zgrat | d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c

Analysis

max time kernel
121s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe
Size

4.8MB
MD5

1bfb3e464fab237ab8b5fe784633d498
SHA1

6d31035c282a17fa67e2f3af31d3b259d0fa1efa
SHA256

d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c
SHA512

52684f0c58267f3faf0b5c0be93cab3e6bd8389009d643018a44d685ec7b775ad71d7271274c555331f2d2a6c343b18fcd586cf628f34b312edc7598330de6c8
SSDEEP

24576:VEusb+7sy6s4p3NrXHIlkDvhz9jbsyXQMPwyHMaD0o6Env67iXiK84ZAShWHuczu:

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/3468-3-0x0000000006F50000-0x00000000071AC000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-15-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-9-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-6-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-19-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-35-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-69-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-61-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-45-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-43-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-41-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-39-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-37-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-33-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-31-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-29-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-27-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-25-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-23-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-21-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-17-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-14-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-11-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-7-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-67-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-65-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-63-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-59-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-57-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-55-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-53-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-51-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-49-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1
behavioral2/memory/3468-47-0x0000000006F50000-0x00000000071A6000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mewcs = "C:\\Users\\Admin\\AppData\\Roaming\\Mewcs.exe"	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2264	4060	WerFault.exe	92
212	4060	WerFault.exe	92

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe
Token: SeDebugPrivilege	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92
PID 3468 wrote to memory of 4060	3468	d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe	92

C:\Users\Admin\AppData\Local\Temp\d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe
"C:\Users\Admin\AppData\Local\Temp\d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe
  "C:\Users\Admin\AppData\Local\Temp\d7868b348fa0c11af7680fd7867d2faef3225eef37f7cf45ef3347033ca0ff3c.exe"
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 516
    3⤵
    - Program crash
    PID:2264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 552
    3⤵
    - Program crash
    PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4060 -ip 4060
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4060 -ip 4060
1⤵
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3468-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/3468-1-0x0000000000730000-0x0000000000C04000-memory.dmp

Filesize
4.8MB

Download
memory/3468-2-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/3468-3-0x0000000006F50000-0x00000000071AC000-memory.dmp

Filesize
2.4MB

Download
memory/3468-4-0x0000000007760000-0x0000000007D04000-memory.dmp

Filesize
5.6MB

Download
memory/3468-5-0x0000000007250000-0x00000000072E2000-memory.dmp

Filesize
584KB

Download
memory/3468-15-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-9-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-6-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-19-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-35-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-69-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-61-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-45-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-43-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-41-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-39-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-37-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-33-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-31-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-29-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-27-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-25-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-23-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-21-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-17-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-14-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-11-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-7-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-67-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-65-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-63-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-59-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-57-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-55-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-53-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-51-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-49-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-47-0x0000000006F50000-0x00000000071A6000-memory.dmp

Filesize
2.3MB

Download
memory/3468-4886-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/3468-4887-0x0000000005CE0000-0x0000000005D7A000-memory.dmp

Filesize
616KB

Download
memory/3468-4888-0x0000000005C20000-0x0000000005C6C000-memory.dmp

Filesize
304KB

Download
memory/3468-4889-0x0000000007340000-0x0000000007394000-memory.dmp

Filesize
336KB

Download
memory/3468-4903-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads