zgrat | 361e15470617b73a383df0887f3a4c2ad40cae5fef3f6c1ba5459ea31fdf1536

General

Target

759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
Size

1.4MB
MD5

759cb47cafa914af4368b18c46b8b060
SHA1

c946424b3e2f7d0f3cd7e169618564b99c4787c4
SHA256

361e15470617b73a383df0887f3a4c2ad40cae5fef3f6c1ba5459ea31fdf1536
SHA512

52e0921436eb4892c363b5270c1aad098c6ee5fb8677d8378fcd4c149be2387333829694364e007a7360f4e0b94d04787f94785a530b03cc30f72f905eab7fd5
SSDEEP

24576:yj/VhzUkpM4pU6/L1ukbhB5SVTfQdK2J+3x2yrk/okgOuojNUDuo6Uo0JJl34ExI:W/PzrpM4p3IAkVjGJ+Eyruokdv5u6492

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023298-7.dat	family_zgrat_v1
behavioral2/files/0x000900000002338b-26.dat	family_zgrat_v1
behavioral2/memory/4436-28-0x0000000000E60000-0x0000000000FF8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	blockProviderMonitorCommon.exe

Executes dropped EXE 2 IoCs

pid	Process
3320	DCRatBuild.exe
4436	blockProviderMonitorCommon.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4460	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	blockProviderMonitorCommon.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2828	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
4436	blockProviderMonitorCommon.exe
4436	blockProviderMonitorCommon.exe
4436	blockProviderMonitorCommon.exe
4436	blockProviderMonitorCommon.exe
4436	blockProviderMonitorCommon.exe
4436	blockProviderMonitorCommon.exe
4436	blockProviderMonitorCommon.exe
4436	blockProviderMonitorCommon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
Token: SeDebugPrivilege	4436	blockProviderMonitorCommon.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 3320	2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	89
PID 2260 wrote to memory of 3320	2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	89
PID 2260 wrote to memory of 3320	2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	89
PID 2260 wrote to memory of 2140	2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	90
PID 2260 wrote to memory of 2140	2260	759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe	90
PID 2140 wrote to memory of 4460	2140	cmd.exe	92
PID 2140 wrote to memory of 4460	2140	cmd.exe	92
PID 3320 wrote to memory of 1792	3320	DCRatBuild.exe	95
PID 3320 wrote to memory of 1792	3320	DCRatBuild.exe	95
PID 3320 wrote to memory of 1792	3320	DCRatBuild.exe	95
PID 1792 wrote to memory of 1020	1792	WScript.exe	102
PID 1792 wrote to memory of 1020	1792	WScript.exe	102
PID 1792 wrote to memory of 1020	1792	WScript.exe	102
PID 1020 wrote to memory of 4436	1020	cmd.exe	104
PID 1020 wrote to memory of 4436	1020	cmd.exe	104
PID 4436 wrote to memory of 736	4436	blockProviderMonitorCommon.exe	113
PID 4436 wrote to memory of 736	4436	blockProviderMonitorCommon.exe	113
PID 736 wrote to memory of 3292	736	cmd.exe	115
PID 736 wrote to memory of 3292	736	cmd.exe	115
PID 736 wrote to memory of 2828	736	cmd.exe	116
PID 736 wrote to memory of 2828	736	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\759cb47cafa914af4368b18c46b8b060_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\containerBrowserBrokerMonitorcommon\L9Ebm5vBaZZqGzEgqQR.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\containerBrowserBrokerMonitorcommon\AcEKSEAO.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\containerBrowserBrokerMonitorcommon\blockProviderMonitorCommon.exe
        
        "C:\containerBrowserBrokerMonitorcommon/blockProviderMonitorCommon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3EED.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
1.9MB

MD5
e2f66b7847dacb87c85f898ece1adfe8

SHA1
1098b34dae2ff2ba5c01860fd71d02e4792d2dd2

SHA256
10e525db36f507465079a07aaac24ec847b345342d30cc44cf1ebfee3a973b86

SHA512
16ec79611128b855a27f8e47f344ebd72ea4e8c6bb5500d9d1b4b53471aeaaf1b09c2a4eb1614b7487bb44999771a88fc0f2b5b5011cc7650c4638114b63a49e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
201B

MD5
a783a4a0c705af4bc3e67a41caaa269a

SHA1
a6a1b902cf439fdd12cad31411c34cf3a3875182

SHA256
3ff5c1c78519f15dc51b75ec4c1296e018bde43599a2ac5681ad6332766637df

SHA512
21415f8929f57a91abe14de1853d8e298f4d194270e132d088b613f07e746c7c833797e2e1635c6adc966b956c0a16e012677d34e8e60ba1f83e72d20958bffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EED.tmp.bat

Filesize
199B

MD5
1c8053d53b6ec18bd84158207eb7ac1c

SHA1
491f267be5f1dc791b1be5e5cfc9849d34b4e460

SHA256
eb3611c1e914e2e230f33f264aa9f67c604726ff89dbb012d327e194fe7b7eee

SHA512
85efcfc9749790bfcf3d0b49ce483cef16c11033464c428b216622907470e061a0c77d68cbd29d229ca7fdb7755ec56b8c3eca1416b64e03f83360a51cbfafb5

Download Submit
C:\containerBrowserBrokerMonitorcommon\AcEKSEAO.bat

Filesize
129B

MD5
f814b2b6b8b280d176c6d72aa1c4a934

SHA1
af5b3654c7bce06a2f8b2b5ba3c03ef289f7677e

SHA256
7997ae4d868c75b0466c49eb4d1d1d72e33cc2c6ba8224816852fd622450be56

SHA512
722bdaf76f8c43666ade47be092f5115bacf6af14bc62af904cf887e0a2ea4c45c4e3f6c8c462eb13a8e52b5a643757aff0a2c45fe9d5dd4ad12e4d890b4d2b0

Download Submit
C:\containerBrowserBrokerMonitorcommon\L9Ebm5vBaZZqGzEgqQR.vbe

Filesize
222B

MD5
c66dd4f3a1f07ddef7c8a18a980d982e

SHA1
6ba656ab6b4bce1b83be4fd1ecd4a0bca4cc35b7

SHA256
df0eef4ca676550345a74f07b0a382cde241327b6e5cadaca325a320d4fa64f0

SHA512
834714b3f2434d693198df1891b5c84c5dcd41eb43603c8f2dbb66a9b053cb6ac4e2394b16e3178f8ffeeb5b2caa9fb652d67ea47137095bd08012d648c5913a

Download Submit
C:\containerBrowserBrokerMonitorcommon\blockProviderMonitorCommon.exe

Filesize
1.6MB

MD5
6469b6665249d28cc0eb21e2d849a968

SHA1
b4a71ccef3a73d89c57a610cfd992c74d4fa1d69

SHA256
aaba3a9e2ee1b2e9566e76b150f3afadedadbb110e9c566375deee22eebb8df0

SHA512
38092f3c4a57e0acc9ffdbf1a6f81cc1eeb897c19e959185199e208fe53687b6940b7d0019640181e57459bfe97785e4ab2b37adef66fcb1abae38c974dc9e0d

Download Submit
memory/2260-1-0x0000000000570000-0x00000000006D2000-memory.dmp

Filesize
1.4MB

Download
memory/2260-0-0x00007FF950D53000-0x00007FF950D55000-memory.dmp

Filesize
8KB

Download
memory/2260-2-0x00007FF950D50000-0x00007FF951811000-memory.dmp

Filesize
10.8MB

Download
memory/2260-13-0x00007FF950D50000-0x00007FF951811000-memory.dmp

Filesize
10.8MB

Download
memory/4436-28-0x0000000000E60000-0x0000000000FF8000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing