zgrat | 6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

General

Target

7C12D48DF8F08A95701197C514269A50.exe
Size

1.7MB
MD5

7c12d48df8f08a95701197c514269a50
SHA1

4f99360c54ad2cce0afe14ddb37697f6777795c8
SHA256

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f
SHA512

37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d
SSDEEP

24576:YciyxcGgPmGJ5CNvo3h9Uzt/RUr0YOnWiqj+7A/X0Vp6W5GuqSD5bdGjPIT9z:YsgB2yoQ4k/ECW5Gu5xdGjPIT9

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2432-1-0x0000000000AE0000-0x0000000000C92000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00070000000149f5-16.dat	family_zgrat_v1
behavioral1/memory/2588-27-0x0000000000A30000-0x0000000000BE2000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid	Process
2588	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

7C12D48DF8F08A95701197C514269A50.exeservices.exe

pid	Process
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2432	7C12D48DF8F08A95701197C514269A50.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe
2588	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

services.exe

pid	Process
2588	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7C12D48DF8F08A95701197C514269A50.exeservices.exe

description	pid	Process
Token: SeDebugPrivilege	2432	7C12D48DF8F08A95701197C514269A50.exe
Token: SeDebugPrivilege	2588	services.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7C12D48DF8F08A95701197C514269A50.execmd.exe

description	pid	Process	procid_target
PID 2432 wrote to memory of 2668	2432	7C12D48DF8F08A95701197C514269A50.exe	28
PID 2432 wrote to memory of 2668	2432	7C12D48DF8F08A95701197C514269A50.exe	28
PID 2432 wrote to memory of 2668	2432	7C12D48DF8F08A95701197C514269A50.exe	28
PID 2668 wrote to memory of 2696	2668	cmd.exe	30
PID 2668 wrote to memory of 2696	2668	cmd.exe	30
PID 2668 wrote to memory of 2696	2668	cmd.exe	30
PID 2668 wrote to memory of 2672	2668	cmd.exe	31
PID 2668 wrote to memory of 2672	2668	cmd.exe	31
PID 2668 wrote to memory of 2672	2668	cmd.exe	31
PID 2668 wrote to memory of 2588	2668	cmd.exe	32
PID 2668 wrote to memory of 2588	2668	cmd.exe	32
PID 2668 wrote to memory of 2588	2668	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\7C12D48DF8F08A95701197C514269A50.exe
"C:\Users\Admin\AppData\Local\Temp\7C12D48DF8F08A95701197C514269A50.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AS7XwQsXhA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2696
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2672
- - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe
    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AS7XwQsXhA.bat

Filesize
251B

MD5
76cf4ee223d3a4899edee4b7ee0c019d

SHA1
76c8dd22d2a3eb1f5e2bc61f56120e0e0f7b0dde

SHA256
fc752792fd2227ca2f1413411b1fca657c540c50e951e04752ee7c7d03a4534e

SHA512
e71fea328772e924035a16c28460e80906a52cfc78cc028066201fba2c41cee7dd081c7778e829bf71def6e37fc5eacd8afce68b2bd690ffb0611b4fb0ed9f08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\taskhost.exe

Filesize
1.7MB

MD5
7c12d48df8f08a95701197c514269a50

SHA1
4f99360c54ad2cce0afe14ddb37697f6777795c8

SHA256
6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

SHA512
37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d

Download Submit
memory/2432-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000000AE0000-0x0000000000C92000-memory.dmp

Filesize
1.7MB

Download
memory/2432-2-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-3-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-4-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-6-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/2432-11-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-21-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-24-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-27-0x0000000000A30000-0x0000000000BE2000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads