zgrat | e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf

Analysis

max time kernel
293s
max time network
291s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe
Size

1.8MB
MD5

a67fdb51541686d28c98b68b6bef896f
SHA1

9eb2a81d09bdc9a6a1cec563ec213d3bc21f353a
SHA256

e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf
SHA512

6085a8b96228c0837cf8659fe753857859ff3b834f10d73fc878146a2b736844ec70e7aca360b1f8d0ee288fa974fbf8ca15ac49a898bbe3b226854b03472c15
SSDEEP

49152:YI42I10MaEU0AFAjfzyrobPfo2yp0MIEq:YMv4zvyroETFIEq

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/216-21-0x0000000000E40000-0x0000000001200000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
3572	work.exe
216	podwal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs

pid	Process
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe
216	podwal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeBackupPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe
Token: SeSecurityPrivilege	216	podwal.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
216	podwal.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 2956	4892	e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe	73
PID 4892 wrote to memory of 2956	4892	e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe	73
PID 4892 wrote to memory of 2956	4892	e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe	73
PID 2956 wrote to memory of 3572	2956	cmd.exe	76
PID 2956 wrote to memory of 3572	2956	cmd.exe	76
PID 2956 wrote to memory of 3572	2956	cmd.exe	76
PID 3572 wrote to memory of 216	3572	work.exe	77
PID 3572 wrote to memory of 216	3572	work.exe	77
PID 3572 wrote to memory of 216	3572	work.exe	77

C:\Users\Admin\AppData\Local\Temp\e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe
"C:\Users\Admin\AppData\Local\Temp\e953ddb924a32ab5a78488d75e8f753832293eece41b98eb7227651dfe7ed8cf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
1.5MB

MD5
a1350f68fccdf680e99b49fe741c69e1

SHA1
537254d87a0ab447673c0ebdc6875b6cd510f93c

SHA256
fb54da30664d062a1f8f850002addffabc6a86758aaa6d0119770007bd2fe923

SHA512
b5799b96ae49adee077859d9b73b684e37d33f5d09c5fc5040d00d371e0dd62a3e5b8e0cc505d5090df8fc779a6f1c7d59e1689da46e64c1020a2f8503d41299

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\podwal.exe

Filesize
1.2MB

MD5
4e6930393bf1cb3337d7b3cdf2049476

SHA1
2588e74150491e169e897e43d7572d7e131f8d24

SHA256
d55be1d28b389d4f5c7540d7278fcf47943fa123817a8b85fc8d6350f1aa454e

SHA512
e8f9840a8af147275534594199846ed5d276780f7738cb2ae75a97117fbbaa52daf870258bb861b2ca372863853e4b7985f9002fa903b76037645c3695f68018

Download Submit
memory/216-20-0x0000000000E40000-0x0000000001200000-memory.dmp

Filesize
3.8MB

Download
memory/216-21-0x0000000000E40000-0x0000000001200000-memory.dmp

Filesize
3.8MB

Download
memory/216-22-0x0000000005990000-0x0000000005E8E000-memory.dmp

Filesize
5.0MB

Download
memory/216-23-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/216-24-0x00000000054E0000-0x00000000054EA000-memory.dmp

Filesize
40KB

Download
memory/216-25-0x0000000008950000-0x0000000008F56000-memory.dmp

Filesize
6.0MB

Download
memory/216-26-0x0000000008500000-0x000000000860A000-memory.dmp

Filesize
1.0MB

Download
memory/216-27-0x0000000008440000-0x0000000008452000-memory.dmp

Filesize
72KB

Download
memory/216-28-0x00000000084A0000-0x00000000084DE000-memory.dmp

Filesize
248KB

Download
memory/216-29-0x0000000008610000-0x000000000865B000-memory.dmp

Filesize
300KB

Download
memory/216-32-0x0000000000E40000-0x0000000001200000-memory.dmp

Filesize
3.8MB

Download