zgrat | 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

General

Target

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Size

1.6MB
MD5

a2546c042f4e31597a83d5d0732d4730
SHA1

214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3
SHA256

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731
SHA512

af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215
SSDEEP

24576:dpvTQJAutjYcQt3icthumBbD73S8GW1VMuAK/vfgGx7Dxeylmwv4SvOnJxKISR:vkqR7CpW1auAufgGFDxeKv/WKV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/memory/2304-0-0x0000000000820000-0x00000000009B8000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00060000000165e4-13.dat	family_zgrat_v1
behavioral1/files/0x0007000000015c8d-22.dat	family_zgrat_v1
behavioral1/memory/2148-24-0x0000000000210000-0x00000000003A8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 4 IoCs

resource	yara_rule
behavioral1/memory/2304-0-0x0000000000820000-0x00000000009B8000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00060000000165e4-13.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0007000000015c8d-22.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2148-24-0x0000000000210000-0x00000000003A8000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

pid	Process
2148	dwm.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\spoolsv.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File opened for modification	C:\Windows\es-ES\spoolsv.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Windows\es-ES\f3b6ecef712a24	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Windows\DigitalLocker\en-US\explorer.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Windows\DigitalLocker\en-US\7a0fd90576e088	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
2148	dwm.exe
2148	dwm.exe
2148	dwm.exe
2148	dwm.exe
2148	dwm.exe
2148	dwm.exe
2148	dwm.exe
2148	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2148	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Token: SeDebugPrivilege	2148	dwm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2576	2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	27
PID 2304 wrote to memory of 2576	2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	27
PID 2304 wrote to memory of 2576	2304	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	27
PID 2576 wrote to memory of 2668	2576	cmd.exe	29
PID 2576 wrote to memory of 2668	2576	cmd.exe	29
PID 2576 wrote to memory of 2668	2576	cmd.exe	29
PID 2576 wrote to memory of 3032	2576	cmd.exe	30
PID 2576 wrote to memory of 3032	2576	cmd.exe	30
PID 2576 wrote to memory of 3032	2576	cmd.exe	30
PID 2576 wrote to memory of 2148	2576	cmd.exe	33
PID 2576 wrote to memory of 2148	2576	cmd.exe	33
PID 2576 wrote to memory of 2148	2576	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
"C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1KLtM6QMuz.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2668
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3032
- - C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
    "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe

Filesize
941KB

MD5
0527dc0b6638b27724e16ba6d080fb23

SHA1
1810c7fe43010a2cb0282fa7ab43702abb931e4e

SHA256
6d9938a71a7423e8210894676ca8ef474345e3c5d8bbc61d736695375b125d71

SHA512
04b9cb28b521b641d1bcedce676a4c81b1aa9e45ce911542975711ee25417800db1c050ab4e706584efa4be2d18425553fcae86b06e2cf4ad10453ffe25c66a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1KLtM6QMuz.bat

Filesize
232B

MD5
66f3285303daf6b16fef0748a0696fde

SHA1
bc769f3cc0c4d2624d0d092e0c255f1b7d9dd2df

SHA256
88a297ed2db9c067f130358fb66248c328891621055c8eedf430b8cbef0245f9

SHA512
b2f9e3aff0bde64b49cbd503a2398a012ec586b7dbc122ee6bebd9fe4e90e6208328009b8ecc3fde919f926ce3e3432105ad876c34af241ee448e419131b802e

Download Submit
C:\Windows\DigitalLocker\en-US\explorer.exe

Filesize
1.6MB

MD5
a2546c042f4e31597a83d5d0732d4730

SHA1
214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3

SHA256
8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

SHA512
af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215

Download Submit
memory/2148-23-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2148-28-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2148-32-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2148-31-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2148-30-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2148-29-0x000007FEF4E60000-0x000007FEF584C000-memory.dmp

Filesize
9.9MB

Download
memory/2148-24-0x0000000000210000-0x00000000003A8000-memory.dmp

Filesize
1.6MB

Download
memory/2148-25-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2148-26-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2148-27-0x000000001B450000-0x000000001B4D0000-memory.dmp

Filesize
512KB

Download
memory/2304-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2304-0-0x0000000000820000-0x00000000009B8000-memory.dmp

Filesize
1.6MB

Download
memory/2304-1-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-20-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-2-0x000000001A8C0000-0x000000001A940000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing