zgrat | 0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201

General

Target

0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe
Size

728KB
MD5

757ab1271ec61441cfda6aa5bb8e58fa
SHA1

a0b4f93b4926fc1d77e20c9c705e05c6606b7aac
SHA256

0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201
SHA512

dd07566fe433ffb1bff8c4b6c27174e4660e6f70369051e809b11af211dbaf6bba285d8403663f2d8dd72463d8017b3646d5fb5c704ad1866ca10af41d2b325b
SSDEEP

12288:eorh5aElioPvWRJyYBN2wxaVkse5m5+VojHf:5t3WR0YB8wxaVkseg8o/

Score

10^/10

zgrat defense_evasion discovery privilege_escalation rat

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral1/memory/1604-4-0x0000000000790000-0x00000000007E6000-memory.dmp	family_zgrat_v2

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Zgrat family
zgrat

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x0004000000004ed7-8.dat	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
2064	AdvancedRun.exe
844	AdvancedRun.exe
328	AdvancedRun.exe
2228	AdvancedRun.exe

Loads dropped DLL 8 IoCs

pid	Process
1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe
1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe
2064	AdvancedRun.exe
2064	AdvancedRun.exe
1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe
1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe
328	AdvancedRun.exe
328	AdvancedRun.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2064	AdvancedRun.exe
328	AdvancedRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	1604	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2064	AdvancedRun.exe
2064	AdvancedRun.exe
844	AdvancedRun.exe
844	AdvancedRun.exe
328	AdvancedRun.exe
328	AdvancedRun.exe
2228	AdvancedRun.exe
2228	AdvancedRun.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe
Token: SeDebugPrivilege	2064	AdvancedRun.exe
Token: SeImpersonatePrivilege	2064	AdvancedRun.exe
Token: SeDebugPrivilege	844	AdvancedRun.exe
Token: SeImpersonatePrivilege	844	AdvancedRun.exe
Token: SeDebugPrivilege	328	AdvancedRun.exe
Token: SeImpersonatePrivilege	328	AdvancedRun.exe
Token: SeDebugPrivilege	2228	AdvancedRun.exe
Token: SeImpersonatePrivilege	2228	AdvancedRun.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2064	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	31
PID 1604 wrote to memory of 2064	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	31
PID 1604 wrote to memory of 2064	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	31
PID 1604 wrote to memory of 2064	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	31
PID 2064 wrote to memory of 844	2064	AdvancedRun.exe	32
PID 2064 wrote to memory of 844	2064	AdvancedRun.exe	32
PID 2064 wrote to memory of 844	2064	AdvancedRun.exe	32
PID 2064 wrote to memory of 844	2064	AdvancedRun.exe	32
PID 1604 wrote to memory of 328	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	33
PID 1604 wrote to memory of 328	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	33
PID 1604 wrote to memory of 328	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	33
PID 1604 wrote to memory of 328	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	33
PID 328 wrote to memory of 2228	328	AdvancedRun.exe	34
PID 328 wrote to memory of 2228	328	AdvancedRun.exe	34
PID 328 wrote to memory of 2228	328	AdvancedRun.exe	34
PID 328 wrote to memory of 2228	328	AdvancedRun.exe	34
PID 1604 wrote to memory of 2148	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	35
PID 1604 wrote to memory of 2148	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	35
PID 1604 wrote to memory of 2148	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	35
PID 1604 wrote to memory of 2148	1604	0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe	35

C:\Users\Admin\AppData\Local\Temp\0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe
"C:\Users\Admin\AppData\Local\Temp\0310539fe235574543f2e741ec52c1e57b19de25078e0959fe3d6d49cc037201.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2064
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:328
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 328
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 768
  2⤵
  - Program crash
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Defense Evasion

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/1604-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/1604-1-0x0000000001050000-0x000000000110C000-memory.dmp

Filesize
752KB

Download
memory/1604-2-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-3-0x0000000000530000-0x000000000057C000-memory.dmp

Filesize
304KB

Download
memory/1604-4-0x0000000000790000-0x00000000007E6000-memory.dmp

Filesize
344KB

Download
memory/1604-5-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-6-0x0000000000C60000-0x0000000000C70000-memory.dmp

Filesize
64KB

Download
memory/1604-25-0x0000000074B90000-0x000000007527E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads