zgrat | 7a6e7ce0b1d27034eb2743bb25305b2ac9a9a950b3ccbb43d5d3c5ba2d43122d

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sentinel.exe
Size

1.7MB
MD5

a991bca8b1b12edcef7ea9365083910a
SHA1

c2a87723dc3a20162e84062fd3420c07be74f56c
SHA256

7a6e7ce0b1d27034eb2743bb25305b2ac9a9a950b3ccbb43d5d3c5ba2d43122d
SHA512

edf63d41a1b2bdc5db90bbc33254a400c3ab182fd8eea530c326907208857a3a58fe5fa379934daf41423576f8b589a41541c62f302cbf04028251fe6faa7e4f
SSDEEP

24576:6Z8lPrl9NaJd9N11gdlCaGApu8Fk1VM+q2fv3BrUIQxgcEQXwBNtr91L8Cu:bPpuW7G98FkPMYv3Br6ZDStp9

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2476-3-0x0000000004980000-0x0000000004A60000-memory.dmp	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2716 2476 WerFault.exe Sentinel.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Sentinel.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sentinel.exe

pid	pid_target	process	target process
2716	2476	WerFault.exe	Sentinel.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sentinel.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	2844	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2844	AUDIODG.EXE
Token: 33	2844	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2844	AUDIODG.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Sentinel.exe

description	pid	process	target process
PID 2476 wrote to memory of 2716	2476	Sentinel.exe	WerFault.exe
PID 2476 wrote to memory of 2716	2476	Sentinel.exe	WerFault.exe
PID 2476 wrote to memory of 2716	2476	Sentinel.exe	WerFault.exe
PID 2476 wrote to memory of 2716	2476	Sentinel.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Sentinel.exe
"C:\Users\Admin\AppData\Local\Temp\Sentinel.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 872
  2⤵
  - Program crash
  PID:2716

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-0-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2476-1-0x0000000000B60000-0x0000000000D10000-memory.dmp

Filesize
1.7MB

Download
memory/2476-2-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-3-0x0000000004980000-0x0000000004A60000-memory.dmp

Filesize
896KB

Download
memory/2476-4-0x00000000047C0000-0x000000000485C000-memory.dmp

Filesize
624KB

Download
memory/2476-5-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2476-6-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2476-7-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2476-8-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2476-9-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/2476-10-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download