zgrat | a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c

Analysis

max time kernel
147s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe
Size

2.1MB
MD5

d86ddf1a6b51159906020e5efbe1ba92
SHA1

4cae49c47e8bd1a0a945ab076bfbe2917ccc64b4
SHA256

a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c
SHA512

09db2385b34eca95a23cc19ce58a8945705662bfc817f836437bbe260986ea507fa0739da90f9c18d16c3cdf08f33a32bb8332fc11084f5f10df90f74ba9de21
SSDEEP

24576:2TbBv5rUyXVYnL4FjYmL0J1HlbR6a2BbVgnTQcj+7nanx3GWFQjCDl5E85qcMeL9:IBJYEFbLbMnTQZanxSjC3v5+jml

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002340a-10.dat	family_zgrat_v1
behavioral2/memory/2228-13-0x00000000009C0000-0x0000000000B9A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Blockcontainerproviderdhcp.exe

Executes dropped EXE 2 IoCs

pid	Process
2228	Blockcontainerproviderdhcp.exe
1040	SppExtComObj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Java\Java Update\RuntimeBroker.exe	Blockcontainerproviderdhcp.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\9e8d7a4ca61bd9	Blockcontainerproviderdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	Blockcontainerproviderdhcp.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3888	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe
2228	Blockcontainerproviderdhcp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1040	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	Blockcontainerproviderdhcp.exe
Token: SeDebugPrivilege	1040	SppExtComObj.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4936	4364	a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe	84
PID 4364 wrote to memory of 4936	4364	a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe	84
PID 4364 wrote to memory of 4936	4364	a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe	84
PID 4936 wrote to memory of 3972	4936	WScript.exe	89
PID 4936 wrote to memory of 3972	4936	WScript.exe	89
PID 4936 wrote to memory of 3972	4936	WScript.exe	89
PID 3972 wrote to memory of 2228	3972	cmd.exe	91
PID 3972 wrote to memory of 2228	3972	cmd.exe	91
PID 2228 wrote to memory of 1112	2228	Blockcontainerproviderdhcp.exe	92
PID 2228 wrote to memory of 1112	2228	Blockcontainerproviderdhcp.exe	92
PID 1112 wrote to memory of 4952	1112	cmd.exe	94
PID 1112 wrote to memory of 4952	1112	cmd.exe	94
PID 1112 wrote to memory of 3888	1112	cmd.exe	95
PID 1112 wrote to memory of 3888	1112	cmd.exe	95
PID 1112 wrote to memory of 1040	1112	cmd.exe	96
PID 1112 wrote to memory of 1040	1112	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe
"C:\Users\Admin\AppData\Local\Temp\a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\SavesMonitor\Blockcontainerproviderdhcp.exe
      "C:\SavesMonitor/Blockcontainerproviderdhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Q9JgJ9CBv.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1112
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4952
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:3888
      - C:\SavesMonitor\SppExtComObj.exe
        
        "C:\SavesMonitor\SppExtComObj.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SavesMonitor\Blockcontainerproviderdhcp.exe

Filesize
1.8MB

MD5
6c43270f19233761545141a2175d00bc

SHA1
2af739400dd238badc0b7e9ce3d45e1eb0023e48

SHA256
27b5ff20a635463564a1b19868af62916c29453654d703aee7482b391b554de4

SHA512
b43a8964c58fb933a80bcdd8b688d8ffda33a832e831ae8c2b54323908c5fe7c87953f24836ee987802d9429f1cd313947d3df988a90817f651edcf89c6586d6

Download Submit
C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat

Filesize
92B

MD5
a65e78a870380ac9c4ba083569959d4a

SHA1
8d6c9d55106b4ac275b873db16c069a27b79609f

SHA256
d82e913f336059d8b7e9adf0832357d82b746230c75a997613b00714e86ddf30

SHA512
9021e5dc54bff72ccb2b62d6c13f44dbb90c04f4b88513bbee04b559290bf93f149cdfb574cc8ce6d645237e9f7effb0b5e267d33db1d0ecafe2da7a159e2b44

Download Submit
C:\SavesMonitor\RmK92.vbe

Filesize
208B

MD5
252c8a936c61108036239630f110d0b9

SHA1
765fa5076b12b640ab968cc5279b540e9f161341

SHA256
d16aa2383787258cc998e0f6a1d48f62ceb3c11068355c2eed26cdd74dc97b34

SHA512
d333fa3186c904c52b5685bb3e9197f25a0a4980955d973e1e99a84433821ebf5dcdb1faad21e5554eea940bd219fb92cf92e77e6be72d187692ae22e3856de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Q9JgJ9CBv.bat

Filesize
160B

MD5
78e8d8483edcb645701131335f100554

SHA1
8c5e77e81f3a65f1ce55d25d1b80a49285c98933

SHA256
77f12cf6b352b01447e8cc17cd25853030c8fe52e00daa3df3d9f629b8b4424f

SHA512
9713875b85f80efb1c2f1d2d04db55c4d5a8d4cdea22f3784d14aaff158d6e09814998ebdafcd9e8a3fbc12356f014ca503f44b0dac41947a1638a2829745b08

Download Submit
memory/1040-47-0x000000001B460000-0x000000001B4CB000-memory.dmp

Filesize
428KB

Download
memory/2228-12-0x00007FF9469E3000-0x00007FF9469E5000-memory.dmp

Filesize
8KB

Download
memory/2228-13-0x00000000009C0000-0x0000000000B9A000-memory.dmp

Filesize
1.9MB

Download
memory/2228-15-0x0000000001370000-0x000000000137E000-memory.dmp

Filesize
56KB

Download
memory/2228-17-0x0000000002CF0000-0x0000000002D0C000-memory.dmp

Filesize
112KB

Download
memory/2228-18-0x0000000002E90000-0x0000000002EE0000-memory.dmp

Filesize
320KB

Download
memory/2228-20-0x0000000002D10000-0x0000000002D28000-memory.dmp

Filesize
96KB

Download
memory/2228-22-0x0000000001490000-0x000000000149C000-memory.dmp

Filesize
48KB

Download