zgrat | 420e81d42c5661eb857403570125ed35817db3771dc83782b1f5eb94e1d482d1

Analysis

max time kernel
129s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
Size

1.7MB
MD5

7c12d48df8f08a95701197c514269a50
SHA1

4f99360c54ad2cce0afe14ddb37697f6777795c8
SHA256

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f
SHA512

37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d
SSDEEP

24576:YciyxcGgPmGJ5CNvo3h9Uzt/RUr0YOnWiqj+7A/X0Vp6W5GuqSD5bdGjPIT9z:YsgB2yoQ4k/ECW5Gu5xdGjPIT9

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1204-1-0x0000000000930000-0x0000000000AE2000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023420-19.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

Executes dropped EXE 1 IoCs

Processes:

taskhostw.exe

pid	Process
3932	taskhostw.exe

Drops file in Program Files directory 3 IoCs

Processes:

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\RuntimeBroker.exe	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
File created	C:\Program Files\Microsoft Office\root\backgroundTaskHost.exe	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
File created	C:\Program Files\Microsoft Office\root\eddb19405b7ce1	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

Drops file in Windows directory 2 IoCs

Processes:

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\taskhostw.exe	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
File created	C:\Windows\Microsoft.NET\Framework\ea9f0e6c9e2dcd	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3748	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

pid	Process
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhostw.exe

pid	Process
3932	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exetaskhostw.exe

description	pid	Process
Token: SeDebugPrivilege	1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
Token: SeDebugPrivilege	3932	taskhostw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.execmd.exe

description	pid	Process	procid_target
PID 1204 wrote to memory of 1760	1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe	85
PID 1204 wrote to memory of 1760	1204	6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe	85
PID 1760 wrote to memory of 688	1760	cmd.exe	88
PID 1760 wrote to memory of 688	1760	cmd.exe	88
PID 1760 wrote to memory of 3748	1760	cmd.exe	89
PID 1760 wrote to memory of 3748	1760	cmd.exe	89
PID 1760 wrote to memory of 3932	1760	cmd.exe	93
PID 1760 wrote to memory of 3932	1760	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe
"C:\Users\Admin\AppData\Local\Temp\6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddPghUJzXO.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:688
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:3748
- - C:\Windows\Microsoft.NET\Framework\taskhostw.exe
    "C:\Windows\Microsoft.NET\Framework\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ddPghUJzXO.bat

Filesize
176B

MD5
19fc392824f34b625adca2380632e69b

SHA1
8d314c0f9e78f4150a376258d8ee95acc467a5b3

SHA256
ddc055bd9f2d09a824152fd37b9589f93372134448cae3793a78d13b4d746307

SHA512
2472b47149dbc7f8761366eefd656dbb7d12d4aa23b4ba38d68c209ba0f8343e316c82278d26473f9bbb0b40a8afb2a98852f2b4ecad274e0b0a6b8cea75f173

Download Submit
C:\Users\Public\Pictures\RuntimeBroker.exe

Filesize
1.7MB

MD5
7c12d48df8f08a95701197c514269a50

SHA1
4f99360c54ad2cce0afe14ddb37697f6777795c8

SHA256
6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

SHA512
37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d

Download Submit
memory/1204-6-0x0000000002C10000-0x0000000002C2C000-memory.dmp

Filesize
112KB

Download
memory/1204-24-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-4-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-0-0x00007FFBF0A03000-0x00007FFBF0A05000-memory.dmp

Filesize
8KB

Download
memory/1204-7-0x000000001B670000-0x000000001B6C0000-memory.dmp

Filesize
320KB

Download
memory/1204-8-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-11-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-14-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-2-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-3-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-25-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-28-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/1204-1-0x0000000000930000-0x0000000000AE2000-memory.dmp

Filesize
1.7MB

Download
memory/3932-33-0x00007FFBF0380000-0x00007FFBF0E41000-memory.dmp

Filesize
10.8MB

Download
memory/3932-34-0x00007FFBF0380000-0x00007FFBF0E41000-memory.dmp

Filesize
10.8MB

Download
memory/3932-35-0x00007FFBF0380000-0x00007FFBF0E41000-memory.dmp

Filesize
10.8MB

Download
memory/3932-37-0x00007FFBF0380000-0x00007FFBF0E41000-memory.dmp

Filesize
10.8MB

Download
memory/3932-38-0x00007FFBF0380000-0x00007FFBF0E41000-memory.dmp

Filesize
10.8MB

Download
memory/3932-39-0x00007FFBF0380000-0x00007FFBF0E41000-memory.dmp

Filesize
10.8MB

Download