zgrat | f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246

Analysis

max time kernel
128s
max time network
142s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe
Size

420KB
MD5

4637890c14f37ece8321cf079192acd2
SHA1

8ab20768d020d40988fb848eeabb8efb16459330
SHA256

f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246
SHA512

977fac279c2e4852689cc4f65f4ef15cba035ac6b88d5b87e297ab2a8b73c12a6f29b3c58e5bacaedd86c1a4a8d2fcc175054a7eb273bdc9f11819c6631470cd
SSDEEP

6144:IbUCjzAieqUWBh4HtbcOdSTzUhDUKtNNhmQiBgZCxahmGatV48Mzr0YRDmX7:niDlh4HVcOiUxr3hmhC7h9warjR4

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2784-3-0x00000000006E0000-0x00000000007B6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-5-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-7-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-11-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-9-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-13-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-15-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-19-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-17-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-23-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-25-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-29-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-33-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-31-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-37-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-39-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-43-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-45-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-49-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-51-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-53-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-57-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-61-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-59-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-63-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-67-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-65-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-55-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-47-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-41-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-35-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-27-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-21-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2784-4-0x00000000006E0000-0x00000000007B0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe"	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe
Token: SeDebugPrivilege	2980	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2980	2784	f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe	29
PID 2784 wrote to memory of 2980	2784	f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe	29
PID 2784 wrote to memory of 2980	2784	f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe	29
PID 2784 wrote to memory of 2980	2784	f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe	29

C:\Users\Admin\AppData\Local\Temp\f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe
"C:\Users\Admin\AppData\Local\Temp\f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246' -Value '"C:\Users\Admin\AppData\Local\Temp\f762e754543decaa05f5a48eb894db18c2396feac1f983dc732b17e5563cf246.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2784-51-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-1-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-2-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2784-3-0x00000000006E0000-0x00000000007B6000-memory.dmp

Filesize
856KB

Download
memory/2784-5-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-7-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-11-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-9-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-13-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-15-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-19-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-17-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-23-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-25-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-29-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-33-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-31-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-37-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-39-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-43-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-0-0x0000000000180000-0x00000000001F0000-memory.dmp

Filesize
448KB

Download
memory/2784-45-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-49-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-53-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-57-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-61-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-59-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-63-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-67-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-65-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-55-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-47-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-41-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-35-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-27-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-21-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-4-0x00000000006E0000-0x00000000007B0000-memory.dmp

Filesize
832KB

Download
memory/2784-6084-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/2784-6083-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-6080-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2980-6081-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2980-6082-0x0000000070CC0000-0x000000007126B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-6079-0x0000000070CC0000-0x000000007126B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-6078-0x0000000070CC0000-0x000000007126B000-memory.dmp

Filesize
5.7MB

Download