zgrat | 3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243

Analysis

max time kernel
114s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe
Size

308KB
MD5

1ee185cb3b4f78f2a24e61798952178b
SHA1

8049b95b5250bad311950a218de4b9727e8f4579
SHA256

3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243
SHA512

d16938efe9ec9936266e9c37b9c85b5f26cdfc66cc9c552186c3973ebed1c7e9f0f9f380f39cc113c03e7983dd9188a5e7292115748d78953101cfd359f0a93f
SSDEEP

3072:iOvQ/IaGuDfIeqpMTxV/wP8rjAILNnCDDRvLGmrOAOkGt6+duWA/t/SHUebbxCbO:FQIZe+MFVXx9stvLGtELbMUTKZ1H

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1580-3-0x00000000078C0000-0x0000000007AF6000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-15-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-31-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-33-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-35-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-53-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-55-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-51-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-49-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-47-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-45-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-43-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-41-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-39-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-37-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-29-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-27-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-23-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-21-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-19-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-17-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-25-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-13-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-11-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-9-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-7-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-6-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-57-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-67-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-63-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-69-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-65-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-61-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1580-59-0x00000000078C0000-0x0000000007AF0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\savef = "C:\\Users\\Admin\\AppData\\Roaming\\savef.exe"	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe

description pid process target process

PID 1580 set thread context of 3660 1580 3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe RegAsm.exe

description	pid	process	target process
PID 1580 set thread context of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe

description	pid	process
Token: SeDebugPrivilege	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe
Token: SeDebugPrivilege	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe

description	pid	process	target process
PID 1580 wrote to memory of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe
PID 1580 wrote to memory of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe
PID 1580 wrote to memory of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe
PID 1580 wrote to memory of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe
PID 1580 wrote to memory of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe
PID 1580 wrote to memory of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe
PID 1580 wrote to memory of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe
PID 1580 wrote to memory of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe
PID 1580 wrote to memory of 3660	1580	3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe
"C:\Users\Admin\AppData\Local\Temp\3d75eede311931faf4dc46008199f7dc49a42237388ac8471c3a5a07432fb243.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-0-0x000000007532E000-0x000000007532F000-memory.dmp

Filesize
4KB

Download
memory/1580-1-0x0000000000C50000-0x0000000000CA0000-memory.dmp

Filesize
320KB

Download
memory/1580-2-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/1580-3-0x00000000078C0000-0x0000000007AF6000-memory.dmp

Filesize
2.2MB

Download
memory/1580-4-0x00000000080A0000-0x0000000008644000-memory.dmp

Filesize
5.6MB

Download
memory/1580-5-0x0000000007B90000-0x0000000007C22000-memory.dmp

Filesize
584KB

Download
memory/1580-15-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-31-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-33-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-35-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-53-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-55-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-51-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-49-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-47-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-45-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-43-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-41-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-39-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-37-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-29-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-27-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-23-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-21-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-19-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-17-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-25-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-13-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-11-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-9-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-7-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-6-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-57-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-67-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-63-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-69-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-65-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-61-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-59-0x00000000078C0000-0x0000000007AF0000-memory.dmp

Filesize
2.2MB

Download
memory/1580-4886-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/1580-4888-0x0000000006450000-0x000000000649C000-memory.dmp

Filesize
304KB

Download
memory/1580-4887-0x00000000063C0000-0x0000000006432000-memory.dmp

Filesize
456KB

Download
memory/1580-4889-0x000000007532E000-0x000000007532F000-memory.dmp

Filesize
4KB

Download
memory/1580-4890-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/1580-4891-0x00000000064B0000-0x0000000006504000-memory.dmp

Filesize
336KB

Download
memory/1580-4898-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download