zgrat | 3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21

General

Target

8EA200D639611B48B5EEC7973C69ED3C.exe
Size

1.6MB
MD5

8ea200d639611b48b5eec7973c69ed3c
SHA1

a1013b8ee4115f2cba29787eded20e5e6079b3c0
SHA256

3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21
SHA512

53b24b0f2a0e9047e7f672f8c7dada1ac1f6ab15aa6976515dcca8cfc03afa1bd3fbf788475c9b7d5f8617ad70b32a7974f8f2bd77c9f6c79bcd3b30cdd6763e
SSDEEP

24576:PD9R6DRIuUt0HfUXl+L83+uNhK5ewp6Y9Ly2KUVvqBML1dSk/uyEklP8/0:PDilCH3RNhqewp/92zUMBMOSIkl

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/4504-0-0x0000000000550000-0x00000000006E8000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023293-13.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	8EA200D639611B48B5EEC7973C69ED3C.exe

Executes dropped EXE 1 IoCs

pid	Process
4628	SearchApp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\SearchApp.exe	8EA200D639611B48B5EEC7973C69ED3C.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\38384e6a620884	8EA200D639611B48B5EEC7973C69ED3C.exe
File created	C:\Program Files\dotnet\shared\TextInputHost.exe	8EA200D639611B48B5EEC7973C69ED3C.exe
File created	C:\Program Files\dotnet\shared\22eafd247d37c3	8EA200D639611B48B5EEC7973C69ED3C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	8EA200D639611B48B5EEC7973C69ED3C.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4504	8EA200D639611B48B5EEC7973C69ED3C.exe
4628	SearchApp.exe
4628	SearchApp.exe
4628	SearchApp.exe
4628	SearchApp.exe
4628	SearchApp.exe
4628	SearchApp.exe
4628	SearchApp.exe
4628	SearchApp.exe
4628	SearchApp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4628	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	8EA200D639611B48B5EEC7973C69ED3C.exe
Token: SeDebugPrivilege	4628	SearchApp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4084	4504	8EA200D639611B48B5EEC7973C69ED3C.exe	91
PID 4504 wrote to memory of 4084	4504	8EA200D639611B48B5EEC7973C69ED3C.exe	91
PID 4084 wrote to memory of 1324	4084	cmd.exe	93
PID 4084 wrote to memory of 1324	4084	cmd.exe	93
PID 4084 wrote to memory of 324	4084	cmd.exe	94
PID 4084 wrote to memory of 324	4084	cmd.exe	94
PID 4084 wrote to memory of 4628	4084	cmd.exe	97
PID 4084 wrote to memory of 4628	4084	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\8EA200D639611B48B5EEC7973C69ED3C.exe
"C:\Users\Admin\AppData\Local\Temp\8EA200D639611B48B5EEC7973C69ED3C.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JAFV2JOcd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1324
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:324
- - C:\Recovery\WindowsRE\SearchApp.exe
    "C:\Recovery\WindowsRE\SearchApp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\SearchApp.exe

Filesize
1.6MB

MD5
8ea200d639611b48b5eec7973c69ed3c

SHA1
a1013b8ee4115f2cba29787eded20e5e6079b3c0

SHA256
3bcaee9fbb27f5b111fc1bab7ddf995662d0f1bd7251f788cf61e470a663bc21

SHA512
53b24b0f2a0e9047e7f672f8c7dada1ac1f6ab15aa6976515dcca8cfc03afa1bd3fbf788475c9b7d5f8617ad70b32a7974f8f2bd77c9f6c79bcd3b30cdd6763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JAFV2JOcd.bat

Filesize
211B

MD5
f03d7c9ee8ff271fae15725b4521dce4

SHA1
e23a6f30469962b7b171f36acb56963682a0c0a6

SHA256
42cbc2c1ec8bac5175702a7462741ede47693c283e27a915def630c0fa133a53

SHA512
17e40b502fb99ca3fc717a9df8b2a80586968af11abdc9bef5f6d704fffd81a34f8b6abd709dadd045fcfb306ac7ebe45c2b2b0e36fea96041f668646431228d

Download Submit
memory/4504-3-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4504-0-0x0000000000550000-0x00000000006E8000-memory.dmp

Filesize
1.6MB

Download
memory/4504-2-0x000000001B690000-0x000000001B6A0000-memory.dmp

Filesize
64KB

Download
memory/4504-20-0x000000001B400000-0x000000001B456000-memory.dmp

Filesize
344KB

Download
memory/4504-1-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

Filesize
10.8MB

Download
memory/4504-22-0x00007FF9872D0000-0x00007FF987D91000-memory.dmp

Filesize
10.8MB

Download
memory/4628-26-0x00007FF986AC0000-0x00007FF987581000-memory.dmp

Filesize
10.8MB

Download
memory/4628-27-0x000000001B360000-0x000000001B370000-memory.dmp

Filesize
64KB

Download
memory/4628-28-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4628-29-0x000000001B360000-0x000000001B370000-memory.dmp

Filesize
64KB

Download
memory/4628-30-0x00007FF986AC0000-0x00007FF987581000-memory.dmp

Filesize
10.8MB

Download
memory/4628-31-0x000000001B360000-0x000000001B370000-memory.dmp

Filesize
64KB

Download
memory/4628-32-0x000000001B360000-0x000000001B370000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing