zgrat | 3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21

General

Target

8EA200D639611B48B5EEC7973C69ED3C.exe
Size

1.6MB
MD5

8ea200d639611b48b5eec7973c69ed3c
SHA1

a1013b8ee4115f2cba29787eded20e5e6079b3c0
SHA256

3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21
SHA512

53b24b0f2a0e9047e7f672f8c7dada1ac1f6ab15aa6976515dcca8cfc03afa1bd3fbf788475c9b7d5f8617ad70b32a7974f8f2bd77c9f6c79bcd3b30cdd6763e
SSDEEP

24576:PD9R6DRIuUt0HfUXl+L83+uNhK5ewp6Y9Ly2KUVvqBML1dSk/uyEklP8/0:PDilCH3RNhqewp/92zUMBMOSIkl

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1724-0-0x0000000000B90000-0x0000000000D28000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000600000001744c-13.dat	family_zgrat_v1
behavioral1/memory/2376-23-0x0000000001000000-0x0000000001198000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
2376	sppsvc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe	8EA200D639611B48B5EEC7973C69ED3C.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\56085415360792	8EA200D639611B48B5EEC7973C69ED3C.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CSC\audiodg.exe	8EA200D639611B48B5EEC7973C69ED3C.exe
File created	C:\Windows\CSC\42af1c969fbb7b	8EA200D639611B48B5EEC7973C69ED3C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2488	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2376	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1724	8EA200D639611B48B5EEC7973C69ED3C.exe
1724	8EA200D639611B48B5EEC7973C69ED3C.exe
1724	8EA200D639611B48B5EEC7973C69ED3C.exe
1724	8EA200D639611B48B5EEC7973C69ED3C.exe
1724	8EA200D639611B48B5EEC7973C69ED3C.exe
1724	8EA200D639611B48B5EEC7973C69ED3C.exe
1724	8EA200D639611B48B5EEC7973C69ED3C.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	8EA200D639611B48B5EEC7973C69ED3C.exe
Token: SeDebugPrivilege	2376	sppsvc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2568	1724	8EA200D639611B48B5EEC7973C69ED3C.exe	28
PID 1724 wrote to memory of 2568	1724	8EA200D639611B48B5EEC7973C69ED3C.exe	28
PID 1724 wrote to memory of 2568	1724	8EA200D639611B48B5EEC7973C69ED3C.exe	28
PID 2568 wrote to memory of 2480	2568	cmd.exe	30
PID 2568 wrote to memory of 2480	2568	cmd.exe	30
PID 2568 wrote to memory of 2480	2568	cmd.exe	30
PID 2568 wrote to memory of 2488	2568	cmd.exe	31
PID 2568 wrote to memory of 2488	2568	cmd.exe	31
PID 2568 wrote to memory of 2488	2568	cmd.exe	31
PID 2568 wrote to memory of 2376	2568	cmd.exe	32
PID 2568 wrote to memory of 2376	2568	cmd.exe	32
PID 2568 wrote to memory of 2376	2568	cmd.exe	32
PID 2568 wrote to memory of 2376	2568	cmd.exe	32
PID 2568 wrote to memory of 2376	2568	cmd.exe	32
PID 2376 wrote to memory of 2840	2376	sppsvc.exe	33
PID 2376 wrote to memory of 2840	2376	sppsvc.exe	33
PID 2376 wrote to memory of 2840	2376	sppsvc.exe	33

C:\Users\Admin\AppData\Local\Temp\8EA200D639611B48B5EEC7973C69ED3C.exe
"C:\Users\Admin\AppData\Local\Temp\8EA200D639611B48B5EEC7973C69ED3C.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lOZZ8gDh0S.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2480
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2488
- - C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\sppsvc.exe
    "C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2376 -s 1156
      4⤵
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\sppsvc.exe

Filesize
1.6MB

MD5
8ea200d639611b48b5eec7973c69ed3c

SHA1
a1013b8ee4115f2cba29787eded20e5e6079b3c0

SHA256
3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21

SHA512
53b24b0f2a0e9047e7f672f8c7dada1ac1f6ab15aa6976515dcca8cfc03afa1bd3fbf788475c9b7d5f8617ad70b32a7974f8f2bd77c9f6c79bcd3b30cdd6763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOZZ8gDh0S.bat

Filesize
187B

MD5
659825d6641775f407293d5e947f3808

SHA1
1a5b74791007fe4e43207c0311e36a240ca379a2

SHA256
da730b963c7de92a2d5fe40a3337808dc18978f8416bb66b4248f207370bc19a

SHA512
375fe0142d7733f49d5071d7a0c6bd5c11d8d32f0dd4cb68436995255674fd288191347536b304bd299b16581c95532ac37626eb00cbc33619133b86ff0d69cf

Download Submit
memory/1724-20-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1724-2-0x000000001B550000-0x000000001B5D0000-memory.dmp

Filesize
512KB

Download
memory/1724-1-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-0-0x0000000000B90000-0x0000000000D28000-memory.dmp

Filesize
1.6MB

Download
memory/2376-23-0x0000000001000000-0x0000000001198000-memory.dmp

Filesize
1.6MB

Download
memory/2376-24-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-25-0x0000000000F60000-0x0000000000FE0000-memory.dmp

Filesize
512KB

Download
memory/2376-26-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2376-27-0x0000000000F60000-0x0000000000FE0000-memory.dmp

Filesize
512KB

Download
memory/2376-28-0x000007FEF5240000-0x000007FEF5C2C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-29-0x0000000000F60000-0x0000000000FE0000-memory.dmp

Filesize
512KB

Download
memory/2376-30-0x0000000000F60000-0x0000000000FE0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing