zgrat | 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14

General

Target

08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
Size

1.9MB
MD5

14f6f2650e4115f846437a021780ad79
SHA1

11825457804c1aec20dfb7049bc9d21e409e8094
SHA256

08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14
SHA512

97b6237d078fde08a90dfd6d30f6196c17bf1b5ed02e5114d51fd0800e77dea5a27868dcea011347f79b6d19c3dd854fa8de118cedb61708d5e124e6e337ebf8
SSDEEP

24576:2TbBv5rUyXVHz9DD003FvrxyYsw14gO8clrAVwMsxeCXEaSmzFN4DKIaUfReHUBr:IBJTBn1UrAVslhPFN6mcMUB+OZwfu5Xl

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023171-10.dat	family_zgrat_v1
behavioral2/memory/2896-12-0x0000000000200000-0x000000000039A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023171-10.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/2896-12-0x0000000000200000-0x000000000039A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	ComContainerServercomponentDll.exe

Executes dropped EXE 2 IoCs

pid	Process
2896	ComContainerServercomponentDll.exe
1544	WaaSMedicAgent.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe	ComContainerServercomponentDll.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\69ddcba757bf72	ComContainerServercomponentDll.exe
File created	C:\Program Files\ModifiableWindowsApps\sihost.exe	ComContainerServercomponentDll.exe
File created	C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe	ComContainerServercomponentDll.exe
File created	C:\Program Files (x86)\Windows Mail\c82b8037eab33d	ComContainerServercomponentDll.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\WaaSMedicAgent.exe	ComContainerServercomponentDll.exe
File opened for modification	C:\Windows\ModemLogs\WaaSMedicAgent.exe	ComContainerServercomponentDll.exe
File created	C:\Windows\ModemLogs\c82b8037eab33d	ComContainerServercomponentDll.exe
File created	C:\Windows\ServiceState\EventLog\dllhost.exe	ComContainerServercomponentDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	ComContainerServercomponentDll.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4872	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2728	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
2896	ComContainerServercomponentDll.exe
1544	WaaSMedicAgent.exe
1544	WaaSMedicAgent.exe
1544	WaaSMedicAgent.exe
1544	WaaSMedicAgent.exe
1544	WaaSMedicAgent.exe
1544	WaaSMedicAgent.exe
1544	WaaSMedicAgent.exe
1544	WaaSMedicAgent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1544	WaaSMedicAgent.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	ComContainerServercomponentDll.exe
Token: SeDebugPrivilege	1544	WaaSMedicAgent.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 2312	4740	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	86
PID 4740 wrote to memory of 2312	4740	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	86
PID 4740 wrote to memory of 2312	4740	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	86
PID 2312 wrote to memory of 1772	2312	WScript.exe	91
PID 2312 wrote to memory of 1772	2312	WScript.exe	91
PID 2312 wrote to memory of 1772	2312	WScript.exe	91
PID 1772 wrote to memory of 4872	1772	cmd.exe	93
PID 1772 wrote to memory of 4872	1772	cmd.exe	93
PID 1772 wrote to memory of 4872	1772	cmd.exe	93
PID 1772 wrote to memory of 2896	1772	cmd.exe	94
PID 1772 wrote to memory of 2896	1772	cmd.exe	94
PID 2896 wrote to memory of 3376	2896	ComContainerServercomponentDll.exe	96
PID 2896 wrote to memory of 3376	2896	ComContainerServercomponentDll.exe	96
PID 3376 wrote to memory of 2140	3376	cmd.exe	98
PID 3376 wrote to memory of 2140	3376	cmd.exe	98
PID 3376 wrote to memory of 2728	3376	cmd.exe	99
PID 3376 wrote to memory of 2728	3376	cmd.exe	99
PID 3376 wrote to memory of 1544	3376	cmd.exe	102
PID 3376 wrote to memory of 1544	3376	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
"C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4872
  - - C:\chainCrt\ComContainerServercomponentDll.exe
      "C:\chainCrt/ComContainerServercomponentDll.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V19AEvYqm3.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3376
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2140
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2728
      - C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe
        
        "C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\V19AEvYqm3.bat

Filesize
182B

MD5
afb686f26c0f5ee5e727fc0e068716a7

SHA1
2cc44d0721e8da132d73638aa74fa72e2345c6a1

SHA256
5eec6115cae81e74ff4df4d6669dbab16e84dae92e5a20be4ca7e083f25236c5

SHA512
ff4cc992a55e1e3c50bfe6e052e74395eb2365eed9cecbd5eb9303176722a7b165ea9394355bfa256f1587a1d0760c70c25d976099412a697421d252df194f53

Download Submit
C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat

Filesize
219B

MD5
2c6552d7067705b8adc060be796cc726

SHA1
f1f4ca6df3799590d29048d8c0ef8c377b72b29a

SHA256
8f6048c3efd9407d6e5503aa6d2bc17b0c9c73ea883e5567f30ee15c39af7034

SHA512
969bb134f916e45c9f899ccaca82b1e5b5ad9859c758d5f0a514fa0b4d40c079ac14684d2066dbc29eca7e5d9271c3400d6b6fb9bb2707a85ce23edb7065c75d

Download Submit
C:\chainCrt\ComContainerServercomponentDll.exe

Filesize
1.6MB

MD5
c85bd715ac92063c07314d1ce33bb5a1

SHA1
36d690ccafaf3bcf312cb6055b1c33d18631cc01

SHA256
a4bf8ca2423567b154b8938d825125d86763fc6cade00de52e90af39e17b366b

SHA512
d5ab6661b7d00c54d486276e7744df1e55dac9e44c498c93ecac4e7250634be38be826ff5dbe3be8176fe32750e98e7b8525e6eb388473bd46ae946c3bf32fe0

Download Submit
C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe

Filesize
222B

MD5
864c2b2879ddb78e052cd8710b7c74e2

SHA1
065354d8ea5079825a29f4f9fb5a8f9fdddd660e

SHA256
fe19dff47eb716ff953aadbc4db9de1925f2c082c0030171687b925a5de56360

SHA512
08610b687b5eddd01eb77fcd18e1ad9098a471d2ed366b4c244c9a973eaef76e1b5dd8a4c1f0e65d71734f0412a228360fe2f110128ff3b191c37a4527f2d11f

Download Submit
memory/1544-38-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1544-42-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/1544-41-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/1544-40-0x00007FFF79E00000-0x00007FFF7A8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1544-39-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/1544-36-0x00007FFF79E00000-0x00007FFF7A8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1544-37-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/2896-13-0x00007FFF79FD0000-0x00007FFF7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/2896-32-0x00007FFF79FD0000-0x00007FFF7AA91000-memory.dmp

Filesize
10.8MB

Download
memory/2896-15-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2896-14-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/2896-12-0x0000000000200000-0x000000000039A000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing