zgrat | 361e15470617b73a383df0887f3a4c2ad40cae5fef3f6c1ba5459ea31fdf1536

Analysis

max time kernel
137s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
Size

1.4MB
MD5

759cb47cafa914af4368b18c46b8b060
SHA1

c946424b3e2f7d0f3cd7e169618564b99c4787c4
SHA256

361e15470617b73a383df0887f3a4c2ad40cae5fef3f6c1ba5459ea31fdf1536
SHA512

52e0921436eb4892c363b5270c1aad098c6ee5fb8677d8378fcd4c149be2387333829694364e007a7360f4e0b94d04787f94785a530b03cc30f72f905eab7fd5
SSDEEP

24576:yj/VhzUkpM4pU6/L1ukbhB5SVTfQdK2J+3x2yrk/okgOuojNUDuo6Uo0JJl34ExI:W/PzrpM4p3IAkVjGJ+Eyruokdv5u6492

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012674-6.dat	family_zgrat_v1
behavioral1/files/0x00080000000143e5-27.dat	family_zgrat_v1
behavioral1/memory/2716-31-0x00000000001D0000-0x0000000000368000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2532	DCRatBuild.exe
2716	blockProviderMonitorCommon.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	cmd.exe
2692	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2752	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
964	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2716	blockProviderMonitorCommon.exe
2716	blockProviderMonitorCommon.exe
2716	blockProviderMonitorCommon.exe
2716	blockProviderMonitorCommon.exe
2716	blockProviderMonitorCommon.exe
2716	blockProviderMonitorCommon.exe
2716	blockProviderMonitorCommon.exe
2716	blockProviderMonitorCommon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
Token: SeDebugPrivilege	2716	blockProviderMonitorCommon.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2532	2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	29
PID 2984 wrote to memory of 2532	2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	29
PID 2984 wrote to memory of 2532	2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	29
PID 2984 wrote to memory of 2532	2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	29
PID 2984 wrote to memory of 2796	2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	30
PID 2984 wrote to memory of 2796	2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	30
PID 2984 wrote to memory of 2796	2984	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	30
PID 2796 wrote to memory of 2752	2796	cmd.exe	32
PID 2796 wrote to memory of 2752	2796	cmd.exe	32
PID 2796 wrote to memory of 2752	2796	cmd.exe	32
PID 2532 wrote to memory of 2552	2532	DCRatBuild.exe	33
PID 2532 wrote to memory of 2552	2532	DCRatBuild.exe	33
PID 2532 wrote to memory of 2552	2532	DCRatBuild.exe	33
PID 2532 wrote to memory of 2552	2532	DCRatBuild.exe	33
PID 2552 wrote to memory of 2692	2552	WScript.exe	34
PID 2552 wrote to memory of 2692	2552	WScript.exe	34
PID 2552 wrote to memory of 2692	2552	WScript.exe	34
PID 2552 wrote to memory of 2692	2552	WScript.exe	34
PID 2692 wrote to memory of 2716	2692	cmd.exe	36
PID 2692 wrote to memory of 2716	2692	cmd.exe	36
PID 2692 wrote to memory of 2716	2692	cmd.exe	36
PID 2692 wrote to memory of 2716	2692	cmd.exe	36
PID 2716 wrote to memory of 1488	2716	blockProviderMonitorCommon.exe	39
PID 2716 wrote to memory of 1488	2716	blockProviderMonitorCommon.exe	39
PID 2716 wrote to memory of 1488	2716	blockProviderMonitorCommon.exe	39
PID 1488 wrote to memory of 1720	1488	cmd.exe	41
PID 1488 wrote to memory of 1720	1488	cmd.exe	41
PID 1488 wrote to memory of 1720	1488	cmd.exe	41
PID 1488 wrote to memory of 964	1488	cmd.exe	42
PID 1488 wrote to memory of 964	1488	cmd.exe	42
PID 1488 wrote to memory of 964	1488	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\containerBrowserBrokerMonitorcommon\L9Ebm5vBaZZqGzEgqQR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\containerBrowserBrokerMonitorcommon\AcEKSEAO.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\containerBrowserBrokerMonitorcommon\blockProviderMonitorCommon.exe
        
        "C:\containerBrowserBrokerMonitorcommon/blockProviderMonitorCommon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:964
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3B8A.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
1.9MB

MD5
e2f66b7847dacb87c85f898ece1adfe8

SHA1
1098b34dae2ff2ba5c01860fd71d02e4792d2dd2

SHA256
10e525db36f507465079a07aaac24ec847b345342d30cc44cf1ebfee3a973b86

SHA512
16ec79611128b855a27f8e47f344ebd72ea4e8c6bb5500d9d1b4b53471aeaaf1b09c2a4eb1614b7487bb44999771a88fc0f2b5b5011cc7650c4638114b63a49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
201B

MD5
c36aaac82179df33f733700edd16867c

SHA1
ac593a2843e7ac95bde3ce8e20ea2b2f52681b32

SHA256
c9cb0f8fc8b6cc7d93b58fe27f15b27395337de3209cdc24d7d2e1a7c215a26e

SHA512
3f0d1db089a9fcb7cccf82b24f2fb90e3921e396011600b42125bfe44d56fed9dc51ffbe13736b82161424d18c2f8ed4030beeb49ae8f3f0fb04e7bece09faca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B8A.tmp.bat

Filesize
199B

MD5
98e967f6b4694de5825701e0fd5137d4

SHA1
351e017dcc56d0326e6d91f571c0b69081e36224

SHA256
30df7ffe13996f7a515c1b0136e3fd04e415ff89448838cad5b76a0883d62ca1

SHA512
57c7e9bba43d2cb58f61e2d69916be670822fb8ea9d9c67db5bd4db7108eae1ff84dcadfd8ca2a2cd34f68a9565212c0287943519d7cd25c24c9cdec16e0f9b4

Download Submit
C:\containerBrowserBrokerMonitorcommon\AcEKSEAO.bat

Filesize
129B

MD5
f814b2b6b8b280d176c6d72aa1c4a934

SHA1
af5b3654c7bce06a2f8b2b5ba3c03ef289f7677e

SHA256
7997ae4d868c75b0466c49eb4d1d1d72e33cc2c6ba8224816852fd622450be56

SHA512
722bdaf76f8c43666ade47be092f5115bacf6af14bc62af904cf887e0a2ea4c45c4e3f6c8c462eb13a8e52b5a643757aff0a2c45fe9d5dd4ad12e4d890b4d2b0

Download Submit
C:\containerBrowserBrokerMonitorcommon\L9Ebm5vBaZZqGzEgqQR.vbe

Filesize
222B

MD5
c66dd4f3a1f07ddef7c8a18a980d982e

SHA1
6ba656ab6b4bce1b83be4fd1ecd4a0bca4cc35b7

SHA256
df0eef4ca676550345a74f07b0a382cde241327b6e5cadaca325a320d4fa64f0

SHA512
834714b3f2434d693198df1891b5c84c5dcd41eb43603c8f2dbb66a9b053cb6ac4e2394b16e3178f8ffeeb5b2caa9fb652d67ea47137095bd08012d648c5913a

Download Submit
\containerBrowserBrokerMonitorcommon\blockProviderMonitorCommon.exe

Filesize
1.6MB

MD5
6469b6665249d28cc0eb21e2d849a968

SHA1
b4a71ccef3a73d89c57a610cfd992c74d4fa1d69

SHA256
aaba3a9e2ee1b2e9566e76b150f3afadedadbb110e9c566375deee22eebb8df0

SHA512
38092f3c4a57e0acc9ffdbf1a6f81cc1eeb897c19e959185199e208fe53687b6940b7d0019640181e57459bfe97785e4ab2b37adef66fcb1abae38c974dc9e0d

Download Submit
memory/2716-31-0x00000000001D0000-0x0000000000368000-memory.dmp

Filesize
1.6MB

Download
memory/2984-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

Filesize
4KB

Download
memory/2984-1-0x0000000000B60000-0x0000000000CC2000-memory.dmp

Filesize
1.4MB

Download
memory/2984-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2984-17-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download