zgrat | bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d

Analysis

max time kernel
131s
max time network
143s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d.exe
Size

439KB
MD5

f76cb49209891942d2ca806020803edc
SHA1

1b1ff4a0d1113f28af22594ded0d903d1c18083f
SHA256

bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d
SHA512

36789735351332bc077aa5c0aeed728d2aca7cb4ad21d3c102e4ad5507a8a97775084b7d199c39d1deb36233d8cec7242aac464c4c619a92d76516ed1939b91c
SSDEEP

12288:CeOQHNSzWA5z9nmoKbNlYmF/wclabxQpgEHgFbqgBr:8QH0WA5z9nhg7YmF4claaJu

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/1900-3-0x000000001A770000-0x000000001A84C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-4-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-5-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-7-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-9-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-11-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-13-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-15-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-17-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-19-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-21-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-23-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-25-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-27-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-29-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-31-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-33-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-35-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-37-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-39-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-41-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-43-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-45-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-47-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-49-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-51-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-53-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-55-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-57-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-59-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-61-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-63-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-65-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1
behavioral1/memory/1900-67-0x000000001A770000-0x000000001A847000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d = "C:\\Users\\Admin\\AppData\\Roaming\\bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d.exe"	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1752	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d.exe
Token: SeDebugPrivilege	1752	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1752	1900	bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d.exe	29
PID 1900 wrote to memory of 1752	1900	bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d.exe	29
PID 1900 wrote to memory of 1752	1900	bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d.exe	29

C:\Users\Admin\AppData\Local\Temp\bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d.exe
"C:\Users\Admin\AppData\Local\Temp\bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d' -Value '"C:\Users\Admin\AppData\Roaming\bbd5434d44d406fa4b6b57a65248414e96a50b8000c2252552e2209fab06125d.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1752-6285-0x000007FEF22A0000-0x000007FEF2C3D000-memory.dmp

Filesize
9.6MB

Download
memory/1752-6286-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/1752-6287-0x000007FEF22A0000-0x000007FEF2C3D000-memory.dmp

Filesize
9.6MB

Download
memory/1752-6288-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/1752-6289-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/1752-6293-0x000007FEF22A0000-0x000007FEF2C3D000-memory.dmp

Filesize
9.6MB

Download
memory/1752-6292-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/1752-6290-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/1900-33-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-43-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-5-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-7-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-9-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-11-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-13-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-15-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-17-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-19-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-21-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-23-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-25-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-27-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-29-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-31-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-3-0x000000001A770000-0x000000001A84C000-memory.dmp

Filesize
880KB

Download
memory/1900-35-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-37-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-39-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-41-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-4-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-45-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-47-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-49-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-51-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-53-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-55-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-57-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-59-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-61-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-63-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-2-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/1900-65-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-67-0x000000001A770000-0x000000001A847000-memory.dmp

Filesize
860KB

Download
memory/1900-6278-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1900-6279-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/1900-6280-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/1900-6291-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/1900-1-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1900-0-0x0000000000360000-0x00000000003D4000-memory.dmp

Filesize
464KB

Download
memory/1900-6294-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download
memory/1900-6295-0x000000001AFD0000-0x000000001B050000-memory.dmp

Filesize
512KB

Download