zgrat | c402225260a6957be61c61d21b616ab8b05ea54ad7275d03d48058a452336e98

Analysis

max time kernel
48s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 02:36

Target

pdfsuite20.exe
Size

2.1MB
MD5

b19273b509ae959bda415ae05f5a8b0a
SHA1

07c4866abe4a511ec27dd1da58d8a87e8c595e1c
SHA256

c402225260a6957be61c61d21b616ab8b05ea54ad7275d03d48058a452336e98
SHA512

bb04013f2b1d7e3416a74b7cf9ac973d5b4659c46e2c52a182cdc992a86b9ecfc9ea04001b87fb03c73d6275029171dfed92f5f828a7be2bdbfbff8dee5d43fa
SSDEEP

49152:fks2qyONHO7x4VmiooUj7oHMRMDdbsiy91fQPlt:fkDqxNWmmiooUjUH2OU91foT

Score

10^/10

zgrat rat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/620-1-0x0000000000640000-0x0000000000852000-memory.dmp	family_zgrat_v1

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 620 set thread context of 4868	620	pdfsuite20.exe	95

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95
PID 620 wrote to memory of 4868	620	pdfsuite20.exe	95

C:\Users\Admin\AppData\Local\Temp\pdfsuite20.exe
"C:\Users\Admin\AppData\Local\Temp\pdfsuite20.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3760 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4748

memory/620-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/620-1-0x0000000000640000-0x0000000000852000-memory.dmp

Filesize
2.1MB

Download
memory/620-2-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/620-3-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/620-6-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4868-7-0x0000000000400000-0x00000000005E7000-memory.dmp

Filesize
1.9MB

Download