zgrat | b83aed8214e0f95cb74b9b2bbc49b16bd46cc46a9ec620a4ab1a3ddbde34c303

Analysis

max time kernel
89s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WmiPrvSE.exe
Size

1.9MB
MD5

d67f722b73a3cbef568a2e3124a4bc04
SHA1

27e0a75a646fb2869b31eab2f34f1de4db7e35e6
SHA256

b83aed8214e0f95cb74b9b2bbc49b16bd46cc46a9ec620a4ab1a3ddbde34c303
SHA512

c050652f2b11f4ad3ff9832f894ae6ada16400c41576b64e9bcfa2b785f15987b7d846f9bb597c4495edad91b4c67a8d601d5757afee39ed890148461f6de9bb
SSDEEP

24576:AEtP/SRdxjxY8eCpDbZXvSBNOjABV+m/dynu46+I9KTVQpeeKghOb7XYFtRKdcaB:rj8ZbkNF0m/0vV1eKghUYFtML/sJ

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/1348-0-0x0000000000CB0000-0x0000000000EA2000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000002321c-34.dat	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	1736	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1736	schtasks.exe	86

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 1 IoCs

pid	Process
1440	lsass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\9e8d7a4ca61bd9	WmiPrvSE.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe	WmiPrvSE.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6203df4a6bafc7	WmiPrvSE.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe	WmiPrvSE.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\5b884080fd4f94	WmiPrvSE.exe
File created	C:\Program Files (x86)\Google\Update\Download\RuntimeBroker.exe	WmiPrvSE.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\RuntimeBroker.exe	WmiPrvSE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2828	schtasks.exe
4364	schtasks.exe
2744	schtasks.exe
3504	schtasks.exe
2232	schtasks.exe
3156	schtasks.exe
2864	schtasks.exe
840	schtasks.exe
1420	schtasks.exe
432	schtasks.exe
1748	schtasks.exe
4952	schtasks.exe
4040	schtasks.exe
2284	schtasks.exe
1932	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	WmiPrvSE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe
1348	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	WmiPrvSE.exe
Token: SeDebugPrivilege	1440	lsass.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 4124	1348	WmiPrvSE.exe	102
PID 1348 wrote to memory of 4124	1348	WmiPrvSE.exe	102
PID 4124 wrote to memory of 844	4124	cmd.exe	104
PID 4124 wrote to memory of 844	4124	cmd.exe	104
PID 4124 wrote to memory of 4696	4124	cmd.exe	105
PID 4124 wrote to memory of 4696	4124	cmd.exe	105
PID 4124 wrote to memory of 1440	4124	cmd.exe	109
PID 4124 wrote to memory of 1440	4124	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yslbGAH7fW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:844
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4696
- - C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Download\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Download\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\odt\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\odt\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yslbGAH7fW.bat

Filesize
236B

MD5
b5dda3d2a2834e4be8da535ac288d1aa

SHA1
b51f708787f76cb3f47722fc6573015e992f63a1

SHA256
ef2f77d67e4b625debf824e5980e888b912373df03e2a9f0ff84e7f694b33d2e

SHA512
2bc35906f9fd22c40a74a1292e9d5716de6fbdaaf125dfa317a7659e75a6a579febd4b9c5850fc229da527b804ff33891abd38b70034f3e70a63f17c68f0d412

Download Submit
C:\odt\TextInputHost.exe

Filesize
1.9MB

MD5
d67f722b73a3cbef568a2e3124a4bc04

SHA1
27e0a75a646fb2869b31eab2f34f1de4db7e35e6

SHA256
b83aed8214e0f95cb74b9b2bbc49b16bd46cc46a9ec620a4ab1a3ddbde34c303

SHA512
c050652f2b11f4ad3ff9832f894ae6ada16400c41576b64e9bcfa2b785f15987b7d846f9bb597c4495edad91b4c67a8d601d5757afee39ed890148461f6de9bb

Download Submit
memory/1348-21-0x00000000030E0000-0x00000000030EE000-memory.dmp

Filesize
56KB

Download
memory/1348-25-0x00007FF8BB4E0000-0x00007FF8BB4E1000-memory.dmp

Filesize
4KB

Download
memory/1348-5-0x0000000002F30000-0x0000000002F3E000-memory.dmp

Filesize
56KB

Download
memory/1348-6-0x00007FF8BB540000-0x00007FF8BB5FE000-memory.dmp

Filesize
760KB

Download
memory/1348-7-0x00007FF8BB530000-0x00007FF8BB531000-memory.dmp

Filesize
4KB

Download
memory/1348-8-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1348-9-0x00007FF8BB540000-0x00007FF8BB5FE000-memory.dmp

Filesize
760KB

Download
memory/1348-12-0x00007FF8BB520000-0x00007FF8BB521000-memory.dmp

Filesize
4KB

Download
memory/1348-11-0x00000000030F0000-0x000000000310C000-memory.dmp

Filesize
112KB

Download
memory/1348-13-0x000000001BB50000-0x000000001BBA0000-memory.dmp

Filesize
320KB

Download
memory/1348-16-0x00007FF8BB510000-0x00007FF8BB511000-memory.dmp

Filesize
4KB

Download
memory/1348-15-0x000000001BB00000-0x000000001BB18000-memory.dmp

Filesize
96KB

Download
memory/1348-18-0x00000000030D0000-0x00000000030DE000-memory.dmp

Filesize
56KB

Download
memory/1348-19-0x00007FF8BB500000-0x00007FF8BB501000-memory.dmp

Filesize
4KB

Download
memory/1348-0-0x0000000000CB0000-0x0000000000EA2000-memory.dmp

Filesize
1.9MB

Download
memory/1348-22-0x00007FF8BB4F0000-0x00007FF8BB4F1000-memory.dmp

Filesize
4KB

Download
memory/1348-3-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1348-2-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

Filesize
4KB

Download
memory/1348-24-0x0000000003110000-0x000000000311E000-memory.dmp

Filesize
56KB

Download
memory/1348-42-0x00007FF89CE00000-0x00007FF89D8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1348-43-0x00007FF8BB540000-0x00007FF8BB5FE000-memory.dmp

Filesize
760KB

Download
memory/1348-1-0x00007FF89CE00000-0x00007FF89D8C1000-memory.dmp

Filesize
10.8MB

Download
memory/1440-48-0x00007FF89CD50000-0x00007FF89D811000-memory.dmp

Filesize
10.8MB

Download
memory/1440-49-0x000000001B480000-0x000000001B481000-memory.dmp

Filesize
4KB

Download
memory/1440-51-0x00007FF8BB540000-0x00007FF8BB5FE000-memory.dmp

Filesize
760KB

Download
memory/1440-52-0x00007FF8BB530000-0x00007FF8BB531000-memory.dmp

Filesize
4KB

Download
memory/1440-53-0x00007FF8BB520000-0x00007FF8BB521000-memory.dmp

Filesize
4KB

Download
memory/1440-57-0x00007FF8BB510000-0x00007FF8BB511000-memory.dmp

Filesize
4KB

Download
memory/1440-58-0x00007FF8BB500000-0x00007FF8BB501000-memory.dmp

Filesize
4KB

Download
memory/1440-59-0x00007FF8BB4F0000-0x00007FF8BB4F1000-memory.dmp

Filesize
4KB

Download
memory/1440-62-0x00007FF8BB4E0000-0x00007FF8BB4E1000-memory.dmp

Filesize
4KB

Download
memory/1440-63-0x00007FF89CD50000-0x00007FF89D811000-memory.dmp

Filesize
10.8MB

Download
memory/1440-64-0x00007FF8BB540000-0x00007FF8BB5FE000-memory.dmp

Filesize
760KB

Download