zgrat | deec2bd866af640bcaecd5357f54da87dd045c8017a8f8a76ac0068ce43eebaa

General

Target

15052024_1245_Cognex 3512C Doc.js
Size

7KB
MD5

c8b4efbf7ede4e5741be5e2ae2462b3b
SHA1

dc077b682365eef97c0ced977916fcb117743cf6
SHA256

deec2bd866af640bcaecd5357f54da87dd045c8017a8f8a76ac0068ce43eebaa
SHA512

eb98175eb0486b17ac217e5380ec771666d176fde50a3ecf416aafb2cef7b0e91ec8386417519b51f69fa381834571fbaae1f92a9baec0dc53d80515da5446d6
SSDEEP

192:pRn5hokWxcYy0AkSsDX5VF30Ver0O86+ISMquF4dOryL:fnckWx2kSsDX5P3L7+ISMq24dOryL

Score

10^/10

zgrat execution rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2832-42-0x000000001C630000-0x000000001C86E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-48-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-44-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-56-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-60-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-66-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-68-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-72-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-76-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-78-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-82-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-88-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-92-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-98-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-106-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-104-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-102-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-100-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-96-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-94-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-90-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-86-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-84-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-80-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-74-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-70-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-64-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-62-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-58-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-54-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-52-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-50-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-43-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1
behavioral1/memory/2832-46-0x000000001C630000-0x000000001C867000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 5 IoCs

Processes:

wscript.exe

flow pid process

4 2176 wscript.exe
7 2176 wscript.exe
9 2176 wscript.exe
12 2176 wscript.exe
14 2176 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

windows.exewindows.exe

pid process

2832 windows.exe
3352 windows.exe
Loads dropped DLL 1 IoCs

Processes:

wscript.exe

pid process

2176 wscript.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

windows.exe

description pid process target process

PID 2832 set thread context of 3352 2832 windows.exe windows.exe
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	2176	wscript.exe
7	2176	wscript.exe
9	2176	wscript.exe
12	2176	wscript.exe
14	2176	wscript.exe

pid	process
2832	windows.exe
3352	windows.exe

pid	process
2176	wscript.exe

description	pid	process	target process
PID 2832 set thread context of 3352	2832	windows.exe	windows.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

windows.exe

description pid process

Token: SeDebugPrivilege 2832 windows.exe
Token: SeDebugPrivilege 2832 windows.exe

description	pid	process
Token: SeDebugPrivilege	2832	windows.exe
Token: SeDebugPrivilege	2832	windows.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

wscript.exewindows.exe

description	pid	process	target process
PID 2176 wrote to memory of 2832	2176	wscript.exe	windows.exe
PID 2176 wrote to memory of 2832	2176	wscript.exe	windows.exe
PID 2176 wrote to memory of 2832	2176	wscript.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe
PID 2832 wrote to memory of 3352	2832	windows.exe	windows.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\15052024_1245_Cognex 3512C Doc.js"
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
3⤵
- Executes dropped EXE
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
\Users\Admin\AppData\Roaming\windows.exe
Filesize
4.5MB

MD5
ef0124f238734460752a0de9e85501bc

SHA1
8dcbd7b8c753329ffc4a68a4bac8c3ab5ba62dfb

SHA256
4a299f5b0de81d51e75d45e9b49e830e4230346329d9ed15197ddf1ac2853644

SHA512
6aa0476b378bf34eb274ef2b62d8cb12f2c5014cae0e02a6ffea55e4c0fd009e07f8816b23bb6ad2ed57a0a8173668ae3c24f94bcecd131348c5347510fcac3c

Download Submit
memory/2832-90-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-4928-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-42-0x000000001C630000-0x000000001C86E000-memory.dmp

Filesize
2.2MB

Download
memory/2832-48-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-44-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-56-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-60-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-66-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-68-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-72-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-76-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-78-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-82-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-88-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-92-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-98-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-106-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-104-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-102-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-100-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-96-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-94-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-4946-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-41-0x0000000001130000-0x00000000015B0000-memory.dmp

Filesize
4.5MB

Download
memory/2832-70-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-80-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-74-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-84-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-64-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-62-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-58-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-54-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-52-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-50-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-43-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-46-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-4923-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-4924-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-4925-0x0000000000E30000-0x0000000000EAA000-memory.dmp

Filesize
488KB

Download
memory/2832-4926-0x0000000000CC0000-0x0000000000D0C000-memory.dmp

Filesize
304KB

Download
memory/2832-4927-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/2832-86-0x000000001C630000-0x000000001C867000-memory.dmp

Filesize
2.2MB

Download
memory/2832-4929-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2832-4930-0x0000000000A60000-0x0000000000AB4000-memory.dmp

Filesize
336KB

Download
memory/2832-40-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/3352-4944-0x0000000140000000-0x000000014006B000-memory.dmp

Filesize
428KB

Download
memory/3352-4945-0x0000000140000000-0x000000014006B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads