Filesize
4KB

Download
memory/4356-74-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

Filesize
64KB

Download
memory/4356-75-0x00007FF84AF30000-0x00007FF84AF31000-memory.dmp

Filesize
4KB

Download
memory/4356-77-0x00007FF84AF10000-0x00007FF84AF11000-memory.dmp

Filesize
4KB

Download
memory/4356-79-0x00007FF84AF00000-0x00007FF84AF01000-memory.dmp

Filesize
4KB

Download
memory/4356-80-0x00007FF84B130000-0x00007FF84B1EE000-memory.dmp

Filesize
760KB

Download
memory/4356-81-0x000000001E160000-0x000000001E275000-memory.dmp

Filesize
1.1MB

Download
memory/4356-82-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

Filesize
64KB

Download
memory/4356-111-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

Filesize
64KB

Download
memory/4356-114-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

Filesize
64KB

Download