zgrat | 0dc7d8248f6ce6c32678640c7451424cd02ceb26b53123d05998e48cce556b04

Analysis

max time kernel
142s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccd934c7dd80e3c5281f6912e8e5923e.exe
Size

3.4MB
MD5

ccd934c7dd80e3c5281f6912e8e5923e
SHA1

8312f5101416a5a740a1de07882c662624c16b40
SHA256

0dc7d8248f6ce6c32678640c7451424cd02ceb26b53123d05998e48cce556b04
SHA512

ffec04a0e8d23eaf845a79d32fe0ddd68421c4b4e5103c7081d204b66ab6740c2960797164769c9a65971c257638d4ea4db84a43efaa8ca77145a360e969da88
SSDEEP

98304:yIk/dVyE8L2EQLuGKR70la1O9g5Ws4/ITyH29hH:rk1MPL5QLE7Qa09g+IT9

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 9 IoCs

resource	yara_rule
behavioral1/files/0x000900000001210a-9.dat	family_zgrat_v1
behavioral1/files/0x000900000001210a-12.dat	family_zgrat_v1
behavioral1/files/0x000900000001210a-11.dat	family_zgrat_v1
behavioral1/files/0x000900000001210a-10.dat	family_zgrat_v1
behavioral1/memory/2812-13-0x0000000001090000-0x0000000001424000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00080000000162e0-88.dat	family_zgrat_v1
behavioral1/files/0x0031000000015ce2-113.dat	family_zgrat_v1
behavioral1/files/0x0031000000015ce2-112.dat	family_zgrat_v1
behavioral1/memory/1572-114-0x00000000010F0000-0x0000000001484000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\audiodg.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\audiodg.exe\", \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\sppsvc.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\audiodg.exe\", \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\services.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\audiodg.exe\", \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\services.exe\", \"C:\\Windows\\Vss\\Writers\\System\\sppsvc.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\audiodg.exe\", \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\services.exe\", \"C:\\Windows\\Vss\\Writers\\System\\sppsvc.exe\", \"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\wininit.exe\""	agentServerComponent.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1068	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1068	schtasks.exe	32

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
2812	agentServerComponent.exe
1572	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2728	cmd.exe
2728	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\audiodg.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\wininit.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Vss\\Writers\\System\\sppsvc.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Vss\\Writers\\System\\sppsvc.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\wininit.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\audiodg.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\sppsvc.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\\sppsvc.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\services.exe\""	agentServerComponent.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\services.exe\""	agentServerComponent.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\jekupp.exe	csc.exe
File created	\??\c:\Windows\System32\CSCE2DB4BAD1407464583D93E4862381E4.TMP	csc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\System\0a1fd5f707cd16	agentServerComponent.exe
File created	C:\Windows\Vss\Writers\System\sppsvc.exe	agentServerComponent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1288	schtasks.exe
1668	schtasks.exe
2700	schtasks.exe
2848	schtasks.exe
1496	schtasks.exe
1060	schtasks.exe
1648	schtasks.exe
1300	schtasks.exe
2364	schtasks.exe
2596	schtasks.exe
2600	schtasks.exe
2588	schtasks.exe
2284	schtasks.exe
2040	schtasks.exe
2244	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1812	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe
2812	agentServerComponent.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1572	audiodg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	agentServerComponent.exe
Token: SeDebugPrivilege	1572	audiodg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1572	audiodg.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 1736	1292	ccd934c7dd80e3c5281f6912e8e5923e.exe	28
PID 1292 wrote to memory of 1736	1292	ccd934c7dd80e3c5281f6912e8e5923e.exe	28
PID 1292 wrote to memory of 1736	1292	ccd934c7dd80e3c5281f6912e8e5923e.exe	28
PID 1292 wrote to memory of 1736	1292	ccd934c7dd80e3c5281f6912e8e5923e.exe	28
PID 1736 wrote to memory of 2728	1736	WScript.exe	29
PID 1736 wrote to memory of 2728	1736	WScript.exe	29
PID 1736 wrote to memory of 2728	1736	WScript.exe	29
PID 1736 wrote to memory of 2728	1736	WScript.exe	29
PID 2728 wrote to memory of 2812	2728	cmd.exe	31
PID 2728 wrote to memory of 2812	2728	cmd.exe	31
PID 2728 wrote to memory of 2812	2728	cmd.exe	31
PID 2728 wrote to memory of 2812	2728	cmd.exe	31
PID 2812 wrote to memory of 1716	2812	agentServerComponent.exe	36
PID 2812 wrote to memory of 1716	2812	agentServerComponent.exe	36
PID 2812 wrote to memory of 1716	2812	agentServerComponent.exe	36
PID 1716 wrote to memory of 2248	1716	csc.exe	38
PID 1716 wrote to memory of 2248	1716	csc.exe	38
PID 1716 wrote to memory of 2248	1716	csc.exe	38
PID 2812 wrote to memory of 1660	2812	agentServerComponent.exe	51
PID 2812 wrote to memory of 1660	2812	agentServerComponent.exe	51
PID 2812 wrote to memory of 1660	2812	agentServerComponent.exe	51
PID 1660 wrote to memory of 2976	1660	cmd.exe	53
PID 1660 wrote to memory of 2976	1660	cmd.exe	53
PID 1660 wrote to memory of 2976	1660	cmd.exe	53
PID 1660 wrote to memory of 1812	1660	cmd.exe	54
PID 1660 wrote to memory of 1812	1660	cmd.exe	54
PID 1660 wrote to memory of 1812	1660	cmd.exe	54
PID 1660 wrote to memory of 1572	1660	cmd.exe	55
PID 1660 wrote to memory of 1572	1660	cmd.exe	55
PID 1660 wrote to memory of 1572	1660	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ccd934c7dd80e3c5281f6912e8e5923e.exe
"C:\Users\Admin\AppData\Local\Temp\ccd934c7dd80e3c5281f6912e8e5923e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe
      "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet/agentServerComponent.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yrzdqvq3\yrzdqvq3.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81AE.tmp" "c:\Windows\System32\CSCE2DB4BAD1407464583D93E4862381E4.TMP"
        6⤵
        
        PID:2248
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGIk6cJu4x.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2976
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1812
      - C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe
        
        "C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\System\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\System\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Recovery\51eff5a2-489a-11ee-a5ee-62b3d3f2749b\audiodg.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES81AE.tmp

Filesize
1KB

MD5
719a1966967eda2a8f8f39761a87ac45

SHA1
50599e0b93224b79da136dd992a1949f2c442943

SHA256
7ed1f5553ab099c446e9e907f86f0d532e05c96c2d49b7e6ce1ee9849ffe80fb

SHA512
4a153527a7dbb7e577d67925598059166c9283bce7f94aaeb215e6724a01a9f408d4c87655affb8ccfbdd90625e01450fbb9cdb6722e112019bd2964c9bb1e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGIk6cJu4x.bat

Filesize
188B

MD5
264e6d6371b106206dcca1b460d90152

SHA1
8c3fb7852ba66132a9e7e2b3b6c3606847818c3c

SHA256
8da1e721396ab5f945671b3c4201561c0ae9f40a72f3ad6529b3b65401c28547

SHA512
7b3c67003b5d2d5b8357af4d0584d7f3a7936faf5cbe3879cd796a2c3d2d9399c2cc7ecb6f074a52eb511d69541c848b8b99c6b60c95a9d97c7f47d88dcf7328

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat

Filesize
93B

MD5
b32388f95a1ac97cfca0a1a41c47604d

SHA1
568a535fd5a9175f4ed27c6716d65f917ca893df

SHA256
49d7bc2b118c854658c90b0fa9c47de42eb9f2426833e86b049bb33733bea5b9

SHA512
bcd9531dfd247542633c9cecacf1a46c7be70173a2ed6845386bd567ea7cb0c49aec4d3ed315ee80aaabd3ca96cee0c6e762e42d85b74b59793a4d766b83edc5

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe

Filesize
211B

MD5
4d658105afcc52322262e2c793a8083a

SHA1
c81a04e2cf3ce5cdeab1c54673d9f9bdf646c43d

SHA256
e6ff322411e42d01aeb523e70b1fa1023d5427e1c6eed2d19a8b2eaa1b26acda

SHA512
a47b97494f1ca7528026adc4aabfbdc73e944e6342beb380022f0f3f72ce8b603517863cf31340068a9ee10229feca3a7e77f34644609c514b5568e49e29c7be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yrzdqvq3\yrzdqvq3.0.cs

Filesize
392B

MD5
2b26b067683fc6d1881a739d2767b06c

SHA1
a12379cf85bf4f6d43974f08528c0eb10fff6504

SHA256
8d9d4200c1a2a2c96feb3356d35f2f0d39e87de447c39f16b6e2775a37f07a0d

SHA512
25c57d10b5e4110ab4bc25d1fda71ef538bc0ea11e75a392fade32abbbe290387bb87526411ffa743ba74bd7c2740ce31867cc18f4e41f8e15a154736b1f3da7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yrzdqvq3\yrzdqvq3.cmdline

Filesize
235B

MD5
129f878f1b2462b5caad5fa58e74b522

SHA1
dd6aa0465031ea0af82a6ce93b6d541050651805

SHA256
08a1d2630b72b7f0e131e49165c0599c7dcb19b897f8cab541fe5ad5532f6279

SHA512
74e4fa32be9d439b9602ff7f19892c126c2f4ba71b1d30ed51439e9630386c38fd28b7ac12e32dbd2fdf61a42d50ac6d7408e63f14ab3670cbec94730262511a

Download Submit
\??\c:\Windows\System32\CSCE2DB4BAD1407464583D93E4862381E4.TMP

Filesize
1KB

MD5
cad45b75304b5d1eab8700ac329e0039

SHA1
f491c8b2f37bc70283b3347ed7e3858e65a2417d

SHA256
ea45cb9b790405e859c9840ab3fdd75f37253050c8c5d5aa9e3cefdd4ccf5569

SHA512
faf2649747d29c38661c2ce8beb52cfb9094e8884454320561baa6ae48fc37cfbc8ca2ee3b1565b650561968e5f6e037dbf3d60b7eee71cf1701d94b73d1b505

Download Submit
\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
memory/1572-115-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

Filesize
9.9MB

Download
memory/1572-114-0x00000000010F0000-0x0000000001484000-memory.dmp

Filesize
3.6MB

Download
memory/1572-116-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/2812-47-0x000000001B3E0000-0x000000001B460000-memory.dmp

Filesize
512KB

Download
memory/2812-59-0x0000000077010000-0x0000000077011000-memory.dmp

Filesize
4KB

Download
memory/2812-28-0x00000000770B0000-0x00000000770B1000-memory.dmp

Filesize
4KB

Download
memory/2812-27-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-31-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2812-29-0x00000000770A0000-0x00000000770A1000-memory.dmp

Filesize
4KB

Download
memory/2812-32-0x0000000077090000-0x0000000077091000-memory.dmp

Filesize
4KB

Download
memory/2812-34-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/2812-35-0x000000001B3E0000-0x000000001B460000-memory.dmp

Filesize
512KB

Download
memory/2812-38-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2812-36-0x0000000077080000-0x0000000077081000-memory.dmp

Filesize
4KB

Download
memory/2812-39-0x0000000077070000-0x0000000077071000-memory.dmp

Filesize
4KB

Download
memory/2812-41-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/2812-42-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/2812-44-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/2812-24-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2812-48-0x0000000077050000-0x0000000077051000-memory.dmp

Filesize
4KB

Download
memory/2812-46-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/2812-49-0x0000000077040000-0x0000000077041000-memory.dmp

Filesize
4KB

Download
memory/2812-51-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/2812-53-0x0000000077030000-0x0000000077031000-memory.dmp

Filesize
4KB

Download
memory/2812-52-0x000000001B3E0000-0x000000001B460000-memory.dmp

Filesize
512KB

Download
memory/2812-55-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/2812-56-0x0000000077020000-0x0000000077021000-memory.dmp

Filesize
4KB

Download
memory/2812-58-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/2812-26-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/2812-61-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/2812-62-0x0000000077000000-0x0000000077001000-memory.dmp

Filesize
4KB

Download
memory/2812-64-0x0000000000A90000-0x0000000000A9E000-memory.dmp

Filesize
56KB

Download
memory/2812-65-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

Filesize
4KB

Download
memory/2812-67-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2812-68-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

Filesize
4KB

Download
memory/2812-70-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2812-71-0x0000000076FD0000-0x0000000076FD1000-memory.dmp

Filesize
4KB

Download
memory/2812-73-0x0000000000EE0000-0x0000000000F3A000-memory.dmp

Filesize
360KB

Download
memory/2812-75-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/2812-77-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/2812-79-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/2812-22-0x00000000770C0000-0x00000000770C1000-memory.dmp

Filesize
4KB

Download
memory/2812-21-0x0000000000440000-0x0000000000466000-memory.dmp

Filesize
152KB

Download
memory/2812-19-0x000000001B3E0000-0x000000001B460000-memory.dmp

Filesize
512KB

Download
memory/2812-18-0x00000000770D0000-0x00000000770D1000-memory.dmp

Filesize
4KB

Download
memory/2812-81-0x0000000000BF0000-0x0000000000C08000-memory.dmp

Filesize
96KB

Download
memory/2812-83-0x000000001B2C0000-0x000000001B30E000-memory.dmp

Filesize
312KB

Download
memory/2812-111-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-17-0x000000001B3E0000-0x000000001B460000-memory.dmp

Filesize
512KB

Download
memory/2812-16-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2812-15-0x000000001B3E0000-0x000000001B460000-memory.dmp

Filesize
512KB

Download
memory/2812-14-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2812-13-0x0000000001090000-0x0000000001424000-memory.dmp

Filesize
3.6MB

Download