zgrat | 0f9c56f62484b2bbf14f9b7b76efa84e0fa0a179b0787e98e3dc9a02b9f6054e

Analysis

max time kernel
135s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Enigma Temp.exe
Size

13.5MB
MD5

330a39ccb7e57bac11f25d600c5aa463
SHA1

c22bac47bb741f63600c97c7669f2e48bf1567ab
SHA256

0f9c56f62484b2bbf14f9b7b76efa84e0fa0a179b0787e98e3dc9a02b9f6054e
SHA512

fda91e66009f1ccd88514efb56c272a1866c74496175f55573cd244b044e8cbe812fa8f98d7a5859254970c3d8898b34968e1649c3a59b7ba5b7e9ddc744efce
SSDEEP

393216:Rf50Nu9En2liECzJ3USGsfg6W2oBqtMpYbA4:x6GsLBusfg6fbqpY

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e31-25.dat	family_zgrat_v1
behavioral2/memory/456-34-0x00000000000D0000-0x0000000000268000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	bridgesurrogateagentCrtdll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Enigma Spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Enigma Spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Enigma Temp.exe

Executes dropped EXE 4 IoCs

pid	Process
3060	Enigma Spoofer.exe
456	bridgesurrogateagentCrtdll.exe
2432	Enigma Spoofer.exe
4948	sppsvc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\66fc9ff0ee96c2	bridgesurrogateagentCrtdll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe	bridgesurrogateagentCrtdll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6ccacd8608530f	bridgesurrogateagentCrtdll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe	bridgesurrogateagentCrtdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	bridgesurrogateagentCrtdll.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	sppsvc.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1708	PING.EXE
2952	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1524	Enigma Temp.exe
1524	Enigma Temp.exe
1524	Enigma Temp.exe
1524	Enigma Temp.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
456	bridgesurrogateagentCrtdll.exe
4948	sppsvc.exe
4948	sppsvc.exe
4948	sppsvc.exe
4948	sppsvc.exe
4948	sppsvc.exe
4948	sppsvc.exe
4948	sppsvc.exe
4948	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	456	bridgesurrogateagentCrtdll.exe
Token: SeDebugPrivilege	3060	Enigma Spoofer.exe
Token: SeDebugPrivilege	2432	Enigma Spoofer.exe
Token: SeDebugPrivilege	4948	sppsvc.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 3060	1524	Enigma Temp.exe	85
PID 1524 wrote to memory of 3060	1524	Enigma Temp.exe	85
PID 1524 wrote to memory of 3060	1524	Enigma Temp.exe	85
PID 1524 wrote to memory of 456	1524	Enigma Temp.exe	86
PID 1524 wrote to memory of 456	1524	Enigma Temp.exe	86
PID 456 wrote to memory of 3720	456	bridgesurrogateagentCrtdll.exe	87
PID 456 wrote to memory of 3720	456	bridgesurrogateagentCrtdll.exe	87
PID 3720 wrote to memory of 1164	3720	cmd.exe	89
PID 3720 wrote to memory of 1164	3720	cmd.exe	89
PID 3720 wrote to memory of 2952	3720	cmd.exe	90
PID 3720 wrote to memory of 2952	3720	cmd.exe	90
PID 3060 wrote to memory of 3968	3060	Enigma Spoofer.exe	96
PID 3060 wrote to memory of 3968	3060	Enigma Spoofer.exe	96
PID 3060 wrote to memory of 3968	3060	Enigma Spoofer.exe	96
PID 3968 wrote to memory of 4676	3968	cmd.exe	98
PID 3968 wrote to memory of 4676	3968	cmd.exe	98
PID 3968 wrote to memory of 4676	3968	cmd.exe	98
PID 3060 wrote to memory of 2432	3060	Enigma Spoofer.exe	101
PID 3060 wrote to memory of 2432	3060	Enigma Spoofer.exe	101
PID 3060 wrote to memory of 2432	3060	Enigma Spoofer.exe	101
PID 2432 wrote to memory of 396	2432	Enigma Spoofer.exe	102
PID 2432 wrote to memory of 396	2432	Enigma Spoofer.exe	102
PID 2432 wrote to memory of 396	2432	Enigma Spoofer.exe	102
PID 396 wrote to memory of 1948	396	cmd.exe	104
PID 396 wrote to memory of 1948	396	cmd.exe	104
PID 396 wrote to memory of 1948	396	cmd.exe	104
PID 3720 wrote to memory of 4948	3720	cmd.exe	108
PID 3720 wrote to memory of 4948	3720	cmd.exe	108
PID 4948 wrote to memory of 3572	4948	sppsvc.exe	111
PID 4948 wrote to memory of 3572	4948	sppsvc.exe	111
PID 3572 wrote to memory of 1008	3572	cmd.exe	113
PID 3572 wrote to memory of 1008	3572	cmd.exe	113
PID 3572 wrote to memory of 1708	3572	cmd.exe	114
PID 3572 wrote to memory of 1708	3572	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\Enigma Temp.exe
"C:\Users\Admin\AppData\Local\Temp\Enigma Temp.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" /v "Fortnite (TrueType)" /t REG_SZ /d "C:\Enigma\Font\5.ttf" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" /v "Fortnite (TrueType)" /t REG_SZ /d "C:\Enigma\Font\5.ttf" /f
      4⤵
      PID:4676
- - C:\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" /v "Fortnite (TrueType)" /t REG_SZ /d "C:\Enigma\Font\5.ttf" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" /v "Fortnite (TrueType)" /t REG_SZ /d "C:\Enigma\Font\5.ttf" /f
        5⤵
        
        PID:1948
- C:\Users\Admin\AppData\Local\Temp\bridgesurrogateagentCrtdll.exe
  "C:\Users\Admin\AppData\Local\Temp\bridgesurrogateagentCrtdll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oIGEOYMPQg.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1164
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2952
  - - C:\Users\Admin\SendTo\sppsvc.exe
      "C:\Users\Admin\SendTo\sppsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1008
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ENIGMA\FONT\5.TTF

Filesize
40KB

MD5
51569595124f88e0f8b2ac16d472c178

SHA1
66acb9b0321ff2a3e169eb61cf3836f10da76bb4

SHA256
b33178f9cf3d9e80bb1220567680d26c832f74885dfe2fb4afec094d6801c863

SHA512
a4bc617f5fd0c44576c7bbaa05e1c87b5e49969c29ae6aceb43189907f009caab5e8bf80dc6b44d845cd4284b7e852e5a30749492ef0b436d647671d76ef08e8

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\66fc9ff0ee96c2

Filesize
815B

MD5
22c126d5cf3d4e56d41ab802db99c7d5

SHA1
e3c84d23f69a9f4a3c976075feacfb4cd3ca55d1

SHA256
1ae5da2d65cdb5c9aaa6ce587f981867ded860b299ff2d1cc72ebe9b636c1572

SHA512
27421d5873a9d8d68208b6f8730f1c10c37c7419819140147f015759d7b817a98f03f53f9f7a9f0c7b33485b9a6ddc5cf2b442a08ceae01e17d1dba84a3bd2e8

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\6ccacd8608530f

Filesize
722B

MD5
e5adba3247ca1db1d0abf295bb08f820

SHA1
48b204c53b753bcf9f49b5212fb14a29ec088115

SHA256
7191ba2819c116db89fa8e008cefdd0f94c281a2de00f9c7b9cffc06bd57d65e

SHA512
fcd5907cefc2e868c6951a7fb3808102ab126700b9915f94ca99784fce6ce35a2b9ebcd4cb56ccab945556a1c837c366d639c9143997f8b3234f97468b4a8ec9

Download Submit
C:\ProgramData\KeyAuth\debug\Enigma Spoofer\May_11_2024_logs.txt

Filesize
880B

MD5
05e8f6f68f3d458c59d89c4dd43dd7ed

SHA1
523ac38e22ca6ca7909b4ae69ec102259f2032b8

SHA256
ddde6c550e1cb51c29c960aa081edf8d030ac3730f51c9a294d3c23db1a3837d

SHA512
1bdf50430d4a6bc9098450dd46d152acae1c26317832daf8650d22da5d74c39c89918171cae4c85ca9fda6dc36f45a8134f7eaaecd70bd80bcdbe4e8e2ffd84a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Enigma Spoofer.exe.log

Filesize
1KB

MD5
e3a620d14252731f026fbea838281a58

SHA1
f4381464bae731d83bcca69a7b92350eb8fa358a

SHA256
01420c2fc380ab71ac17f1c254ca1ab0d5c65d59ccabe50969b1e4592a01f421

SHA512
aca51146e7058be6d0d87b113d076ad3df6b22e2569f4de2b85b02c6f601947814c260b16916f66052e1c50e98abe0ff8fac6cc37f1098664b63203ea69cfe81

Download Submit
C:\Users\Admin\AppData\Local\Temp\99bbdbd32ba65b

Filesize
84B

MD5
4c7deb496e2caac726a0f3281f6a12b5

SHA1
22f08da1289d69efe21e46583b2d589bd5cdae29

SHA256
1de69486a50f3c98dcea47c4ba8b1e4407fef5fde5d6f58660ef9ecf1b615730

SHA512
28309d1d7169a3f6795577fa44d4bc086121d4266af61d4c905d48729bc2a0d6c8532c77af999034f8daf6da4e658cb679900adfc787999ad8c56cddb3f3e7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Enigma Spoofer.exe

Filesize
7.3MB

MD5
f1fd79171f827a3f4a9c4a218cb418b8

SHA1
de7167406f15488f352ebf89baf52d59f3c89675

SHA256
b4219e46557eea00c0feeeb0826051a1bd101b6960b600afd73ab8e0f51fe501

SHA512
1d96631359d2f60443df74a3e247d2e8aae9f3a7a23864a2af6aaa1804bd2182e336409e450068282b5d7a456b0883659f69035805b06c2b2a611d884b8f25c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat

Filesize
217B

MD5
0e24a05b1eebb524d717e29a8022e4f6

SHA1
6897e468aaf068cfec4d85db9b50552ffc2f904b

SHA256
d1f922b7b719c9652ffdea4fc14aa53707beb2126771b326b1d6dd4182d58412

SHA512
3932570ff89b69f068a5f4b689c941a8c7787523a019c7e4af8f9e75bf8b02b78df5ec792fc4c14845ee233c71989ce35bff46fe94092bc38fba1e67448462b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgesurrogateagentCrtdll.exe

Filesize
1.6MB

MD5
9ba0957ffbb353c1049ebc0b95f8ee1f

SHA1
fb11f43950536c6949ba4c1158ba77de95f34e54

SHA256
55915d123ddb434090027502f8eb49f8e94de176905f28d733c914ab9f316359

SHA512
da975fec40d1a9d43eb716faaaef84e9f4fa9051525db62fdcd8f7383bc33c8e13ee6a6ad80580eabb00db5630fb9f0aa343ffa96634bc1f48df4dd124b379e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\oIGEOYMPQg.bat

Filesize
160B

MD5
81c7dd8e6f4af4a8eb26f97147fb70ba

SHA1
b888447affa1500fa08615e7bbd5c1fbc11c6ee2

SHA256
71471190d213031a35be627ad8d6437306a3b8ebc4470c198d92612d3dc0b155

SHA512
21f1f2cd9a168a1b31c38368c5b468a45627f30aed714bc6caeabe99968f7088f989bce2c2a9638b17ab87246ee87139d6073bafd24f31c16b90bbd93b07239d

Download Submit
C:\Users\Default\5940a34987c991

Filesize
199B

MD5
3cd75d0bc6dce9e43f55f4fd911d841c

SHA1
ffbd85198544c8df3f77dbbfbfe369dd17f12be2

SHA256
cd902c18556e1a6a56f10736cc05a07337268336da60c143785f7e2f09220250

SHA512
c7a33dae4739b8a6635d4ea1daf730d160700fd2eb4228645c16445c665c9fac79b3b212e46fade56e0bc8b2bfea6adc963324b1f177b5deb67e15630ebcb0be

Download Submit
C:\Users\Public\Documents\886983d96e3d3e

Filesize
264B

MD5
3b5f26bd4182babffdeea7bfa170bdcc

SHA1
1b61b3e8f0b82b322ec17d3537b79a65afacce1c

SHA256
867246ad30d9b35d1724c9fd2ed5e362b6db7eb14e1ea24bce55b9fb362c6449

SHA512
c9f27eaef65e8730e38a5dffb648264a63810a05b7c6dddf36b7de6f820a2f25b504ed45cf9e5476d058fc1fc966d6f008cd4bd1134ccf96cea5fd3f0c206223

Download Submit
memory/456-37-0x000000001AFA0000-0x000000001AFB0000-memory.dmp

Filesize
64KB

Download
memory/456-38-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/456-34-0x00000000000D0000-0x0000000000268000-memory.dmp

Filesize
1.6MB

Download
memory/456-32-0x00007FFCDFA73000-0x00007FFCDFA75000-memory.dmp

Filesize
8KB

Download
memory/1524-8-0x0000000000408000-0x0000000001012000-memory.dmp

Filesize
12.0MB

Download
memory/1524-2-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1524-35-0x0000000000400000-0x0000000001D91000-memory.dmp

Filesize
25.6MB

Download
memory/1524-6-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1524-41-0x0000000000408000-0x0000000001012000-memory.dmp

Filesize
12.0MB

Download
memory/1524-0-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1524-5-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1524-10-0x0000000000400000-0x0000000001D91000-memory.dmp

Filesize
25.6MB

Download
memory/1524-7-0x0000000000400000-0x0000000001D91000-memory.dmp

Filesize
25.6MB

Download
memory/1524-1-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1524-4-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1524-3-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2432-76-0x000000000B930000-0x000000000B9CC000-memory.dmp

Filesize
624KB

Download
memory/2432-72-0x0000000008D80000-0x00000000090D4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-39-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/3060-63-0x00000000086A0000-0x00000000086C2000-memory.dmp

Filesize
136KB

Download
memory/3060-64-0x00000000086D0000-0x0000000008A24000-memory.dmp

Filesize
3.3MB

Download
memory/3060-62-0x00000000085A0000-0x0000000008652000-memory.dmp

Filesize
712KB

Download
memory/3060-61-0x0000000007F40000-0x0000000007F52000-memory.dmp

Filesize
72KB

Download
memory/3060-54-0x00000000060C0000-0x0000000006496000-memory.dmp

Filesize
3.8MB

Download
memory/3060-43-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/3060-66-0x0000000008A90000-0x0000000008ACC000-memory.dmp

Filesize
240KB

Download
memory/3060-40-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/3060-36-0x0000000000300000-0x0000000000A54000-memory.dmp

Filesize
7.3MB

Download
memory/3060-33-0x000000007397E000-0x000000007397F000-memory.dmp

Filesize
4KB

Download
memory/4948-80-0x000000001BB70000-0x000000001BC72000-memory.dmp

Filesize
1.0MB

Download
memory/4948-99-0x000000001BB70000-0x000000001BC72000-memory.dmp

Filesize
1.0MB

Download