zgrat | bdd500e8d7fadf83d80b3e1e6affbf60af92dff9d0b902b353e6ddad657445da

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 10:04

Target

cb1fef1a16b7fc3851b569ffb51e17d9.exe
Size

353KB
MD5

cb1fef1a16b7fc3851b569ffb51e17d9
SHA1

00373b44ad8558dd23832f3aba6b031acbad706e
SHA256

bdd500e8d7fadf83d80b3e1e6affbf60af92dff9d0b902b353e6ddad657445da
SHA512

0e1650bc41854d87dbef66870e300b52b6bf5fdd66af7753098d3711acea1deae18241cad26b7839bcfbd4a0eccadbec3502b613046cc0a1de3b1b3649d8d016
SSDEEP

6144:36wEc0lyFFVFCTkeiNRTD2dWlKItfK6ioAjVQ5qvfJX73aAtxzxCmJ1X3XCjC6:KwEZuFVk4eiHCiKWfooAjGovfND5xzxP

Score

10^/10

zgrat rat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/2292-0-0x0000000000160000-0x00000000001BE000-memory.dmp	family_zgrat_v1

Suspicious behavior: EnumeratesProcesses 10 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3176	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	105
PID 2292 wrote to memory of 3176	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	105
PID 2292 wrote to memory of 3176	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	105
PID 2292 wrote to memory of 3032	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	106
PID 2292 wrote to memory of 3032	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	106
PID 2292 wrote to memory of 3032	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	106
PID 2292 wrote to memory of 4404	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	107
PID 2292 wrote to memory of 4404	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	107
PID 2292 wrote to memory of 4404	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	107
PID 2292 wrote to memory of 3204	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	108
PID 2292 wrote to memory of 3204	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	108
PID 2292 wrote to memory of 3204	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	108
PID 2292 wrote to memory of 680	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	109
PID 2292 wrote to memory of 680	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	109
PID 2292 wrote to memory of 680	2292	cb1fef1a16b7fc3851b569ffb51e17d9.exe	109

C:\Users\Admin\AppData\Local\Temp\cb1fef1a16b7fc3851b569ffb51e17d9.exe
"C:\Users\Admin\AppData\Local\Temp\cb1fef1a16b7fc3851b569ffb51e17d9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:3176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:4404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:3204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:680

memory/2292-1-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2292-0-0x0000000000160000-0x00000000001BE000-memory.dmp

Filesize
376KB

Download
memory/2292-2-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

Filesize
624KB

Download
memory/2292-3-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2292-5-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download