zgrat | fed9532d889a3bd4b334723d2cb24a10092849b909b98b9d05f7a9406f52eb6e

General

Target

DCRatBuild.exe
Size

1.9MB
MD5

7abdb3ff3b9522408a34c7e5e446eb9e
SHA1

2d75a1467e5492178c0d6b61aaacb947077a2f34
SHA256

fed9532d889a3bd4b334723d2cb24a10092849b909b98b9d05f7a9406f52eb6e
SHA512

07d12c5aede0dbb0023a92f2fdb8abb87e8356a72f6f5205b45c7995d8769fcfd1eea494e1487b037add693034b49e746cf1d09cf1834a2b6fccf7ec3f49a71a
SSDEEP

24576:2TbBv5rUyXVn5NfDu8W7Yqe7KA/cKI3a/WsmZG/5wyO4BHyXb2LCTVYa7nMuU3F7:IBJ5Na8WcHZssaG/6+SLEgoM/M4QnL1

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002342c-10.dat	family_zgrat_v1
behavioral2/memory/5056-12-0x0000000000230000-0x00000000003C8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	blockportserver.exe

Executes dropped EXE 2 IoCs

pid	Process
5056	blockportserver.exe
1532	upfc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe	blockportserver.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\9e8d7a4ca61bd9	blockportserver.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\SQM\dllhost.exe	blockportserver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	blockportserver.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2868	PING.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
5056	blockportserver.exe
1532	upfc.exe
1532	upfc.exe
1532	upfc.exe
1532	upfc.exe
1532	upfc.exe
1532	upfc.exe
1532	upfc.exe
1532	upfc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1532	upfc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	blockportserver.exe
Token: SeDebugPrivilege	1532	upfc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1616	3052	DCRatBuild.exe	83
PID 3052 wrote to memory of 1616	3052	DCRatBuild.exe	83
PID 3052 wrote to memory of 1616	3052	DCRatBuild.exe	83
PID 1616 wrote to memory of 2392	1616	WScript.exe	88
PID 1616 wrote to memory of 2392	1616	WScript.exe	88
PID 1616 wrote to memory of 2392	1616	WScript.exe	88
PID 2392 wrote to memory of 5056	2392	cmd.exe	90
PID 2392 wrote to memory of 5056	2392	cmd.exe	90
PID 5056 wrote to memory of 4436	5056	blockportserver.exe	91
PID 5056 wrote to memory of 4436	5056	blockportserver.exe	91
PID 4436 wrote to memory of 1456	4436	cmd.exe	93
PID 4436 wrote to memory of 1456	4436	cmd.exe	93
PID 4436 wrote to memory of 2868	4436	cmd.exe	94
PID 4436 wrote to memory of 2868	4436	cmd.exe	94
PID 4436 wrote to memory of 1532	4436	cmd.exe	95
PID 4436 wrote to memory of 1532	4436	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Chainperfnetcommon\pKoQVEExJLsdb7SQwjSZ7f6gXBmc7fp.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Chainperfnetcommon\RD58Lnhi.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Chainperfnetcommon\blockportserver.exe
      "C:\Chainperfnetcommon/blockportserver.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1BvsbKsI2N.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4436
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1456
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2868
      - C:\Chainperfnetcommon\upfc.exe
        
        "C:\Chainperfnetcommon\upfc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Chainperfnetcommon\RD58Lnhi.bat

Filesize
77B

MD5
8507114752a46e6f20eadd1ea30cf65f

SHA1
3ca2c354ca8db72e768fb5781f714b9b17b41b95

SHA256
dde1c2987bcb7765ca4fff9d693cfeec7948027800eaa4178522dbf68c36fd43

SHA512
379ba3095964eef30b67781fa28941344f70a17d9c9d997a5b5f1f82f120c868c900255e2b981e7fdd96d9d14f7e7efaa75f7077373d2e5e5bcf4d36cc367bd2

Download Submit
C:\Chainperfnetcommon\blockportserver.exe

Filesize
1.6MB

MD5
42b89f14d26a9833ecd2ad4c984fb2d4

SHA1
65be4eb93e2802ee07f0f57ba436bcd44b4a172a

SHA256
1392ac924d80024164414964f0f93721a55b7500b58df2b557495fed1682b1ad

SHA512
e7d8357d4a9e497a268797514d60f2c301da0896f9ed53c1eaed17c13a6f2af9e878667dba30f653a0a7b7f8221383413dafcc2fc889eab6d1ebdd88836b07f0

Download Submit
C:\Chainperfnetcommon\pKoQVEExJLsdb7SQwjSZ7f6gXBmc7fp.vbe

Filesize
204B

MD5
7c1f9061bb5096ccbee09b0f07f5e0f2

SHA1
a025a0c1a71423b2a2c9995bcc91bf4e7585e06e

SHA256
137a2a52e6ae961ed935ec31bfc291ddc653bc22c7955a7aef3c91bc7241a249

SHA512
dd6cd561635481c8ef85271a25f12b0c364dc5fbb54231fd072634c1f42615c5b599710fdfee2ba3306de98d37b63ad33e8a7079c0bdbceea845b462d058caf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1BvsbKsI2N.bat

Filesize
158B

MD5
933628ce48034441c6b7188a04467eb2

SHA1
8d81d4b150f8b14db2303448032d3ac76e27a26b

SHA256
f875294a1c8709f11035425b6ea4f4c54303658f0b74c84e609b46322223afaa

SHA512
f343c52a112d5e9285a7d972f26eadfc6395a6b9059ddc62495f777308498cbb48da3074a89ea48e0d00289d37aee10371f30988ea20a5a4314ae39393b725c5

Download Submit
memory/5056-12-0x0000000000230000-0x00000000003C8000-memory.dmp

Filesize
1.6MB

Download
memory/5056-13-0x00007FFE76EB0000-0x00007FFE77971000-memory.dmp

Filesize
10.8MB

Download
memory/5056-30-0x00007FFE76EB0000-0x00007FFE77971000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing