zgrat | 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

General

Target

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Size

1.6MB
MD5

a2546c042f4e31597a83d5d0732d4730
SHA1

214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3
SHA256

8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731
SHA512

af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215
SSDEEP

24576:dpvTQJAutjYcQt3icthumBbD73S8GW1VMuAK/vfgGx7Dxeylmwv4SvOnJxKISR:vkqR7CpW1auAufgGFDxeKv/WKV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/3664-0-0x0000000000280000-0x0000000000418000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0006000000023208-13.dat	family_zgrat_v1
behavioral2/files/0x0006000000023204-24.dat	family_zgrat_v1
behavioral2/files/0x0006000000023204-23.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 4 IoCs

resource	yara_rule
behavioral2/memory/3664-0-0x0000000000280000-0x0000000000418000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023208-13.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023204-24.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023204-23.dat	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Executes dropped EXE 1 IoCs

pid	Process
4188	unsecapp.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Program Files\Windows Photo Viewer\2eb793b00d4289	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CbsTemp\unsecapp.exe	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
File created	C:\Windows\CbsTemp\29c1c3cc0f7685	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
4188	unsecapp.exe
4188	unsecapp.exe
4188	unsecapp.exe
4188	unsecapp.exe
4188	unsecapp.exe
4188	unsecapp.exe
4188	unsecapp.exe
4188	unsecapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4188	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Token: SeDebugPrivilege	4188	unsecapp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 1080	3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	30
PID 3664 wrote to memory of 1080	3664	8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe	30
PID 1080 wrote to memory of 3132	1080	cmd.exe	28
PID 1080 wrote to memory of 3132	1080	cmd.exe	28
PID 1080 wrote to memory of 1612	1080	cmd.exe	27
PID 1080 wrote to memory of 1612	1080	cmd.exe	27
PID 1080 wrote to memory of 4188	1080	cmd.exe	92
PID 1080 wrote to memory of 4188	1080	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
"C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qtlKrWatFJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\CbsTemp\unsecapp.exe
    "C:\Windows\CbsTemp\unsecapp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4188

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1612

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

Filesize
158KB

MD5
8f96a55ce8c8891e6eea3539cbb37849

SHA1
f7aeb2b9cb25c6a4354b31a9d30262969ba9a16d

SHA256
6cbf0e651bb161cfbfe6fcbe3c84502781997b744b0c84b14c99ecb92ea0d989

SHA512
0f83c23241a47f1ee42c7c17bc940122a498ff138517fb9e451da19e620534d4fefe2922c12b62e13a63b787e14b71bcff765efc8f81fd9aa9a1506d314f50e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtlKrWatFJ.bat

Filesize
207B

MD5
80b992c1998dae502fe64427d39824df

SHA1
ae721cc61fe23b9453de29ae43ee4a71ff00a01a

SHA256
ad56ea6425d1cb6533f8ac33fe234bec956488cf3e89e765b8e9dfe37ee70016

SHA512
290051c47821589c0f8b8f8f403461d1a56cda9b1e933616d1364be6f5ddfd0071869810cc11aaaef787d14ff1f18c17b6fbed5e46f4d68cdc1131a7f378796d

Download Submit
C:\Windows\CbsTemp\unsecapp.exe

Filesize
1KB

MD5
f2ea0cb13ddd1e9e57376f8079d97c06

SHA1
9a1bd0a9ecaee75a98da3af4ab0265efccff9736

SHA256
3ae987d0dbd0b5c55772d077e1412a122d6a5de441ab490ac4865e0e8476e5a5

SHA512
ac6ac99f3628bf8d834f114348188aa98f6506344421a4c18f3bc0de2b45fd408c0d248ed7f1e9a459fa63ab36f69637c8a1d6276faa782df507a2ba567a2b9d

Download Submit
C:\Windows\CbsTemp\unsecapp.exe

Filesize
17KB

MD5
c73658bb5200a5ff4ba3658fe668766b

SHA1
9bce8f59c5a2a279f4677b0fb3ab86a162a11ff5

SHA256
46ccd3f60cf5d53b836890993b724c3e45154bc5e9cb7ddb75555d4ddf827b74

SHA512
d9f9c6257abdba9f7eb563231a4acc686d2f80035037571e513bde20bd87626cdd9961bb2eec9d12c13c9d94b9be482ce25ce9def9dd94147c5a7ca5f2e81f3d

Download Submit
memory/3664-3-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/3664-2-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/3664-1-0x00007FFF96900000-0x00007FFF973C1000-memory.dmp

Filesize
10.8MB

Download
memory/3664-21-0x00007FFF96900000-0x00007FFF973C1000-memory.dmp

Filesize
10.8MB

Download
memory/3664-0-0x0000000000280000-0x0000000000418000-memory.dmp

Filesize
1.6MB

Download
memory/4188-25-0x00007FFF964A0000-0x00007FFF96F61000-memory.dmp

Filesize
10.8MB

Download
memory/4188-26-0x000000001BE90000-0x000000001BEA0000-memory.dmp

Filesize
64KB

Download
memory/4188-27-0x00000000017C0000-0x00000000017C1000-memory.dmp

Filesize
4KB

Download
memory/4188-28-0x000000001BE90000-0x000000001BEA0000-memory.dmp

Filesize
64KB

Download
memory/4188-29-0x00007FFF964A0000-0x00007FFF96F61000-memory.dmp

Filesize
10.8MB

Download
memory/4188-30-0x000000001BE90000-0x000000001BEA0000-memory.dmp

Filesize
64KB

Download
memory/4188-31-0x000000001BE90000-0x000000001BEA0000-memory.dmp

Filesize
64KB

Download
memory/4188-32-0x000000001BE90000-0x000000001BEA0000-memory.dmp

Filesize
64KB

Download
memory/4188-33-0x000000001BE90000-0x000000001BEA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing