zgrat | 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

General

Target

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Size

1.6MB
MD5

a2546c042f4e31597a83d5d0732d4730
SHA1

214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3
SHA256

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731
SHA512

af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215
SSDEEP

24576:dpvTQJAutjYcQt3icthumBbD73S8GW1VMuAK/vfgGx7Dxeylmwv4SvOnJxKISR:vkqR7CpW1auAufgGFDxeKv/WKV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/3616-0-0x0000000000290000-0x0000000000428000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000002322c-13.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral2/memory/3616-0-0x0000000000290000-0x0000000000428000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002322c-13.dat	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Executes dropped EXE 1 IoCs

pid	Process
3636	spoolsv.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\55b276f4edf653	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\f3b6ecef712a24	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3636	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3636	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Token: SeDebugPrivilege	3636	spoolsv.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 5104	3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	82
PID 3616 wrote to memory of 5104	3616	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	82
PID 5104 wrote to memory of 3640	5104	cmd.exe	84
PID 5104 wrote to memory of 3640	5104	cmd.exe	84
PID 5104 wrote to memory of 1528	5104	cmd.exe	85
PID 5104 wrote to memory of 1528	5104	cmd.exe	85
PID 5104 wrote to memory of 3636	5104	cmd.exe	86
PID 5104 wrote to memory of 3636	5104	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
"C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ClIATBb7pK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3640
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1528
- - C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
    "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.6MB

MD5
a2546c042f4e31597a83d5d0732d4730

SHA1
214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3

SHA256
8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

SHA512
af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215

Download Submit
C:\Users\Admin\AppData\Local\Temp\ClIATBb7pK.bat

Filesize
235B

MD5
95e715032ef99b0028d877f5738a0650

SHA1
c7bfb7de9912ef9a2bebe41eea72c1acbcd4172b

SHA256
fa3e83cc89224e0175b471999c4c3af4ccad0814b4fd06e6ca5dce95f93854bd

SHA512
9090f0f5128a18de8d7ccd231deb7b9d081ca12ac7ab336d3261cb093160db578d646d8c5358da40d60cad41499897a0eef49e5cfb5bd74c09b2f96627b2119d

Download Submit
memory/3616-21-0x00007FF88F3D0000-0x00007FF88FE91000-memory.dmp

Filesize
10.8MB

Download
memory/3616-3-0x000000001AF90000-0x000000001AFA0000-memory.dmp

Filesize
64KB

Download
memory/3616-2-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3616-1-0x00007FF88F3D0000-0x00007FF88FE91000-memory.dmp

Filesize
10.8MB

Download
memory/3616-0-0x0000000000290000-0x0000000000428000-memory.dmp

Filesize
1.6MB

Download
memory/3636-25-0x00007FF88F0A0000-0x00007FF88FB61000-memory.dmp

Filesize
10.8MB

Download
memory/3636-27-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3636-26-0x000000001AD90000-0x000000001ADA0000-memory.dmp

Filesize
64KB

Download
memory/3636-28-0x000000001AD90000-0x000000001ADA0000-memory.dmp

Filesize
64KB

Download
memory/3636-29-0x00007FF88F0A0000-0x00007FF88FB61000-memory.dmp

Filesize
10.8MB

Download
memory/3636-30-0x000000001AD90000-0x000000001ADA0000-memory.dmp

Filesize
64KB

Download
memory/3636-31-0x000000001AD90000-0x000000001ADA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing