zgrat | 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
Size

1.9MB
MD5

14f6f2650e4115f846437a021780ad79
SHA1

11825457804c1aec20dfb7049bc9d21e409e8094
SHA256

08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14
SHA512

97b6237d078fde08a90dfd6d30f6196c17bf1b5ed02e5114d51fd0800e77dea5a27868dcea011347f79b6d19c3dd854fa8de118cedb61708d5e124e6e337ebf8
SSDEEP

24576:2TbBv5rUyXVHz9DD003FvrxyYsw14gO8clrAVwMsxeCXEaSmzFN4DKIaUfReHUBr:IBJTBn1UrAVslhPFN6mcMUB+OZwfu5Xl

Score

10^/10

zgrat evasion rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122e0-10.dat	family_zgrat_v1
behavioral1/memory/2708-13-0x0000000000E40000-0x0000000000FDA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2496-35-0x0000000001330000-0x00000000014CA000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122e0-10.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2708-13-0x0000000000E40000-0x0000000000FDA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2496-35-0x0000000001330000-0x00000000014CA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2708	ComContainerServercomponentDll.exe
2496	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2088	cmd.exe
2088	cmd.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\System.exe	ComContainerServercomponentDll.exe
File opened for modification	C:\Program Files\Windows Portable Devices\System.exe	ComContainerServercomponentDll.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	ComContainerServercomponentDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2628	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe
2708	ComContainerServercomponentDll.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	ComContainerServercomponentDll.exe
Token: SeDebugPrivilege	2496	System.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2792	2252	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	28
PID 2252 wrote to memory of 2792	2252	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	28
PID 2252 wrote to memory of 2792	2252	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	28
PID 2252 wrote to memory of 2792	2252	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	28
PID 2792 wrote to memory of 2088	2792	WScript.exe	29
PID 2792 wrote to memory of 2088	2792	WScript.exe	29
PID 2792 wrote to memory of 2088	2792	WScript.exe	29
PID 2792 wrote to memory of 2088	2792	WScript.exe	29
PID 2088 wrote to memory of 2628	2088	cmd.exe	31
PID 2088 wrote to memory of 2628	2088	cmd.exe	31
PID 2088 wrote to memory of 2628	2088	cmd.exe	31
PID 2088 wrote to memory of 2628	2088	cmd.exe	31
PID 2088 wrote to memory of 2708	2088	cmd.exe	32
PID 2088 wrote to memory of 2708	2088	cmd.exe	32
PID 2088 wrote to memory of 2708	2088	cmd.exe	32
PID 2088 wrote to memory of 2708	2088	cmd.exe	32
PID 2708 wrote to memory of 2704	2708	ComContainerServercomponentDll.exe	33
PID 2708 wrote to memory of 2704	2708	ComContainerServercomponentDll.exe	33
PID 2708 wrote to memory of 2704	2708	ComContainerServercomponentDll.exe	33
PID 2704 wrote to memory of 2648	2704	cmd.exe	35
PID 2704 wrote to memory of 2648	2704	cmd.exe	35
PID 2704 wrote to memory of 2648	2704	cmd.exe	35
PID 2704 wrote to memory of 2780	2704	cmd.exe	36
PID 2704 wrote to memory of 2780	2704	cmd.exe	36
PID 2704 wrote to memory of 2780	2704	cmd.exe	36
PID 2704 wrote to memory of 2496	2704	cmd.exe	37
PID 2704 wrote to memory of 2496	2704	cmd.exe	37
PID 2704 wrote to memory of 2496	2704	cmd.exe	37
PID 2496 wrote to memory of 2236	2496	System.exe	38
PID 2496 wrote to memory of 2236	2496	System.exe	38
PID 2496 wrote to memory of 2236	2496	System.exe	38

C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
"C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2628
  - - C:\chainCrt\ComContainerServercomponentDll.exe
      "C:\chainCrt/ComContainerServercomponentDll.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0FDpY6TP3Y.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2648
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2780
      - C:\Program Files\Windows Portable Devices\System.exe
        
        "C:\Program Files\Windows Portable Devices\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2496 -s 1124
        7⤵
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0FDpY6TP3Y.bat

Filesize
228B

MD5
810c026cbf6259bcc761f640bdb39bf6

SHA1
ae706c0ff27025803051d4e2c72c9c1e42ce7632

SHA256
eaf9b2b501516bf6e98a839d33ae690a42de4c43c405de30093b2df1068b1c1e

SHA512
b2e548da0a2e9b5cfe8769113758225d71b039e74bb0aeccce6660631ce11c16fa9233e7826eb512659dd7e86c9e28ce8a8316e72fa0442a97e8ff1b98c2489f

Download Submit
C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat

Filesize
219B

MD5
2c6552d7067705b8adc060be796cc726

SHA1
f1f4ca6df3799590d29048d8c0ef8c377b72b29a

SHA256
8f6048c3efd9407d6e5503aa6d2bc17b0c9c73ea883e5567f30ee15c39af7034

SHA512
969bb134f916e45c9f899ccaca82b1e5b5ad9859c758d5f0a514fa0b4d40c079ac14684d2066dbc29eca7e5d9271c3400d6b6fb9bb2707a85ce23edb7065c75d

Download Submit
C:\chainCrt\ComContainerServercomponentDll.exe

Filesize
1.6MB

MD5
c85bd715ac92063c07314d1ce33bb5a1

SHA1
36d690ccafaf3bcf312cb6055b1c33d18631cc01

SHA256
a4bf8ca2423567b154b8938d825125d86763fc6cade00de52e90af39e17b366b

SHA512
d5ab6661b7d00c54d486276e7744df1e55dac9e44c498c93ecac4e7250634be38be826ff5dbe3be8176fe32750e98e7b8525e6eb388473bd46ae946c3bf32fe0

Download Submit
C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe

Filesize
222B

MD5
864c2b2879ddb78e052cd8710b7c74e2

SHA1
065354d8ea5079825a29f4f9fb5a8f9fdddd660e

SHA256
fe19dff47eb716ff953aadbc4db9de1925f2c082c0030171687b925a5de56360

SHA512
08610b687b5eddd01eb77fcd18e1ad9098a471d2ed366b4c244c9a973eaef76e1b5dd8a4c1f0e65d71734f0412a228360fe2f110128ff3b191c37a4527f2d11f

Download Submit
memory/2496-38-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-42-0x000000001AAD0000-0x000000001AB50000-memory.dmp

Filesize
512KB

Download
memory/2496-41-0x000000001AAD0000-0x000000001AB50000-memory.dmp

Filesize
512KB

Download
memory/2496-40-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-39-0x000000001AAD0000-0x000000001AB50000-memory.dmp

Filesize
512KB

Download
memory/2496-36-0x000007FEF5130000-0x000007FEF5B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-37-0x000000001AAD0000-0x000000001AB50000-memory.dmp

Filesize
512KB

Download
memory/2496-35-0x0000000001330000-0x00000000014CA000-memory.dmp

Filesize
1.6MB

Download
memory/2708-14-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-32-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2708-16-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2708-15-0x000000001A7D0000-0x000000001A850000-memory.dmp

Filesize
512KB

Download
memory/2708-13-0x0000000000E40000-0x0000000000FDA000-memory.dmp

Filesize
1.6MB

Download