zgrat | 913b985da938b934ff7a3174ba08045b21b7fac60748bc618dd34ecbc0b8b658

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a440481c46ddfcd031fa591392d1cfaa.exe
Size

2.3MB
MD5

a440481c46ddfcd031fa591392d1cfaa
SHA1

249d6439c00bcbe7cc0500b589fb45eb8deaeb85
SHA256

913b985da938b934ff7a3174ba08045b21b7fac60748bc618dd34ecbc0b8b658
SHA512

00a7665d217408efa90e223cff0f6a9a2672797657bda1acaf81da596adef1bff346f5aa557e93455cb3d9ec87d1594b3fe5e61f112cd20b6b0766d2511f0ae7
SSDEEP

49152:d5H9+Jlsn35Q9LLr4aUT8vHtePTN9DNyNTVGqlzC7Vnp:d5H9+IIIbyHte7DYNpzleVp

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/2364-0-0x0000000001290000-0x00000000014E0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000015e07-51.dat	family_zgrat_v1
behavioral1/memory/3064-61-0x0000000000940000-0x0000000000B90000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
3064	lsass.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe	a440481c46ddfcd031fa591392d1cfaa.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6cb0b6c459d5d3	a440481c46ddfcd031fa591392d1cfaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe
2364	a440481c46ddfcd031fa591392d1cfaa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	a440481c46ddfcd031fa591392d1cfaa.exe
Token: SeDebugPrivilege	3064	lsass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2596	2364	a440481c46ddfcd031fa591392d1cfaa.exe	28
PID 2364 wrote to memory of 2596	2364	a440481c46ddfcd031fa591392d1cfaa.exe	28
PID 2364 wrote to memory of 2596	2364	a440481c46ddfcd031fa591392d1cfaa.exe	28
PID 2596 wrote to memory of 2436	2596	cmd.exe	30
PID 2596 wrote to memory of 2436	2596	cmd.exe	30
PID 2596 wrote to memory of 2436	2596	cmd.exe	30
PID 2596 wrote to memory of 2444	2596	cmd.exe	31
PID 2596 wrote to memory of 2444	2596	cmd.exe	31
PID 2596 wrote to memory of 2444	2596	cmd.exe	31
PID 2596 wrote to memory of 3064	2596	cmd.exe	32
PID 2596 wrote to memory of 3064	2596	cmd.exe	32
PID 2596 wrote to memory of 3064	2596	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\a440481c46ddfcd031fa591392d1cfaa.exe
"C:\Users\Admin\AppData\Local\Temp\a440481c46ddfcd031fa591392d1cfaa.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epASOGWtut.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2436
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2444
- - C:\Recovery\1cc83c02-d10e-11ee-94d5-decc1f73fbe3\lsass.exe
    "C:\Recovery\1cc83c02-d10e-11ee-94d5-decc1f73fbe3\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\epASOGWtut.bat

Filesize
234B

MD5
b43126bb1d250fd46366ac57e1e93c80

SHA1
b635d93dc5be28390d53273e6400646ee3ac96d6

SHA256
4cfa0d67626f04cde8ad035f08e81dd23f1605d28b423336d090ac02cd7a1994

SHA512
5a24147fb39a36251ba69f0d5e6d2ffd1557308971c50e610d7395a1d03ad2a6af457dee3e9462e50dc769dccd9d1d538a4e6c0c7c62c5b237ca1cd62fb1e860

Download Submit
C:\Users\Admin\smss.exe

Filesize
2.3MB

MD5
a440481c46ddfcd031fa591392d1cfaa

SHA1
249d6439c00bcbe7cc0500b589fb45eb8deaeb85

SHA256
913b985da938b934ff7a3174ba08045b21b7fac60748bc618dd34ecbc0b8b658

SHA512
00a7665d217408efa90e223cff0f6a9a2672797657bda1acaf81da596adef1bff346f5aa557e93455cb3d9ec87d1594b3fe5e61f112cd20b6b0766d2511f0ae7

Download Submit
memory/2364-0-0x0000000001290000-0x00000000014E0000-memory.dmp

Filesize
2.3MB

Download
memory/2364-1-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-2-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2364-3-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2364-4-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2364-5-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/2364-6-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2364-8-0x0000000000A00000-0x0000000000A26000-memory.dmp

Filesize
152KB

Download
memory/2364-10-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/2364-11-0x0000000077290000-0x0000000077291000-memory.dmp

Filesize
4KB

Download
memory/2364-13-0x0000000000A30000-0x0000000000A4C000-memory.dmp

Filesize
112KB

Download
memory/2364-14-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2364-15-0x0000000077270000-0x0000000077271000-memory.dmp

Filesize
4KB

Download
memory/2364-17-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2364-19-0x0000000000A50000-0x0000000000A68000-memory.dmp

Filesize
96KB

Download
memory/2364-20-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/2364-21-0x0000000077250000-0x0000000077251000-memory.dmp

Filesize
4KB

Download
memory/2364-23-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/2364-25-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/2364-28-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/2364-27-0x00000000009F0000-0x00000000009FE000-memory.dmp

Filesize
56KB

Download
memory/2364-30-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2364-29-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/2364-31-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2364-34-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/2364-32-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/2364-35-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2364-37-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

Filesize
96KB

Download
memory/2364-38-0x0000000077210000-0x0000000077211000-memory.dmp

Filesize
4KB

Download
memory/2364-40-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2364-41-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2364-42-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2364-58-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-61-0x0000000000940000-0x0000000000B90000-memory.dmp

Filesize
2.3MB

Download
memory/3064-62-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-63-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3064-64-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/3064-65-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/3064-67-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/3064-68-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/3064-70-0x0000000077290000-0x0000000077291000-memory.dmp

Filesize
4KB

Download
memory/3064-72-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/3064-74-0x0000000077270000-0x0000000077271000-memory.dmp

Filesize
4KB

Download
memory/3064-76-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/3064-78-0x0000000077250000-0x0000000077251000-memory.dmp

Filesize
4KB

Download
memory/3064-83-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-84-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/3064-86-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/3064-87-0x0000000077210000-0x0000000077211000-memory.dmp

Filesize
4KB

Download
memory/3064-88-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/3064-89-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/3064-90-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/3064-91-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/3064-92-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download