zgrat | a5b0d190fc09cd5c1ea07fa6b12a7dd4ab5f517c778fb60e4e14060e00ddecc8

General

Target

Fzonsvup.exe
Size

633KB
MD5

1c762a2cd186f1cde4b9e5d743eca3b5
SHA1

a0eff9fa7b5ada96c8acf483de9519a9e2548d80
SHA256

a5b0d190fc09cd5c1ea07fa6b12a7dd4ab5f517c778fb60e4e14060e00ddecc8
SHA512

d43eec5905f9715c6b342232c2432ba1e91abe4ee514ccdc45706a7ffede2a1cf5589c0da7a0f5d6c70a8a26afad9394aa93222f475be4797607d7c0208d154a
SSDEEP

12288:NgJ7AuurlRyI4mfcYmFlEBJo8S21j7YIwIPfZ3FjILSdAsBJWWZ8lz/:NgJ7ABrlCTBFlEBJNYpIZ3Fw0AEJWWZM

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2132-3-0x000000001B8D0000-0x000000001B9D4000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Target.exeyormgzrwlry.exe

pid process

2508 Target.exe
2728 yormgzrwlry.exe
Loads dropped DLL 7 IoCs

Processes:

taskeng.exeTarget.exeWerFault.exe

pid process

2652 taskeng.exe
2508 Target.exe
1636 WerFault.exe
1636 WerFault.exe
1636 WerFault.exe
1636 WerFault.exe
1636 WerFault.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Target.exe

pid process

2508 Target.exe
2508 Target.exe
2508 Target.exe
2508 Target.exe
2508 Target.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Fzonsvup.exeTarget.exeyormgzrwlry.exe

description pid process

Token: SeDebugPrivilege 2132 Fzonsvup.exe
Token: SeDebugPrivilege 2508 Target.exe
Token: SeDebugPrivilege 2728 yormgzrwlry.exe

pid	process
2508	Target.exe
2728	yormgzrwlry.exe

pid	process
2652	taskeng.exe
2508	Target.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe

pid	process
2508	Target.exe
2508	Target.exe
2508	Target.exe
2508	Target.exe
2508	Target.exe

description	pid	process
Token: SeDebugPrivilege	2132	Fzonsvup.exe
Token: SeDebugPrivilege	2508	Target.exe
Token: SeDebugPrivilege	2728	yormgzrwlry.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

taskeng.exeTarget.exeyormgzrwlry.exe

description	pid	process	target process
PID 2652 wrote to memory of 2508	2652	taskeng.exe	Target.exe
PID 2652 wrote to memory of 2508	2652	taskeng.exe	Target.exe
PID 2652 wrote to memory of 2508	2652	taskeng.exe	Target.exe
PID 2508 wrote to memory of 2728	2508	Target.exe	yormgzrwlry.exe
PID 2508 wrote to memory of 2728	2508	Target.exe	yormgzrwlry.exe
PID 2508 wrote to memory of 2728	2508	Target.exe	yormgzrwlry.exe
PID 2728 wrote to memory of 1636	2728	yormgzrwlry.exe	WerFault.exe
PID 2728 wrote to memory of 1636	2728	yormgzrwlry.exe	WerFault.exe
PID 2728 wrote to memory of 1636	2728	yormgzrwlry.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fzonsvup.exe
"C:\Users\Admin\AppData\Local\Temp\Fzonsvup.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\taskeng.exe
taskeng.exe {58B22CD6-81AD-4A1D-9648-76824F31A48F} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe
  C:\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\yormgzrwlry.exe
    "C:\Users\Admin\AppData\Local\Temp\yormgzrwlry.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2728 -s 604
      4⤵
      Loads dropped DLL
      PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\yormgzrwlry.exe

Filesize
2.9MB

MD5
f561ee026ad652bed5d2dbca19b0f6da

SHA1
42a9d231a9c44331ac6f6327de9e3fa7d796c3d4

SHA256
c35d5fb22d47e276e38fde699fc3b1e88e60a708d85b6ebea69815dec5d4883e

SHA512
52de39805c40f30f2ab7aebd6f143cc1d5ecd6bb95b767a45d4c212f48ee16df6425309463d2cc8703dfa0cb796b42fafb75dfd7836f65ee09e13c9318c31e4e

Download Submit
\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe

Filesize
633KB

MD5
1c762a2cd186f1cde4b9e5d743eca3b5

SHA1
a0eff9fa7b5ada96c8acf483de9519a9e2548d80

SHA256
a5b0d190fc09cd5c1ea07fa6b12a7dd4ab5f517c778fb60e4e14060e00ddecc8

SHA512
d43eec5905f9715c6b342232c2432ba1e91abe4ee514ccdc45706a7ffede2a1cf5589c0da7a0f5d6c70a8a26afad9394aa93222f475be4797607d7c0208d154a

Download Submit
memory/2132-0-0x000000013F870000-0x000000013F912000-memory.dmp

Filesize
648KB

Download
memory/2132-1-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2132-2-0x000000001B850000-0x000000001B8D0000-memory.dmp

Filesize
512KB

Download
memory/2132-3-0x000000001B8D0000-0x000000001B9D4000-memory.dmp

Filesize
1.0MB

Download
memory/2132-4-0x0000000002100000-0x0000000002156000-memory.dmp

Filesize
344KB

Download
memory/2132-5-0x0000000002160000-0x00000000021AC000-memory.dmp

Filesize
304KB

Download
memory/2132-6-0x000000001B7E0000-0x000000001B834000-memory.dmp

Filesize
336KB

Download
memory/2132-9-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-17-0x000000001B580000-0x000000001B600000-memory.dmp

Filesize
512KB

Download
memory/2508-34-0x000000001B580000-0x000000001B600000-memory.dmp

Filesize
512KB

Download
memory/2508-16-0x000000001B580000-0x000000001B600000-memory.dmp

Filesize
512KB

Download
memory/2508-18-0x000000001B580000-0x000000001B600000-memory.dmp

Filesize
512KB

Download
memory/2508-19-0x000000001B580000-0x000000001B600000-memory.dmp

Filesize
512KB

Download
memory/2508-14-0x000000013FF70000-0x0000000140012000-memory.dmp

Filesize
648KB

Download
memory/2508-36-0x000000001B580000-0x000000001B600000-memory.dmp

Filesize
512KB

Download
memory/2508-35-0x000000001B580000-0x000000001B600000-memory.dmp

Filesize
512KB

Download
memory/2508-15-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-33-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-27-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download
memory/2728-26-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-25-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/2728-37-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-38-0x000000001B100000-0x000000001B180000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing