zgrat | 7c97de359b3788f96bdf5f96ca32222997e58d30fc66bec7cc09ed677c2b5cb8

Resubmissions

29-04-2024 23:03

240429-215bwsdf2t 10

29-04-2024 22:56

240429-2wntcade5z 10

Analysis

max time kernel
18s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 22:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

29e2855576ec4417c8a639d62d9208d6.exe
Size

1.6MB
MD5

29e2855576ec4417c8a639d62d9208d6
SHA1

6310c6a5c3f6391638774b582bb2a249dc532c7f
SHA256

7c97de359b3788f96bdf5f96ca32222997e58d30fc66bec7cc09ed677c2b5cb8
SHA512

86e3979b4221c1a5916a4ad176ae1a12ebd9f306597c725acdb5bb346c0a0837eb5b733d4fe44a5442faa1e9cbfc86aed1dff6d528833826df16cdd866a0d4a2
SSDEEP

24576:PlhKoLLcuRdxPWwOfGlHrUgRURSbVZT8YrvKo9+T6BZ2/Y+K/NB8ohtAq:HzcifO0rUtSbxNBDpNBLA

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/648-0-0x0000000000DC0000-0x0000000000F58000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000a000000023b8b-13.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	29e2855576ec4417c8a639d62d9208d6.exe

Executes dropped EXE 1 IoCs

pid	Process
2444	lsass.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Provisioning\Cosa\Microsoft\fontdrvhost.exe	29e2855576ec4417c8a639d62d9208d6.exe
File created	C:\Windows\Provisioning\Cosa\Microsoft\5b884080fd4f94	29e2855576ec4417c8a639d62d9208d6.exe
File created	C:\Windows\Boot\PCAT\RuntimeBroker.exe	29e2855576ec4417c8a639d62d9208d6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	29e2855576ec4417c8a639d62d9208d6.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe
648	29e2855576ec4417c8a639d62d9208d6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	648	29e2855576ec4417c8a639d62d9208d6.exe
Token: SeDebugPrivilege	2444	lsass.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 3224	648	29e2855576ec4417c8a639d62d9208d6.exe	83
PID 648 wrote to memory of 3224	648	29e2855576ec4417c8a639d62d9208d6.exe	83
PID 3224 wrote to memory of 3016	3224	cmd.exe	85
PID 3224 wrote to memory of 3016	3224	cmd.exe	85
PID 3224 wrote to memory of 2520	3224	cmd.exe	86
PID 3224 wrote to memory of 2520	3224	cmd.exe	86
PID 3224 wrote to memory of 2444	3224	cmd.exe	90
PID 3224 wrote to memory of 2444	3224	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\29e2855576ec4417c8a639d62d9208d6.exe
"C:\Users\Admin\AppData\Local\Temp\29e2855576ec4417c8a639d62d9208d6.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wY8jobNDYB.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3016
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2520
- - C:\Recovery\WindowsRE\lsass.exe
    "C:\Recovery\WindowsRE\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KWBHRiM3K6.bat"
      4⤵
      PID:4228
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:776
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KWBHRiM3K6.bat

Filesize
207B

MD5
6a5b03e26cc93e42f74aa2d4505c75ab

SHA1
56ad83c3145d1412ae714d3dfaab4a67eaacbe4d

SHA256
6a08bcff8c1250d35a965311b4c5bda309572ee2693f9e41b315ba47ceced96e

SHA512
001883b0693da50b6039110b5669c35999488dee8de44cd4dce045a8944eb196a35b25bd05f2d7191369493dfb214d7685ed56d0fb62b3963d4da324d02e02cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wY8jobNDYB.bat

Filesize
207B

MD5
42a93f700c62450ebb92a4b617fd03cd

SHA1
1e762ad95f1630abdef591e0627724ec3f205940

SHA256
06010abca82ddefe62e7d8589b3b66cab0b289c26ee69def3d635becb1bfbb56

SHA512
3be3cb7ee8b0e22dfc81c65f88e7853485b686b617cd71ebab44d031819e9e8ceb52e5b2c56603bb34f9d1420dd414e5c281fc188c90380d876d537f106b7047

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.6MB

MD5
29e2855576ec4417c8a639d62d9208d6

SHA1
6310c6a5c3f6391638774b582bb2a249dc532c7f

SHA256
7c97de359b3788f96bdf5f96ca32222997e58d30fc66bec7cc09ed677c2b5cb8

SHA512
86e3979b4221c1a5916a4ad176ae1a12ebd9f306597c725acdb5bb346c0a0837eb5b733d4fe44a5442faa1e9cbfc86aed1dff6d528833826df16cdd866a0d4a2

Download Submit
memory/648-0-0x0000000000DC0000-0x0000000000F58000-memory.dmp

Filesize
1.6MB

Download
memory/648-3-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/648-2-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/648-1-0x00007FF881CB0000-0x00007FF882771000-memory.dmp

Filesize
10.8MB

Download
memory/648-21-0x00007FF881CB0000-0x00007FF882771000-memory.dmp

Filesize
10.8MB

Download
memory/2444-25-0x00007FF881CB0000-0x00007FF882771000-memory.dmp

Filesize
10.8MB

Download
memory/2444-26-0x000000001BD70000-0x000000001BD71000-memory.dmp

Filesize
4KB

Download
memory/2444-32-0x00007FF881CB0000-0x00007FF882771000-memory.dmp

Filesize
10.8MB

Download