zgrat | 27c5032cc5ece6baf23e8f6fd333cd46d1193ea31793ce9c8b4cbd19fd1ff5bd

Analysis

max time kernel
17s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bitguard_Pro_4.4_Cracked_by_31Cracks.zip
Size

8.1MB
MD5

ae74146566d2f7a90966ed650859119f
SHA1

d7978e13772877074857d9d5fc5d46abff749863
SHA256

27c5032cc5ece6baf23e8f6fd333cd46d1193ea31793ce9c8b4cbd19fd1ff5bd
SHA512

5105cbccdd4df4cc5d1a22871c3fe05e82598069460f140f836a96630644f1a85baf0a55ec51f21f8182254b51af03302a67299909fe68f2309755e7a82ab906
SSDEEP

196608:HV5fUcEm7lBJEcWF35vsVYeSCS3/2dMT9zUmPBVvQzgW:XPEmpBJEh3Z0SCfdaRYzJ

Score

10^/10

zgrat discovery rat

Malware Config

Signatures

Detect ZGRat V2 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0009000000016df8-4.dat	family_zgrat_v2
behavioral1/memory/2260-14-0x00000000011D0000-0x0000000001450000-memory.dmp	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

Processes:

BitGuard.exe

pid	Process
2260	BitGuard.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

BitGuard.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitGuard.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

7zFM.exe

pid	Process
1728	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
1728	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	1728	7zFM.exe
Token: 35	1728	7zFM.exe
Token: SeSecurityPrivilege	1728	7zFM.exe
Token: SeSecurityPrivilege	1728	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exe

pid	Process
1728	7zFM.exe
1728	7zFM.exe
1728	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7zFM.exe

description	pid	Process	procid_target
PID 1728 wrote to memory of 2260	1728	7zFM.exe	30
PID 1728 wrote to memory of 2260	1728	7zFM.exe	30
PID 1728 wrote to memory of 2260	1728	7zFM.exe	30
PID 1728 wrote to memory of 2260	1728	7zFM.exe	30

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Bitguard_Pro_4.4_Cracked_by_31Cracks.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\7zO0C6E6B86\BitGuard.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0C6E6B86\BitGuard.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO0C6E6B86\BitGuard.exe

Filesize
2.5MB

MD5
0a03f1c39ecec04d044b661a7feb4b67

SHA1
ef7acf458e42d7a5a3d963455fb4f828c494abea

SHA256
6deee133a5f12c4705a9d3961d71b68309a6ddf4f2966733e59eaba3ae237e7d

SHA512
939b52e5a77ba415dd6bdbcedc33a6655c908bbe2d7876da02e1cfe0e30a58b794b7dc1117329d0dd62120389079e9412e9659c685497bc4ff16c9e8861bcdd1

Download Submit
memory/2260-14-0x00000000011D0000-0x0000000001450000-memory.dmp

Filesize
2.5MB

Download
memory/2260-15-0x00000000010B0000-0x00000000011D4000-memory.dmp

Filesize
1.1MB

Download
memory/2260-16-0x0000000000A00000-0x0000000000A1C000-memory.dmp

Filesize
112KB

Download