zgrat | 086bcb65380fa0e4d23c07fbff58863949f8158b87d07cd6eac6485d99b3bf0d

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe
Size

2.8MB
MD5

7f1e688e77760ad29c560404a2fb9d2f
SHA1

7c06e05c8e13d01df26653cbe12695af139c5854
SHA256

086bcb65380fa0e4d23c07fbff58863949f8158b87d07cd6eac6485d99b3bf0d
SHA512

e841524c36ec9f550bbd299fbd33bbf15587dde922c747ae719bea03c387e62bbb9a73fdee0188dfb1586cca5b9dc81745144e633ed3dcb661434ab1c87e393e
SSDEEP

49152:lAfXmQ/GT5+pDEuOwHLHE83/G9+SbSyCfHtl8/ioefjKxAd2jVAeIXT:2+4GT0OSL04Dl8/gcAsJAeIj

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4752-3-0x0000000005150000-0x0000000005384000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-6-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-7-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-9-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-11-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-13-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-15-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-17-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-19-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-21-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-23-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-25-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-27-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-29-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-31-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-33-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-35-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-37-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-39-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-41-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-43-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-45-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-47-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-49-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-51-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-53-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-55-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-57-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-59-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-61-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-63-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-65-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-67-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1
behavioral2/memory/4752-69-0x0000000005150000-0x000000000537E000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe

description pid process target process

PID 4752 set thread context of 1304 4752 SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe MSBuild.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4624 1304 WerFault.exe MSBuild.exe

description	pid	process	target process
PID 4752 set thread context of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe

pid	pid_target	process	target process
4624	1304	WerFault.exe	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe

description	pid	process
Token: SeDebugPrivilege	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe
Token: SeDebugPrivilege	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe

description	pid	process	target process
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe
PID 4752 wrote to memory of 1304	4752	SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CoinminerX-gen.23583.11262.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 192
    3⤵
    - Program crash
    PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1304 -ip 1304
1⤵
PID:3644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4752-0-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-1-0x00000000004E0000-0x00000000007B4000-memory.dmp

Filesize
2.8MB

Download
memory/4752-2-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/4752-3-0x0000000005150000-0x0000000005384000-memory.dmp

Filesize
2.2MB

Download
memory/4752-4-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/4752-5-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/4752-6-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-7-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-9-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-11-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-13-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-15-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-17-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-19-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-21-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-23-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-25-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-27-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-29-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-31-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-33-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-35-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-37-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-39-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-41-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-43-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-45-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-47-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-49-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-51-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-53-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-55-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-57-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-59-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-61-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-63-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-65-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-67-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-69-0x0000000005150000-0x000000000537E000-memory.dmp

Filesize
2.2MB

Download
memory/4752-1695-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-1880-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/4752-4888-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/4752-4889-0x0000000000E40000-0x0000000000EB0000-memory.dmp

Filesize
448KB

Download
memory/4752-4890-0x0000000000EB0000-0x0000000000EFC000-memory.dmp

Filesize
304KB

Download
memory/4752-4891-0x00000000056F0000-0x0000000005744000-memory.dmp

Filesize
336KB

Download
memory/4752-4903-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download