zgrat | 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14

General

Target

08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
Size

1.9MB
MD5

14f6f2650e4115f846437a021780ad79
SHA1

11825457804c1aec20dfb7049bc9d21e409e8094
SHA256

08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14
SHA512

97b6237d078fde08a90dfd6d30f6196c17bf1b5ed02e5114d51fd0800e77dea5a27868dcea011347f79b6d19c3dd854fa8de118cedb61708d5e124e6e337ebf8
SSDEEP

24576:2TbBv5rUyXVHz9DD003FvrxyYsw14gO8clrAVwMsxeCXEaSmzFN4DKIaUfReHUBr:IBJTBn1UrAVslhPFN6mcMUB+OZwfu5Xl

Score

10^/10

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231fa-10.dat	family_zgrat_v1
behavioral2/memory/1640-12-0x0000000000450000-0x00000000005EA000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231fa-10.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/1640-12-0x0000000000450000-0x00000000005EA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	ComContainerServercomponentDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1640	ComContainerServercomponentDll.exe
3372	csrss.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\56085415360792	ComContainerServercomponentDll.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\wininit.exe	ComContainerServercomponentDll.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Panther\setup.exe\csrss.exe	ComContainerServercomponentDll.exe
File created	C:\Windows\Panther\setup.exe\886983d96e3d3e	ComContainerServercomponentDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	ComContainerServercomponentDll.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3844	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4948	PING.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
1640	ComContainerServercomponentDll.exe
3372	csrss.exe
3372	csrss.exe
3372	csrss.exe
3372	csrss.exe
3372	csrss.exe
3372	csrss.exe
3372	csrss.exe
3372	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3372	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	ComContainerServercomponentDll.exe
Token: SeDebugPrivilege	3372	csrss.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 4552	4844	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	85
PID 4844 wrote to memory of 4552	4844	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	85
PID 4844 wrote to memory of 4552	4844	08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe	85
PID 4552 wrote to memory of 4560	4552	WScript.exe	91
PID 4552 wrote to memory of 4560	4552	WScript.exe	91
PID 4552 wrote to memory of 4560	4552	WScript.exe	91
PID 4560 wrote to memory of 3844	4560	cmd.exe	93
PID 4560 wrote to memory of 3844	4560	cmd.exe	93
PID 4560 wrote to memory of 3844	4560	cmd.exe	93
PID 4560 wrote to memory of 1640	4560	cmd.exe	94
PID 4560 wrote to memory of 1640	4560	cmd.exe	94
PID 1640 wrote to memory of 4264	1640	ComContainerServercomponentDll.exe	97
PID 1640 wrote to memory of 4264	1640	ComContainerServercomponentDll.exe	97
PID 4264 wrote to memory of 1240	4264	cmd.exe	99
PID 4264 wrote to memory of 1240	4264	cmd.exe	99
PID 4264 wrote to memory of 4948	4264	cmd.exe	100
PID 4264 wrote to memory of 4948	4264	cmd.exe	100
PID 4264 wrote to memory of 3372	4264	cmd.exe	101
PID 4264 wrote to memory of 3372	4264	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
"C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3844
  - - C:\chainCrt\ComContainerServercomponentDll.exe
      "C:\chainCrt/ComContainerServercomponentDll.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zZzZ568Pmt.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4264
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1240
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:4948
      - C:\Windows\Panther\setup.exe\csrss.exe
        
        "C:\Windows\Panther\setup.exe\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zZzZ568Pmt.bat

Filesize
166B

MD5
4365ebf6f637bfa2f624db69b063bab6

SHA1
0a5972cbf68f5eeaea79fa86f3616bd299a92f3e

SHA256
c2626dbddc1a5d7aa66d4988878fa6d0e230c209df6f6b437f85e0064fdf03b8

SHA512
86c3aa39197f293644997de1bc91df8eaba9819952a765305938730e7cd1a2ef92939524c0bbdb593800d09f7f52d51c13c66ab5aa3efa3e5b7196e8290d3ac9

Download Submit
C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat

Filesize
219B

MD5
2c6552d7067705b8adc060be796cc726

SHA1
f1f4ca6df3799590d29048d8c0ef8c377b72b29a

SHA256
8f6048c3efd9407d6e5503aa6d2bc17b0c9c73ea883e5567f30ee15c39af7034

SHA512
969bb134f916e45c9f899ccaca82b1e5b5ad9859c758d5f0a514fa0b4d40c079ac14684d2066dbc29eca7e5d9271c3400d6b6fb9bb2707a85ce23edb7065c75d

Download Submit
C:\chainCrt\ComContainerServercomponentDll.exe

Filesize
1.6MB

MD5
c85bd715ac92063c07314d1ce33bb5a1

SHA1
36d690ccafaf3bcf312cb6055b1c33d18631cc01

SHA256
a4bf8ca2423567b154b8938d825125d86763fc6cade00de52e90af39e17b366b

SHA512
d5ab6661b7d00c54d486276e7744df1e55dac9e44c498c93ecac4e7250634be38be826ff5dbe3be8176fe32750e98e7b8525e6eb388473bd46ae946c3bf32fe0

Download Submit
C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe

Filesize
222B

MD5
864c2b2879ddb78e052cd8710b7c74e2

SHA1
065354d8ea5079825a29f4f9fb5a8f9fdddd660e

SHA256
fe19dff47eb716ff953aadbc4db9de1925f2c082c0030171687b925a5de56360

SHA512
08610b687b5eddd01eb77fcd18e1ad9098a471d2ed366b4c244c9a973eaef76e1b5dd8a4c1f0e65d71734f0412a228360fe2f110128ff3b191c37a4527f2d11f

Download Submit
memory/1640-12-0x0000000000450000-0x00000000005EA000-memory.dmp

Filesize
1.6MB

Download
memory/1640-13-0x00007FF8C50E0000-0x00007FF8C5BA1000-memory.dmp

Filesize
10.8MB

Download
memory/1640-14-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1640-15-0x000000001B370000-0x000000001B380000-memory.dmp

Filesize
64KB

Download
memory/1640-32-0x00007FF8C50E0000-0x00007FF8C5BA1000-memory.dmp

Filesize
10.8MB

Download
memory/3372-36-0x00007FF8C5030000-0x00007FF8C5AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3372-37-0x000000001BAF0000-0x000000001BAF1000-memory.dmp

Filesize
4KB

Download
memory/3372-38-0x00007FF8C5030000-0x00007FF8C5AF1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing