zgrat | 1f36770f712ddc39232583723f0c43d4f11d680fae143f79a8158d6a0f015702

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f36770f712ddc39232583723f0c43d4f11d680fae143f79a8158d6a0f015702.exe
Size

1.9MB
MD5

2f12651489989cc02775433ade30799c
SHA1

e07f6c5cddc29edce812fa42724f07f565a7728f
SHA256

1f36770f712ddc39232583723f0c43d4f11d680fae143f79a8158d6a0f015702
SHA512

ac42fbdf5425a4cfe37af4931a0fcb3733f74e7869b45fff7ba1bf1e8b33ffa8fe2b93980fc0a0d5b3b59e38e33a7cbc597fc28a22b9aa5afac7e29b14f2cd49
SSDEEP

49152:IBJunqwC2ZpjeWCeemRYiEtOCTpdBAeeAY:yOGqdeWx6iMOCTpded

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x0031000000015d24-9.dat	family_zgrat_v1
behavioral1/memory/2520-13-0x00000000009F0000-0x0000000000BFC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2732-47-0x0000000001220000-0x000000000142C000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2876	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2876	schtasks.exe	32

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

resource	yara_rule
behavioral1/files/0x0031000000015d24-9.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2520-13-0x00000000009F0000-0x0000000000BFC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2732-47-0x0000000001220000-0x000000000142C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 2 IoCs

pid	Process
2520	mscom.exe
2732	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2584	cmd.exe
2584	cmd.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\services.exe	mscom.exe
File opened for modification	C:\Program Files\Windows Portable Devices\services.exe	mscom.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	mscom.exe
File created	C:\Program Files\7-Zip\Lang\services.exe	mscom.exe
File created	C:\Program Files\7-Zip\Lang\c5b4cb5e9653cc	mscom.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Panther\UnattendGC\services.exe	mscom.exe
File created	C:\Windows\Panther\UnattendGC\c5b4cb5e9653cc	mscom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2192	schtasks.exe
1536	schtasks.exe
1720	schtasks.exe
1644	schtasks.exe
1500	schtasks.exe
1860	schtasks.exe
1844	schtasks.exe
1556	schtasks.exe
2384	schtasks.exe
2120	schtasks.exe
1868	schtasks.exe
1028	schtasks.exe
760	schtasks.exe
2152	schtasks.exe
1668	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
840	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe
2520	mscom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	mscom.exe
Token: SeDebugPrivilege	2732	services.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	services.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3048	2204	1f36770f712ddc39232583723f0c43d4f11d680fae143f79a8158d6a0f015702.exe	28
PID 2204 wrote to memory of 3048	2204	1f36770f712ddc39232583723f0c43d4f11d680fae143f79a8158d6a0f015702.exe	28
PID 2204 wrote to memory of 3048	2204	1f36770f712ddc39232583723f0c43d4f11d680fae143f79a8158d6a0f015702.exe	28
PID 2204 wrote to memory of 3048	2204	1f36770f712ddc39232583723f0c43d4f11d680fae143f79a8158d6a0f015702.exe	28
PID 3048 wrote to memory of 2584	3048	WScript.exe	29
PID 3048 wrote to memory of 2584	3048	WScript.exe	29
PID 3048 wrote to memory of 2584	3048	WScript.exe	29
PID 3048 wrote to memory of 2584	3048	WScript.exe	29
PID 2584 wrote to memory of 2520	2584	cmd.exe	31
PID 2584 wrote to memory of 2520	2584	cmd.exe	31
PID 2584 wrote to memory of 2520	2584	cmd.exe	31
PID 2584 wrote to memory of 2520	2584	cmd.exe	31
PID 2520 wrote to memory of 1420	2520	mscom.exe	48
PID 2520 wrote to memory of 1420	2520	mscom.exe	48
PID 2520 wrote to memory of 1420	2520	mscom.exe	48
PID 1420 wrote to memory of 1364	1420	cmd.exe	50
PID 1420 wrote to memory of 1364	1420	cmd.exe	50
PID 1420 wrote to memory of 1364	1420	cmd.exe	50
PID 1420 wrote to memory of 840	1420	cmd.exe	51
PID 1420 wrote to memory of 840	1420	cmd.exe	51
PID 1420 wrote to memory of 840	1420	cmd.exe	51
PID 1420 wrote to memory of 2732	1420	cmd.exe	52
PID 1420 wrote to memory of 2732	1420	cmd.exe	52
PID 1420 wrote to memory of 2732	1420	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f36770f712ddc39232583723f0c43d4f11d680fae143f79a8158d6a0f015702.exe
"C:\Users\Admin\AppData\Local\Temp\1f36770f712ddc39232583723f0c43d4f11d680fae143f79a8158d6a0f015702.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\perfNet\3avxEvz443e8fK5hO0euPJUAURE3dMdoo4.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\perfNet\2Ry7Kk5ZsbIxjy4EHSdRm6lA5qf0cEB8qgrvpCqSPa.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\perfNet\mscom.exe
      "C:\perfNet/mscom.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oyy1S0ZviZ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1364
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:840
      - C:\Program Files\Windows Portable Devices\services.exe
        
        "C:\Program Files\Windows Portable Devices\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\perfNet\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\perfNet\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\perfNet\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\UnattendGC\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\UnattendGC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oyy1S0ZviZ.bat

Filesize
182B

MD5
e0743b00187b9e20b1424fd360cd4442

SHA1
7145b2c07f1311ef021906aef6e16bba4c6fc5ac

SHA256
cc398c5c0983b1d4576af8d0e807ce3539db120f36e0fa3814a252fca7399727

SHA512
c585f07af97cd56b7bb484a784bd97688f1f5d18fffeda81cba850c848b164143b8f92fcfd0e458e26d2f201283812f8776edd848dc642974f8b95e2f00f5e47

Download Submit
C:\perfNet\2Ry7Kk5ZsbIxjy4EHSdRm6lA5qf0cEB8qgrvpCqSPa.bat

Filesize
80B

MD5
ec8794c7e2e95913910fbd015673af21

SHA1
b78fcf173a7c04c6e380f43f46994427ba34facb

SHA256
af0e1c35fb89eeb787d8a66e95850e16c3e4101c08bd405429e4818a878b2010

SHA512
b99cf41f8b4806397e2a17889b687a7b91366e917aaad00b2dd3fa1819fe0bef68699d01f9b14208ad76d35e9310e79c5137ceed58d9f5a1609ac89e7b36b730

Download Submit
C:\perfNet\3avxEvz443e8fK5hO0euPJUAURE3dMdoo4.vbe

Filesize
228B

MD5
93b1feeffa519c911b37d8f6b71a4365

SHA1
d09a173ce2653fe61efd5e35fcbc8ddc10f2218a

SHA256
3a47a541817337a14cd5873cf8c1cfb8f229ef192e92a657335cc90a896a738d

SHA512
1ddacbbec74946869ec67a1275866096f007443993909499e89b064e3adfee69f77f187578c6d55b86ec0820ecdbe08119b9899317c8e1e5202396240aeaeed2

Download Submit
\perfNet\mscom.exe

Filesize
2.0MB

MD5
9de6f58850c3f3e04cd1d7a836cf9094

SHA1
cd08f280a6a5b65fa96421b1111ba0e4a01e3ce0

SHA256
278b07211495ebf53014aeee5241b246a2aa5273e39150e625d9a6b9c04d419d

SHA512
ec5540950c861d5cb0e43d133e4c7376dae04b91afcae791f3fa4489fc8f5e9c65b55d9e34dd196ea8c715a4a72af96a98e93d31f52e63c81539b92fba5935e5

Download Submit
memory/2520-19-0x0000000000470000-0x0000000000488000-memory.dmp

Filesize
96KB

Download
memory/2520-17-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2520-15-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2520-21-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2520-23-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2520-25-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2520-27-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2520-29-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2520-13-0x00000000009F0000-0x0000000000BFC000-memory.dmp

Filesize
2.0MB

Download
memory/2732-47-0x0000000001220000-0x000000000142C000-memory.dmp

Filesize
2.0MB

Download