zgrat | 0520b688648369e393b8f603c33dcc1f138a7a6239025b276824d6dbe9c517fb

Analysis

max time kernel
152s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d09a6cfe8d762be3b2511a013806b78b.exe
Size

562KB
MD5

d09a6cfe8d762be3b2511a013806b78b
SHA1

31704d8ff3eb5914ef86e5f2f8421865e1485726
SHA256

0520b688648369e393b8f603c33dcc1f138a7a6239025b276824d6dbe9c517fb
SHA512

74894e9184c2f7b7f45d3d3e6c175ce382b1651023f916b3beabf390cb59913c6f272a0087b8f76f99acac5eafb0d3e7138b113f283ba6a23b460817f91f1766
SSDEEP

6144:QC33M/KJCOQtchbHSENHJ74xtpW9V2fxzIwS625ij6txlznqi+NehaXoDzvdf:QC3jhFJ4fM2VS625w6txlzqDUhamT5

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/804-4-0x0000000006240000-0x0000000006350000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-5-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-6-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-8-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-10-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-12-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-14-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-16-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-18-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-20-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-22-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-24-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-26-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-28-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-30-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-32-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-34-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-36-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-40-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-38-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-42-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-44-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-46-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-48-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-50-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-52-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-54-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-56-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-58-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-60-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-62-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-64-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-66-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1
behavioral2/memory/804-68-0x0000000006240000-0x000000000634A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DocUpdaterMS = "C:\\Users\\Admin\\AppData\\Local\\DocUpdaterMS.exe"	d09a6cfe8d762be3b2511a013806b78b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	804	d09a6cfe8d762be3b2511a013806b78b.exe

C:\Users\Admin\AppData\Local\Temp\d09a6cfe8d762be3b2511a013806b78b.exe
"C:\Users\Admin\AppData\Local\Temp\d09a6cfe8d762be3b2511a013806b78b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-0-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/804-1-0x0000000000E30000-0x0000000000EC2000-memory.dmp

Filesize
584KB

Download
memory/804-2-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/804-3-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/804-4-0x0000000006240000-0x0000000006350000-memory.dmp

Filesize
1.1MB

Download
memory/804-5-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-6-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-8-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-10-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-12-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-14-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-16-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-18-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-20-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-22-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-24-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-26-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-28-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-30-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-32-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-34-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-36-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-40-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-38-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-42-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-44-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-46-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-48-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-50-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-52-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-54-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-56-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-58-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-60-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-62-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-64-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-66-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-68-0x0000000006240000-0x000000000634A000-memory.dmp

Filesize
1.0MB

Download
memory/804-419-0x0000000005BF0000-0x0000000005C00000-memory.dmp

Filesize
64KB

Download
memory/804-1120-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/804-1121-0x0000000006400000-0x000000000649A000-memory.dmp

Filesize
616KB

Download
memory/804-1122-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/804-1123-0x0000000006EF0000-0x0000000007494000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads