zgrat | 14b67f3273192e061b04c05bb81aea8794f58a856b762006fb2359f55230327c

Analysis

max time kernel
129s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ghghgfhgfh.exe
Size

666KB
MD5

d8cec9abef1a3d395031b4528a39203f
SHA1

4a0603a98dd87ea78acb3b90613f1b9cc7c5e7f3
SHA256

14b67f3273192e061b04c05bb81aea8794f58a856b762006fb2359f55230327c
SHA512

7106cc6f72cf54f368fc6052f6043024c6cff6711efdadf4bc696889cecb950f31f1c3b6caebb07bf4be605885d3aa0509078d20e705c698dd2f81b6cc31634c
SSDEEP

12288:OPjMEqtt7uY2R7e9Q6bfCo8VZAr671FAAb7qNf72wkfuXdwuKhS5Ec7sTxKR9gVq:yqtt7zRpbfCo8VZK671FAOqNf725futL

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/2676-15-0x000000001AC90000-0x000000001AD94000-memory.dmp	family_zgrat_v1
behavioral1/memory/2460-35-0x000000001AB60000-0x000000001AC64000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 3 IoCs

pid	Process
2776	ghghgfhgfh.exe
2164	ghghgfhgfh.exe
1788	ghghgfhgfh.exe

Loads dropped DLL 1 IoCs

pid	Process
2592	taskeng.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 2676	1460	ghghgfhgfh.exe	28
PID 2776 set thread context of 2460	2776	ghghgfhgfh.exe	38
PID 2164 set thread context of 1952	2164	ghghgfhgfh.exe	50
PID 1788 set thread context of 2880	1788	ghghgfhgfh.exe	59

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2532	schtasks.exe
2208	schtasks.exe
1708	schtasks.exe
896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2676	vbc.exe
2676	vbc.exe
2676	vbc.exe
2676	vbc.exe
2676	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2676	1460	ghghgfhgfh.exe	28
PID 1460 wrote to memory of 2676	1460	ghghgfhgfh.exe	28
PID 1460 wrote to memory of 2676	1460	ghghgfhgfh.exe	28
PID 1460 wrote to memory of 2676	1460	ghghgfhgfh.exe	28
PID 1460 wrote to memory of 2676	1460	ghghgfhgfh.exe	28
PID 1460 wrote to memory of 2676	1460	ghghgfhgfh.exe	28
PID 1460 wrote to memory of 2676	1460	ghghgfhgfh.exe	28
PID 1460 wrote to memory of 2516	1460	ghghgfhgfh.exe	29
PID 1460 wrote to memory of 2516	1460	ghghgfhgfh.exe	29
PID 1460 wrote to memory of 2516	1460	ghghgfhgfh.exe	29
PID 1460 wrote to memory of 2548	1460	ghghgfhgfh.exe	30
PID 1460 wrote to memory of 2548	1460	ghghgfhgfh.exe	30
PID 1460 wrote to memory of 2548	1460	ghghgfhgfh.exe	30
PID 1460 wrote to memory of 2536	1460	ghghgfhgfh.exe	31
PID 1460 wrote to memory of 2536	1460	ghghgfhgfh.exe	31
PID 1460 wrote to memory of 2536	1460	ghghgfhgfh.exe	31
PID 2548 wrote to memory of 2532	2548	cmd.exe	35
PID 2548 wrote to memory of 2532	2548	cmd.exe	35
PID 2548 wrote to memory of 2532	2548	cmd.exe	35
PID 2592 wrote to memory of 2776	2592	taskeng.exe	37
PID 2592 wrote to memory of 2776	2592	taskeng.exe	37
PID 2592 wrote to memory of 2776	2592	taskeng.exe	37
PID 2776 wrote to memory of 2460	2776	ghghgfhgfh.exe	38
PID 2776 wrote to memory of 2460	2776	ghghgfhgfh.exe	38
PID 2776 wrote to memory of 2460	2776	ghghgfhgfh.exe	38
PID 2776 wrote to memory of 2460	2776	ghghgfhgfh.exe	38
PID 2776 wrote to memory of 2460	2776	ghghgfhgfh.exe	38
PID 2776 wrote to memory of 2460	2776	ghghgfhgfh.exe	38
PID 2776 wrote to memory of 2460	2776	ghghgfhgfh.exe	38
PID 2776 wrote to memory of 2436	2776	ghghgfhgfh.exe	39
PID 2776 wrote to memory of 2436	2776	ghghgfhgfh.exe	39
PID 2776 wrote to memory of 2436	2776	ghghgfhgfh.exe	39
PID 2776 wrote to memory of 2916	2776	ghghgfhgfh.exe	40
PID 2776 wrote to memory of 2916	2776	ghghgfhgfh.exe	40
PID 2776 wrote to memory of 2916	2776	ghghgfhgfh.exe	40
PID 2776 wrote to memory of 2456	2776	ghghgfhgfh.exe	41
PID 2776 wrote to memory of 2456	2776	ghghgfhgfh.exe	41
PID 2776 wrote to memory of 2456	2776	ghghgfhgfh.exe	41
PID 2916 wrote to memory of 2208	2916	cmd.exe	43
PID 2916 wrote to memory of 2208	2916	cmd.exe	43
PID 2916 wrote to memory of 2208	2916	cmd.exe	43
PID 2592 wrote to memory of 2164	2592	taskeng.exe	49
PID 2592 wrote to memory of 2164	2592	taskeng.exe	49
PID 2592 wrote to memory of 2164	2592	taskeng.exe	49
PID 2164 wrote to memory of 1952	2164	ghghgfhgfh.exe	50
PID 2164 wrote to memory of 1952	2164	ghghgfhgfh.exe	50
PID 2164 wrote to memory of 1952	2164	ghghgfhgfh.exe	50
PID 2164 wrote to memory of 1952	2164	ghghgfhgfh.exe	50
PID 2164 wrote to memory of 1952	2164	ghghgfhgfh.exe	50
PID 2164 wrote to memory of 1952	2164	ghghgfhgfh.exe	50
PID 2164 wrote to memory of 1952	2164	ghghgfhgfh.exe	50
PID 2164 wrote to memory of 1688	2164	ghghgfhgfh.exe	51
PID 2164 wrote to memory of 1688	2164	ghghgfhgfh.exe	51
PID 2164 wrote to memory of 1688	2164	ghghgfhgfh.exe	51
PID 2164 wrote to memory of 2380	2164	ghghgfhgfh.exe	52
PID 2164 wrote to memory of 2380	2164	ghghgfhgfh.exe	52
PID 2164 wrote to memory of 2380	2164	ghghgfhgfh.exe	52
PID 2164 wrote to memory of 1632	2164	ghghgfhgfh.exe	53
PID 2164 wrote to memory of 1632	2164	ghghgfhgfh.exe	53
PID 2164 wrote to memory of 1632	2164	ghghgfhgfh.exe	53
PID 2380 wrote to memory of 1708	2380	cmd.exe	55
PID 2380 wrote to memory of 1708	2380	cmd.exe	55
PID 2380 wrote to memory of 1708	2380	cmd.exe	55
PID 2592 wrote to memory of 1788	2592	taskeng.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ghghgfhgfh.exe
"C:\Users\Admin\AppData\Local\Temp\ghghgfhgfh.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\ghghgfhgfh"
  2⤵
  PID:2516
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2532
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ghghgfhgfh.exe" "C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe"
  2⤵
  PID:2536

C:\Windows\system32\taskeng.exe
taskeng.exe {0039B306-5DC3-43BF-9EBF-C53227C6F71D} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe
  C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    3⤵
    PID:2460
- - C:\Windows\system32\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\ghghgfhgfh"
    3⤵
    PID:2436
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:2208
- - C:\Windows\system32\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe" "C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe"
    3⤵
    PID:2456
- C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe
  C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    3⤵
    PID:1952
- - C:\Windows\system32\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\ghghgfhgfh"
    3⤵
    PID:1688
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1708
- - C:\Windows\system32\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe" "C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe"
    3⤵
    PID:1632
- C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe
  C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1788
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    3⤵
    PID:2880
- - C:\Windows\system32\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\ghghgfhgfh"
    3⤵
    PID:2080
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe'" /f
    3⤵
    PID:1728
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:896
- - C:\Windows\system32\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe" "C:\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe"
    3⤵
    PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\ghghgfhgfh\ghghgfhgfh.exe

Filesize
666KB

MD5
d8cec9abef1a3d395031b4528a39203f

SHA1
4a0603a98dd87ea78acb3b90613f1b9cc7c5e7f3

SHA256
14b67f3273192e061b04c05bb81aea8794f58a856b762006fb2359f55230327c

SHA512
7106cc6f72cf54f368fc6052f6043024c6cff6711efdadf4bc696889cecb950f31f1c3b6caebb07bf4be605885d3aa0509078d20e705c698dd2f81b6cc31634c

Download Submit
memory/1460-0-0x0000000000190000-0x000000000023A000-memory.dmp

Filesize
680KB

Download
memory/1460-1-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1460-2-0x000000001AF10000-0x000000001AF90000-memory.dmp

Filesize
512KB

Download
memory/1460-12-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1788-73-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1788-64-0x0000000000FC0000-0x0000000001040000-memory.dmp

Filesize
512KB

Download
memory/1788-63-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1788-62-0x0000000001060000-0x000000000110A000-memory.dmp

Filesize
680KB

Download
memory/1952-58-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1952-59-0x000000001ACF0000-0x000000001AD70000-memory.dmp

Filesize
512KB

Download
memory/1952-60-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1952-56-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1952-51-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/2164-57-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2164-47-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2460-41-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2460-28-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2460-33-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2460-34-0x000000001AC60000-0x000000001ACE0000-memory.dmp

Filesize
512KB

Download
memory/2460-35-0x000000001AB60000-0x000000001AC64000-memory.dmp

Filesize
1.0MB

Download
memory/2460-45-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-16-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/2676-6-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/2676-39-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-40-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2676-37-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2676-42-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2676-43-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2676-44-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2676-3-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2676-4-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2676-5-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2676-38-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2676-17-0x00000000004D0000-0x000000000051C000-memory.dmp

Filesize
304KB

Download
memory/2676-15-0x000000001AC90000-0x000000001AD94000-memory.dmp

Filesize
1.0MB

Download
memory/2676-11-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-8-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2776-22-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2776-23-0x0000000000CC0000-0x0000000000D6A000-memory.dmp

Filesize
680KB

Download
memory/2776-24-0x0000000000420000-0x00000000004A0000-memory.dmp

Filesize
512KB

Download
memory/2776-36-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-74-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-75-0x000000001AD60000-0x000000001ADE0000-memory.dmp

Filesize
512KB

Download