zgrat | 36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711

Analysis

max time kernel
149s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe
Size

7.1MB
MD5

45d20d471e6f3f8f088d489d62058f23
SHA1

d261d037781fb5e7124a40df3d2e32e4d694c2c4
SHA256

36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711
SHA512

3e04852233147146e76684ebcc335e6281413796cf148d34234b86753a3f2b2afb2e58853d44873dc43f9578639ef55f35aab98aaee7dda718f6cfaeb4e4a02e
SSDEEP

49152:OcaZULgYNoMBuTzmK2tR6ddPIDPSh0VOze+7gzp/Y4RtLHfoKOIuiXzQEcnFIfWO:TaZU5NM7g5fofI3N8FV3Q

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4892-1-0x0000000000360000-0x0000000000A70000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Loads dropped DLL 1 IoCs

pid	Process
4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\kwweifjdskdv = "C:\\Users\\Admin\\AppData\\Local\\kwweifjdskdv\\kwweifjdskdv.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 2876	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4724	powershell.exe
4724	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	RegSvcs.exe
Token: SeDebugPrivilege	4724	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 2876	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	80
PID 4892 wrote to memory of 2876	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	80
PID 4892 wrote to memory of 2876	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	80
PID 4892 wrote to memory of 2876	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	80
PID 4892 wrote to memory of 2876	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	80
PID 4892 wrote to memory of 2876	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	80
PID 4892 wrote to memory of 2876	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	80
PID 4892 wrote to memory of 2876	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	80
PID 4892 wrote to memory of 4724	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	81
PID 4892 wrote to memory of 4724	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	81
PID 4892 wrote to memory of 4724	4892	36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe	81

C:\Users\Admin\AppData\Local\Temp\36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe
"C:\Users\Admin\AppData\Local\Temp\36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv' -Value '"C:\Users\Admin\AppData\Local\kwweifjdskdv\kwweifjdskdv.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xckp5a35.cck.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2876-42-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-108-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/2876-93-0x00000000064C0000-0x00000000064CA000-memory.dmp

Filesize
40KB

Download
memory/2876-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-36-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-39-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-38-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-80-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/2876-44-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-45-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-47-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-30-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-34-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-33-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-28-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4724-74-0x0000000006770000-0x00000000067BC000-memory.dmp

Filesize
304KB

Download
memory/4724-94-0x00000000077D0000-0x0000000007874000-memory.dmp

Filesize
656KB

Download
memory/4724-107-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4724-104-0x0000000007E80000-0x0000000007EA2000-memory.dmp

Filesize
136KB

Download
memory/4724-103-0x0000000007E30000-0x0000000007E38000-memory.dmp

Filesize
32KB

Download
memory/4724-102-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/4724-101-0x0000000007D40000-0x0000000007D55000-memory.dmp

Filesize
84KB

Download
memory/4724-100-0x0000000007D30000-0x0000000007D3E000-memory.dmp

Filesize
56KB

Download
memory/4724-99-0x0000000007D00000-0x0000000007D11000-memory.dmp

Filesize
68KB

Download
memory/4724-98-0x0000000007D80000-0x0000000007E16000-memory.dmp

Filesize
600KB

Download
memory/4724-97-0x0000000007B70000-0x0000000007B7A000-memory.dmp

Filesize
40KB

Download
memory/4724-96-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

Filesize
104KB

Download
memory/4724-95-0x0000000008130000-0x00000000087AA000-memory.dmp

Filesize
6.5MB

Download
memory/4724-92-0x0000000006D50000-0x0000000006D6E000-memory.dmp

Filesize
120KB

Download
memory/4724-82-0x0000000006D10000-0x0000000006D44000-memory.dmp

Filesize
208KB

Download
memory/4724-83-0x0000000071C20000-0x0000000071C6C000-memory.dmp

Filesize
304KB

Download
memory/4724-81-0x000000007F040000-0x000000007F050000-memory.dmp

Filesize
64KB

Download
memory/4724-75-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/4724-73-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/4724-72-0x00000000062E0000-0x0000000006637000-memory.dmp

Filesize
3.3MB

Download
memory/4724-63-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/4724-55-0x0000000002F30000-0x0000000002F66000-memory.dmp

Filesize
216KB

Download
memory/4724-62-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/4724-57-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4724-58-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/4724-59-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/4724-60-0x0000000005C40000-0x000000000626A000-memory.dmp

Filesize
6.2MB

Download
memory/4724-61-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/4892-2-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-21-0x0000000006880000-0x0000000006980000-memory.dmp

Filesize
1024KB

Download
memory/4892-4-0x0000000005C40000-0x00000000061E6000-memory.dmp

Filesize
5.6MB

Download
memory/4892-52-0x0000000006A20000-0x0000000006AB2000-memory.dmp

Filesize
584KB

Download
memory/4892-50-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-0-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4892-49-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-3-0x00000000054A0000-0x000000000553C000-memory.dmp

Filesize
624KB

Download
memory/4892-48-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-5-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4892-6-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-7-0x00000000071F0000-0x000000000748C000-memory.dmp

Filesize
2.6MB

Download
memory/4892-53-0x00000000065A0000-0x00000000065C0000-memory.dmp

Filesize
128KB

Download
memory/4892-56-0x0000000074DB0000-0x0000000075561000-memory.dmp

Filesize
7.7MB

Download
memory/4892-17-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-9-0x0000000007490000-0x00000000077E7000-memory.dmp

Filesize
3.3MB

Download
memory/4892-10-0x00000000061F0000-0x0000000006382000-memory.dmp

Filesize
1.6MB

Download
memory/4892-16-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-8-0x0000000007870000-0x0000000007C4A000-memory.dmp

Filesize
3.9MB

Download
memory/4892-20-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-19-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/4892-18-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-24-0x0000000006880000-0x0000000006980000-memory.dmp

Filesize
1024KB

Download
memory/4892-22-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-23-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/4892-1-0x0000000000360000-0x0000000000A70000-memory.dmp

Filesize
7.1MB

Download