zgrat | 64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e77c7eaf29e7cc81d6a5870545509a3.exe
Size

2.0MB
MD5

0e77c7eaf29e7cc81d6a5870545509a3
SHA1

e56496e200c3246c149b41bd826b9e762fa5e534
SHA256

64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e
SHA512

bf85986eb8b47fc7211a6b6b48121ae0de6718c73612a4059f3bf8570a47b5848a0619c056a9b55df2760f2c5e5f30ca5a19a5d091750af8ad7bb81c5f015e18
SSDEEP

49152:R6K39H/NzGjGzMErFiEntNARL3AVtsk53gEdMJ9O:R6KnjrLntNAR2tPfO

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/452-1-0x0000000000100000-0x000000000030E000-memory.dmp family_zgrat_v1
C:\Windows\Registration\RuntimeBroker.exe family_zgrat_v1
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

0e77c7eaf29e7cc81d6a5870545509a3.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation 0e77c7eaf29e7cc81d6a5870545509a3.exe
Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

2792 RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

resource	yara_rule
behavioral2/memory/452-1-0x0000000000100000-0x000000000030E000-memory.dmp	family_zgrat_v1
C:\Windows\Registration\RuntimeBroker.exe	family_zgrat_v1

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	0e77c7eaf29e7cc81d6a5870545509a3.exe

pid	process
2792	RuntimeBroker.exe

Drops file in Program Files directory 2 IoCs

Processes:

0e77c7eaf29e7cc81d6a5870545509a3.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\56085415360792	0e77c7eaf29e7cc81d6a5870545509a3.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe	0e77c7eaf29e7cc81d6a5870545509a3.exe

Drops file in Windows directory 5 IoCs

Processes:

0e77c7eaf29e7cc81d6a5870545509a3.exe

description	ioc	process
File created	C:\Windows\Logs\NetSetup\smss.exe	0e77c7eaf29e7cc81d6a5870545509a3.exe
File created	C:\Windows\Logs\NetSetup\69ddcba757bf72	0e77c7eaf29e7cc81d6a5870545509a3.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\RuntimeBroker.exe	0e77c7eaf29e7cc81d6a5870545509a3.exe
File created	C:\Windows\Registration\RuntimeBroker.exe	0e77c7eaf29e7cc81d6a5870545509a3.exe
File created	C:\Windows\Registration\9e8d7a4ca61bd9	0e77c7eaf29e7cc81d6a5870545509a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

0e77c7eaf29e7cc81d6a5870545509a3.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings 0e77c7eaf29e7cc81d6a5870545509a3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	0e77c7eaf29e7cc81d6a5870545509a3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0e77c7eaf29e7cc81d6a5870545509a3.exe

pid	process
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe
452	0e77c7eaf29e7cc81d6a5870545509a3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RuntimeBroker.exe

pid process

2792 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0e77c7eaf29e7cc81d6a5870545509a3.exeRuntimeBroker.exe

description pid process

Token: SeDebugPrivilege 452 0e77c7eaf29e7cc81d6a5870545509a3.exe
Token: SeDebugPrivilege 2792 RuntimeBroker.exe

pid	process
2792	RuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	452	0e77c7eaf29e7cc81d6a5870545509a3.exe
Token: SeDebugPrivilege	2792	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0e77c7eaf29e7cc81d6a5870545509a3.execmd.exe

description	pid	process	target process
PID 452 wrote to memory of 2980	452	0e77c7eaf29e7cc81d6a5870545509a3.exe	cmd.exe
PID 452 wrote to memory of 2980	452	0e77c7eaf29e7cc81d6a5870545509a3.exe	cmd.exe
PID 2980 wrote to memory of 4184	2980	cmd.exe	chcp.com
PID 2980 wrote to memory of 4184	2980	cmd.exe	chcp.com
PID 2980 wrote to memory of 2312	2980	cmd.exe	w32tm.exe
PID 2980 wrote to memory of 2312	2980	cmd.exe	w32tm.exe
PID 2980 wrote to memory of 2792	2980	cmd.exe	RuntimeBroker.exe
PID 2980 wrote to memory of 2792	2980	cmd.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\0e77c7eaf29e7cc81d6a5870545509a3.exe
"C:\Users\Admin\AppData\Local\Temp\0e77c7eaf29e7cc81d6a5870545509a3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KMLwiImDmk.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:4184

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2312

C:\Recovery\WindowsRE\RuntimeBroker.exe
"C:\Recovery\WindowsRE\RuntimeBroker.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KMLwiImDmk.bat
Filesize
215B

MD5
e712ee35d679c412149df1720a419353

SHA1
ecefef3b21625d17dc50948f6db94e1cf6fa5d5a

SHA256
89e57be4649ac3702d1076a4b56c10706cdaa00a79cc06c44a05c66002503f84

SHA512
4d4d39a727e6d9fbc02b122c5dceb510b0887c793e8a8b35dbd4b13f2ee0332120c8448c2ec3d7bc6f41a7904b6cc12914bc8f283a3b9a3d94ef5d13852f1d28

Download Submit
C:\Windows\Registration\RuntimeBroker.exe
Filesize
2.0MB

MD5
0e77c7eaf29e7cc81d6a5870545509a3

SHA1
e56496e200c3246c149b41bd826b9e762fa5e534

SHA256
64839df979829a8230b50891466a04e1d428f70d928205709668205669115a5e

SHA512
bf85986eb8b47fc7211a6b6b48121ae0de6718c73612a4059f3bf8570a47b5848a0619c056a9b55df2760f2c5e5f30ca5a19a5d091750af8ad7bb81c5f015e18

Download Submit
memory/452-10-0x0000000002390000-0x000000000239E000-memory.dmp

Filesize
56KB

Download
memory/452-18-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/452-4-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-6-0x000000001AE20000-0x000000001AE46000-memory.dmp

Filesize
152KB

Download
memory/452-7-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-8-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-13-0x000000001AF80000-0x000000001AF9C000-memory.dmp

Filesize
112KB

Download
memory/452-11-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-1-0x0000000000100000-0x000000000030E000-memory.dmp

Filesize
2.1MB

Download
memory/452-14-0x000000001B430000-0x000000001B480000-memory.dmp

Filesize
320KB

Download
memory/452-16-0x000000001AFA0000-0x000000001AFB8000-memory.dmp

Filesize
96KB

Download
memory/452-3-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-19-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-21-0x000000001AF60000-0x000000001AF6C000-memory.dmp

Filesize
48KB

Download
memory/452-22-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-2-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-37-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-41-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-40-0x00007FFA34030000-0x00007FFA34AF1000-memory.dmp

Filesize
10.8MB

Download
memory/452-0-0x00007FFA34033000-0x00007FFA34035000-memory.dmp

Filesize
8KB

Download
memory/2792-52-0x000000001BF80000-0x000000001BFEB000-memory.dmp

Filesize
428KB

Download