zgrat | 4c9a06f79b7bab68122b2d164b63523dceb0205d044c8d230bb758d7fc4729e8

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

983ffa6d57f86647306da729613df330.exe
Size

984KB
MD5

983ffa6d57f86647306da729613df330
SHA1

9cbc4aa1b4f5566a7d8a9c508edc7cc96772c1c0
SHA256

4c9a06f79b7bab68122b2d164b63523dceb0205d044c8d230bb758d7fc4729e8
SHA512

90d5b58598e2e8a904363058441956df840cf75389bc8f89b28fe70fd8ef2c7c98c70928ac208002550a127affe57668692d18bc0dd5bdab6f5f2095ebdd6313
SSDEEP

12288:vz+MO8FsF87bhQxUKKKVxe8QuWtajt6iLq17BKGUEsLDw:b+MOQW87bhQxtVUwWa6iLe76Ei

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/1644-5-0x0000000008220000-0x00000000082A6000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-6-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-7-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-9-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-13-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-15-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-19-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-21-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-23-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-27-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-29-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-31-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-35-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-39-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-45-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-43-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-41-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-51-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-53-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-49-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-61-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-63-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-59-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-69-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-67-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-65-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-57-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-55-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-47-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-37-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-33-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-25-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-17-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1644-11-0x0000000008220000-0x00000000082A0000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Chrome.exe\","	983ffa6d57f86647306da729613df330.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1644	983ffa6d57f86647306da729613df330.exe
1812	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	983ffa6d57f86647306da729613df330.exe
Token: SeDebugPrivilege	1812	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2652	1644	983ffa6d57f86647306da729613df330.exe	28
PID 1644 wrote to memory of 2652	1644	983ffa6d57f86647306da729613df330.exe	28
PID 1644 wrote to memory of 2652	1644	983ffa6d57f86647306da729613df330.exe	28
PID 1644 wrote to memory of 2652	1644	983ffa6d57f86647306da729613df330.exe	28
PID 1644 wrote to memory of 2892	1644	983ffa6d57f86647306da729613df330.exe	29
PID 1644 wrote to memory of 2892	1644	983ffa6d57f86647306da729613df330.exe	29
PID 1644 wrote to memory of 2892	1644	983ffa6d57f86647306da729613df330.exe	29
PID 1644 wrote to memory of 2892	1644	983ffa6d57f86647306da729613df330.exe	29
PID 1644 wrote to memory of 2660	1644	983ffa6d57f86647306da729613df330.exe	30
PID 1644 wrote to memory of 2660	1644	983ffa6d57f86647306da729613df330.exe	30
PID 1644 wrote to memory of 2660	1644	983ffa6d57f86647306da729613df330.exe	30
PID 1644 wrote to memory of 2660	1644	983ffa6d57f86647306da729613df330.exe	30
PID 1644 wrote to memory of 2640	1644	983ffa6d57f86647306da729613df330.exe	31
PID 1644 wrote to memory of 2640	1644	983ffa6d57f86647306da729613df330.exe	31
PID 1644 wrote to memory of 2640	1644	983ffa6d57f86647306da729613df330.exe	31
PID 1644 wrote to memory of 2640	1644	983ffa6d57f86647306da729613df330.exe	31
PID 1644 wrote to memory of 1924	1644	983ffa6d57f86647306da729613df330.exe	32
PID 1644 wrote to memory of 1924	1644	983ffa6d57f86647306da729613df330.exe	32
PID 1644 wrote to memory of 1924	1644	983ffa6d57f86647306da729613df330.exe	32
PID 1644 wrote to memory of 1924	1644	983ffa6d57f86647306da729613df330.exe	32
PID 1644 wrote to memory of 2148	1644	983ffa6d57f86647306da729613df330.exe	33
PID 1644 wrote to memory of 2148	1644	983ffa6d57f86647306da729613df330.exe	33
PID 1644 wrote to memory of 2148	1644	983ffa6d57f86647306da729613df330.exe	33
PID 1644 wrote to memory of 2148	1644	983ffa6d57f86647306da729613df330.exe	33
PID 1644 wrote to memory of 2352	1644	983ffa6d57f86647306da729613df330.exe	34
PID 1644 wrote to memory of 2352	1644	983ffa6d57f86647306da729613df330.exe	34
PID 1644 wrote to memory of 2352	1644	983ffa6d57f86647306da729613df330.exe	34
PID 1644 wrote to memory of 2352	1644	983ffa6d57f86647306da729613df330.exe	34
PID 1644 wrote to memory of 2648	1644	983ffa6d57f86647306da729613df330.exe	35
PID 1644 wrote to memory of 2648	1644	983ffa6d57f86647306da729613df330.exe	35
PID 1644 wrote to memory of 2648	1644	983ffa6d57f86647306da729613df330.exe	35
PID 1644 wrote to memory of 2648	1644	983ffa6d57f86647306da729613df330.exe	35
PID 1644 wrote to memory of 2152	1644	983ffa6d57f86647306da729613df330.exe	36
PID 1644 wrote to memory of 2152	1644	983ffa6d57f86647306da729613df330.exe	36
PID 1644 wrote to memory of 2152	1644	983ffa6d57f86647306da729613df330.exe	36
PID 1644 wrote to memory of 2152	1644	983ffa6d57f86647306da729613df330.exe	36
PID 1644 wrote to memory of 2160	1644	983ffa6d57f86647306da729613df330.exe	37
PID 1644 wrote to memory of 2160	1644	983ffa6d57f86647306da729613df330.exe	37
PID 1644 wrote to memory of 2160	1644	983ffa6d57f86647306da729613df330.exe	37
PID 1644 wrote to memory of 2160	1644	983ffa6d57f86647306da729613df330.exe	37
PID 1644 wrote to memory of 888	1644	983ffa6d57f86647306da729613df330.exe	38
PID 1644 wrote to memory of 888	1644	983ffa6d57f86647306da729613df330.exe	38
PID 1644 wrote to memory of 888	1644	983ffa6d57f86647306da729613df330.exe	38
PID 1644 wrote to memory of 888	1644	983ffa6d57f86647306da729613df330.exe	38
PID 2652 wrote to memory of 1812	2652	WScript.exe	39
PID 2652 wrote to memory of 1812	2652	WScript.exe	39
PID 2652 wrote to memory of 1812	2652	WScript.exe	39
PID 2652 wrote to memory of 1812	2652	WScript.exe	39

C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
"C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Wstvstiulknlrmkszuhfp.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  C:\Users\Admin\AppData\Local\Temp\983ffa6d57f86647306da729613df330.exe
  2⤵
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Wstvstiulknlrmkszuhfp.vbs

Filesize
174B

MD5
9ddcc4f0461d539fcb94a37a1eb1e0ba

SHA1
930e0dd65c6ed6e710809940f9ac4d0747d3ab43

SHA256
7b4862f9628d5d53ea11f559eb7dbc5c53068cf4b7c3c499334f2537c91131cc

SHA512
7585d527b8bacc8c500816001e271eb70015f8782fb97264c7e35642d88ba6aa51a952f602275334763ab9fcb3b045780fe76dcf094c5cade865e8bb8efdb913

Download Submit
memory/1644-49-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-2491-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1644-3-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1644-4-0x00000000020A0000-0x00000000020FE000-memory.dmp

Filesize
376KB

Download
memory/1644-5-0x0000000008220000-0x00000000082A6000-memory.dmp

Filesize
536KB

Download
memory/1644-6-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-7-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-9-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-13-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-15-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-19-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-21-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-23-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-27-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-29-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-31-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-35-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-39-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-45-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-43-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-41-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-51-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-53-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-2-0x0000000004710000-0x0000000004750000-memory.dmp

Filesize
256KB

Download
memory/1644-69-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-63-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-59-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-61-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-67-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-65-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-57-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-55-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-47-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-37-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-33-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-25-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-17-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-11-0x0000000008220000-0x00000000082A0000-memory.dmp

Filesize
512KB

Download
memory/1644-394-0x0000000004710000-0x0000000004750000-memory.dmp

Filesize
256KB

Download
memory/1644-2485-0x0000000004260000-0x0000000004268000-memory.dmp

Filesize
32KB

Download
memory/1644-1-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/1644-0-0x00000000003B0000-0x00000000004AC000-memory.dmp

Filesize
1008KB

Download
memory/1812-2494-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-2495-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-2496-0x00000000029B0000-0x00000000029F0000-memory.dmp

Filesize
256KB

Download
memory/1812-2497-0x00000000029B0000-0x00000000029F0000-memory.dmp

Filesize
256KB

Download
memory/1812-2498-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download