Malware Analysis Report

2024-11-15 08:31

Sample ID 240404-1wz1yaca45
Target tmp
SHA256 d3caae4b8590d11875173d4500b553816949c55042ed95c3c0a5327fc8d7e3f5
Tags
zgrat agilenet evasion rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d3caae4b8590d11875173d4500b553816949c55042ed95c3c0a5327fc8d7e3f5

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

zgrat agilenet evasion rat trojan

ZGRat

Detect ZGRat V1

UAC bypass

Drops startup file

Obfuscated with Agile.Net obfuscator

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 22:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 22:00

Reported

2024-04-04 22:03

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

ZGRat

rat zgrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\tmp.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe' -Force

Network

Country Destination Domain Proto
NL 41.216.183.45:39001 tcp
US 8.8.8.8:53 filebin.net udp
DE 88.99.137.18:443 filebin.net tcp

Files

memory/1736-0-0x000000013F9D0000-0x000000013FAA8000-memory.dmp

memory/1736-1-0x000007FEF5370000-0x000007FEF5D5C000-memory.dmp

memory/1736-2-0x000000001BC40000-0x000000001BF22000-memory.dmp

memory/1736-3-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-4-0x0000000000780000-0x000000000079C000-memory.dmp

memory/1736-5-0x00000000007E0000-0x0000000000828000-memory.dmp

memory/1736-6-0x0000000000760000-0x0000000000768000-memory.dmp

memory/1736-7-0x0000000002130000-0x00000000021D6000-memory.dmp

memory/1736-8-0x0000000000950000-0x0000000000984000-memory.dmp

memory/1736-9-0x0000000002260000-0x00000000022AA000-memory.dmp

memory/1736-10-0x00000000007A0000-0x00000000007B6000-memory.dmp

memory/1736-11-0x000000001D560000-0x000000001D624000-memory.dmp

memory/1736-12-0x000000001BB00000-0x000000001BBA6000-memory.dmp

memory/1736-14-0x000000001BB00000-0x000000001BBA6000-memory.dmp

memory/3056-20-0x000000001B360000-0x000000001B642000-memory.dmp

memory/3056-21-0x00000000023A0000-0x00000000023A8000-memory.dmp

memory/1736-23-0x000000001EB90000-0x000000001EC32000-memory.dmp

memory/3056-24-0x000007FEECC80000-0x000007FEED61D000-memory.dmp

memory/3056-25-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/3056-27-0x000007FEECC80000-0x000007FEED61D000-memory.dmp

memory/3056-26-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/1736-28-0x000000001C400000-0x000000001C480000-memory.dmp

memory/3056-29-0x00000000028D4000-0x00000000028D7000-memory.dmp

memory/1736-32-0x0000000021A70000-0x0000000021B72000-memory.dmp

memory/1736-33-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-34-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-35-0x000000001C400000-0x000000001C480000-memory.dmp

memory/3056-31-0x00000000028DB000-0x0000000002942000-memory.dmp

memory/1736-30-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-36-0x000000001EA90000-0x000000001EAE6000-memory.dmp

memory/1736-37-0x000000001E640000-0x000000001E68C000-memory.dmp

memory/1736-38-0x000007FEF5370000-0x000007FEF5D5C000-memory.dmp

memory/1736-39-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-40-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-41-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-42-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-43-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-44-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-45-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-46-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-47-0x000000001C400000-0x000000001C480000-memory.dmp

memory/1736-48-0x000000001C400000-0x000000001C480000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-04 22:00

Reported

2024-04-04 22:03

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

ZGRat

rat zgrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1296 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
PID 1296 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe

"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\tmp.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe' -Force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2244,i,861925222566734100,5228329984880658054,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 167.161.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
IE 94.245.104.56:443 tcp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
GB 13.87.96.169:443 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 41.216.183.45:39001 tcp
US 8.8.8.8:53 45.183.216.41.in-addr.arpa udp
GB 13.87.96.169:443 tcp
US 8.8.8.8:53 filebin.net udp
DE 88.99.137.18:443 filebin.net tcp
US 8.8.8.8:53 18.137.99.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 179.110.86.104.in-addr.arpa udp
GB 51.140.244.186:443 tcp
US 8.8.8.8:53 145.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 184.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 225.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1296-0-0x0000000000290000-0x0000000000368000-memory.dmp

memory/1296-1-0x00007FFA09CB0000-0x00007FFA0A771000-memory.dmp

memory/1296-2-0x000000001DEF0000-0x000000001DF00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrpj5uyn.mn0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1296-12-0x000000001DE90000-0x000000001DEB2000-memory.dmp

memory/1296-13-0x000000001DEF0000-0x000000001DF00000-memory.dmp

memory/1296-14-0x0000000021550000-0x0000000021614000-memory.dmp

memory/1296-15-0x0000000021640000-0x00000000216E6000-memory.dmp

memory/1296-17-0x0000000023900000-0x00000000239A2000-memory.dmp

memory/4388-18-0x00007FFA09CB0000-0x00007FFA0A771000-memory.dmp

memory/4388-19-0x0000020AA0780000-0x0000020AA0790000-memory.dmp

memory/4388-21-0x0000020AA0780000-0x0000020AA0790000-memory.dmp

memory/1296-22-0x000000001DEF0000-0x000000001DF00000-memory.dmp

memory/1296-23-0x000000001DEF0000-0x000000001DF00000-memory.dmp

memory/1296-20-0x0000000024380000-0x0000000024482000-memory.dmp

memory/1296-24-0x000000001DEF0000-0x000000001DF00000-memory.dmp

memory/1296-35-0x0000000023AB0000-0x0000000023B06000-memory.dmp

memory/1296-36-0x0000000023CA0000-0x0000000023CEC000-memory.dmp

memory/4388-39-0x00007FFA09CB0000-0x00007FFA0A771000-memory.dmp

memory/1296-40-0x00007FFA09CB0000-0x00007FFA0A771000-memory.dmp

memory/1296-41-0x000000001DEF0000-0x000000001DF00000-memory.dmp

memory/1296-42-0x000000001DEF0000-0x000000001DF00000-memory.dmp

memory/1296-43-0x000000001DEF0000-0x000000001DF00000-memory.dmp

memory/1296-44-0x000000001DEF0000-0x000000001DF00000-memory.dmp

memory/1296-45-0x000000001DEF0000-0x000000001DF00000-memory.dmp