zgrat | b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f

Analysis

max time kernel
185s
max time network
300s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
30/10/2023, 04:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe
Size

3.6MB
MD5

ae6fa9bafb66f9f7abef04452e02bc1c
SHA1

9ef051f253f58a97df773d3ab14654320191a08d
SHA256

b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f
SHA512

098dd73c9f75fd90ceb897f487d80c556456246ced0880057a317dd07c96900ab217cff500e363aa27e2debdde639f0be492ae84eabfd55846cbbf2b8cbd238c
SSDEEP

49152:IBJ7Cz5hm/qbhLLVAaM0+aSp0a+utgmvaIQLk7vsFMT2QbZCsL5A+rTpeZicE:ypCz5hvLqa3fSp0a+u6mt6cZnFDeEf

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/files/0x000800000001abec-11.dat	family_zgrat_v1
behavioral1/files/0x000800000001abec-13.dat	family_zgrat_v1
behavioral1/memory/3644-14-0x0000000000730000-0x0000000000A7A000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000600000001abf2-88.dat	family_zgrat_v1
behavioral1/files/0x001b00000001abed-116.dat	family_zgrat_v1
behavioral1/files/0x001b00000001abed-117.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\ApplicationFrameHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\ApplicationFrameHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\", \"C:\\ChainProvider\\csrss.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\ApplicationFrameHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\", \"C:\\ChainProvider\\csrss.exe\", \"C:\\Windows\\Panther\\System.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\ApplicationFrameHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\", \"C:\\ChainProvider\\csrss.exe\", \"C:\\Windows\\Panther\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\csrss.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\it-IT\\ApplicationFrameHost.exe\""	BridgeWin.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3512	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	3512	schtasks.exe	75

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
3644	BridgeWin.exe
4376	ApplicationFrameHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Panther\\System.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Panther\\System.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\jdk-1.8\\lib\\csrss.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Java\\jdk-1.8\\lib\\csrss.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Windows\CurrentVersion\Run\ApplicationFrameHost = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\ApplicationFrameHost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ApplicationFrameHost = "\"C:\\Program Files\\Windows Photo Viewer\\it-IT\\ApplicationFrameHost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ChainProvider\\csrss.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\OfficeClickToRun.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ChainProvider\\csrss.exe\""	BridgeWin.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCEDDE70DA43924B42A2B9B2995041F149.TMP	csc.exe
File created	\??\c:\Windows\System32\p0key-.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\it-IT\6dd19aba3e2428	BridgeWin.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe	BridgeWin.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\e6c9b481da804f	BridgeWin.exe
File created	C:\Program Files\Java\jdk-1.8\lib\csrss.exe	BridgeWin.exe
File created	C:\Program Files\Java\jdk-1.8\lib\886983d96e3d3e	BridgeWin.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe	BridgeWin.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe	BridgeWin.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Panther\System.exe	BridgeWin.exe
File created	C:\Windows\Panther\27d1bcfc3c54e0	BridgeWin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2500	schtasks.exe
916	schtasks.exe
1308	schtasks.exe
2904	schtasks.exe
1548	schtasks.exe
3684	schtasks.exe
2960	schtasks.exe
3716	schtasks.exe
704	schtasks.exe
4192	schtasks.exe
5012	schtasks.exe
3516	schtasks.exe
3368	schtasks.exe
4320	schtasks.exe
4804	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000_Classes\Local Settings	b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000_Classes\Local Settings	BridgeWin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe
3644	BridgeWin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4376	ApplicationFrameHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	BridgeWin.exe
Token: SeDebugPrivilege	4376	ApplicationFrameHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4376	ApplicationFrameHost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 4732	1484	b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe	71
PID 1484 wrote to memory of 4732	1484	b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe	71
PID 1484 wrote to memory of 4732	1484	b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe	71
PID 4732 wrote to memory of 4396	4732	WScript.exe	72
PID 4732 wrote to memory of 4396	4732	WScript.exe	72
PID 4732 wrote to memory of 4396	4732	WScript.exe	72
PID 4396 wrote to memory of 3644	4396	cmd.exe	74
PID 4396 wrote to memory of 3644	4396	cmd.exe	74
PID 3644 wrote to memory of 3692	3644	BridgeWin.exe	79
PID 3644 wrote to memory of 3692	3644	BridgeWin.exe	79
PID 3692 wrote to memory of 1800	3692	csc.exe	81
PID 3692 wrote to memory of 1800	3692	csc.exe	81
PID 3644 wrote to memory of 4416	3644	BridgeWin.exe	94
PID 3644 wrote to memory of 4416	3644	BridgeWin.exe	94
PID 4416 wrote to memory of 1048	4416	cmd.exe	96
PID 4416 wrote to memory of 1048	4416	cmd.exe	96
PID 4416 wrote to memory of 4684	4416	cmd.exe	97
PID 4416 wrote to memory of 4684	4416	cmd.exe	97
PID 4416 wrote to memory of 4376	4416	cmd.exe	98
PID 4416 wrote to memory of 4376	4416	cmd.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe
"C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ChainProvider\jpxBqgIRsq2SLG1PgyDmjdYOwbC.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ChainProvider\Ue6DPbuBmrgvvM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\ChainProvider\BridgeWin.exe
      "C:\ChainProvider/BridgeWin.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pgew5z1h\pgew5z1h.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9527.tmp" "c:\Windows\System32\CSCEDDE70DA43924B42A2B9B2995041F149.TMP"
        6⤵
        
        PID:1800
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LCuhv5CJdW.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1048
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4684
      - C:\Program Files\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\ChainProvider\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ChainProvider\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\ChainProvider\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Panther\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\lib\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk-1.8\lib\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainProvider\BridgeWin.exe

Filesize
3.3MB

MD5
08efce1648b0191ab668a92693f404d2

SHA1
8e0e2293ac8a05c4ead1db9f35131814af0f0838

SHA256
4a9ccd37881052fa211713f88560e534684dc38bf54869b89e044f1606924191

SHA512
86a7f9f8dd555408de32ebbc43825da2d01bdf1504d0ccd7d087195586f0276726444c11b1e6cc5c4c2bb7aaf3e7ec1ccd885ded7168b2f800c42aa012169186

Download Submit
C:\ChainProvider\BridgeWin.exe

Filesize
3.3MB

MD5
08efce1648b0191ab668a92693f404d2

SHA1
8e0e2293ac8a05c4ead1db9f35131814af0f0838

SHA256
4a9ccd37881052fa211713f88560e534684dc38bf54869b89e044f1606924191

SHA512
86a7f9f8dd555408de32ebbc43825da2d01bdf1504d0ccd7d087195586f0276726444c11b1e6cc5c4c2bb7aaf3e7ec1ccd885ded7168b2f800c42aa012169186

Download Submit
C:\ChainProvider\Ue6DPbuBmrgvvM.bat

Filesize
65B

MD5
6c93675d5528de536918490f2a030831

SHA1
ea764eee1b3bde0450319ef30b2433a9a46d4186

SHA256
0fef681907e2cf1e93b3ed1f68439901833d5ada3c70aa374e024560bfc86d64

SHA512
c935abd4d5390841784dee4edb8941b26a7fb5091b6d38e329959e70626fa19bb600d957456f079a95ab6ff2ba2f5059ae4ecfebe360d18aaf1ad61edccd6679

Download Submit
C:\ChainProvider\jpxBqgIRsq2SLG1PgyDmjdYOwbC.vbe

Filesize
206B

MD5
55e5be814935518dd671f62280d31bf7

SHA1
5b2fe2c2bc5b928a1225cf5b01c05dba98384812

SHA256
4e6b3324992136821adcecafa68aa60e1ec41664737ed1a75e96de82c3abd979

SHA512
873f644b249cebdf2a666e30eb1c06b8e276a5311d72f7c17af7fdad5ff767577c1a1cc2b9d9d84bfee28898e179356aa334aa29596a57549770f737c3d555b0

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\OfficeClickToRun.exe

Filesize
3.3MB

MD5
08efce1648b0191ab668a92693f404d2

SHA1
8e0e2293ac8a05c4ead1db9f35131814af0f0838

SHA256
4a9ccd37881052fa211713f88560e534684dc38bf54869b89e044f1606924191

SHA512
86a7f9f8dd555408de32ebbc43825da2d01bdf1504d0ccd7d087195586f0276726444c11b1e6cc5c4c2bb7aaf3e7ec1ccd885ded7168b2f800c42aa012169186

Download Submit
C:\Program Files\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe

Filesize
3.3MB

MD5
08efce1648b0191ab668a92693f404d2

SHA1
8e0e2293ac8a05c4ead1db9f35131814af0f0838

SHA256
4a9ccd37881052fa211713f88560e534684dc38bf54869b89e044f1606924191

SHA512
86a7f9f8dd555408de32ebbc43825da2d01bdf1504d0ccd7d087195586f0276726444c11b1e6cc5c4c2bb7aaf3e7ec1ccd885ded7168b2f800c42aa012169186

Download Submit
C:\Program Files\Windows Photo Viewer\it-IT\ApplicationFrameHost.exe

Filesize
3.3MB

MD5
08efce1648b0191ab668a92693f404d2

SHA1
8e0e2293ac8a05c4ead1db9f35131814af0f0838

SHA256
4a9ccd37881052fa211713f88560e534684dc38bf54869b89e044f1606924191

SHA512
86a7f9f8dd555408de32ebbc43825da2d01bdf1504d0ccd7d087195586f0276726444c11b1e6cc5c4c2bb7aaf3e7ec1ccd885ded7168b2f800c42aa012169186

Download Submit
C:\Users\Admin\AppData\Local\Temp\LCuhv5CJdW.bat

Filesize
244B

MD5
2616825bc4d3d45d5a3134e3637a2624

SHA1
4b77d0dc3edeaa99cae46aa13cb84758bc5c14ec

SHA256
fb37ce6ba8ad5664ba5229c6f44bd23769f82381de34fcc67534a689a9808f7d

SHA512
62fc431afaad9d49d689f271f3f6778d37bcbc9e88c2d12d6c6e3ed57ce2152674d486ca6429cba2c5c29cdbd61d0966ff4654409b6d53b3ec87be3eef2aed4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9527.tmp

Filesize
1KB

MD5
47068fa831278bbeeeefac6639eda61a

SHA1
207edf2588c14e0c8364c95433d05b653ea25c09

SHA256
fa4c062998fab14d0924e6f97df06464be6a42e18ffef190b2d80b86c286f761

SHA512
559b1b213703f541dd31b217d11e3ccdbbdcb93601cb8450cc6c6e7746ffd761c26c281e1d093dde09f4d474fee2d6810a6700ce99c87af35665e95106b2f0b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pgew5z1h\pgew5z1h.0.cs

Filesize
400B

MD5
4381b851ba0068426d4c9f1f4c083bdf

SHA1
68c1e67bbade8b051adbd5f15afb15f127b08a97

SHA256
a25c3b2f30364c790267e57119bfc83ace97059f0f9f6938dd5623d799cd3adf

SHA512
e458073115a42830202c5ffb7e755aacad8e9c55d7add1740fb85cc07bd04bfe8c193b6676c2aeada8347140d7817f5792c3b5cbff57453fcdd7799f553130f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pgew5z1h\pgew5z1h.cmdline

Filesize
235B

MD5
a4f41d274338645a6a8e1d519aa0ea8c

SHA1
53adc2979ea74e1328f8dad94ff16a1a28b6f4c6

SHA256
d50372eb41603fead08cd40c4f99021c3d868c6645fd74395648ce54f4de3c91

SHA512
72203469db3b05d983cac01ad8feb90a9fe91a91c9a68244a626ee50f3cc25046deb246408ccd8d519c03de46bec2d2c558f5a398be5084c70d9982ce8b66bed

Download Submit
\??\c:\Windows\System32\CSCEDDE70DA43924B42A2B9B2995041F149.TMP

Filesize
1KB

MD5
96290f4ecff32a0c9d864a1e85a40619

SHA1
adb84ba415413e867007033314ffc8b85af09e41

SHA256
2a1fe0a7c9c85af33d339e0952da3fc35675e0efd145b7e9ab44e527b69ed7a5

SHA512
3472a2e280ee013e0e4ea6f075c5251c69a355d2eb3a506d2d217e3c8aeedd547e9e2e8c85aace774d9cd46d7b3dfddfce0430a477c936ad1a6f0a9d98e93023

Download Submit
memory/3644-36-0x00007FFA0A750000-0x00007FFA0A751000-memory.dmp

Filesize
4KB

Download
memory/3644-67-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/3644-26-0x000000001B800000-0x000000001B850000-memory.dmp

Filesize
320KB

Download
memory/3644-27-0x00007FFA0A770000-0x00007FFA0A771000-memory.dmp

Filesize
4KB

Download
memory/3644-29-0x000000001B7B0000-0x000000001B7C8000-memory.dmp

Filesize
96KB

Download
memory/3644-31-0x00000000013A0000-0x00000000013B0000-memory.dmp

Filesize
64KB

Download
memory/3644-32-0x00007FF9FAA80000-0x00007FF9FB46C000-memory.dmp

Filesize
9.9MB

Download
memory/3644-23-0x00007FFA0A780000-0x00007FFA0A781000-memory.dmp

Filesize
4KB

Download
memory/3644-35-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/3644-37-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/3644-33-0x00007FFA0A760000-0x00007FFA0A761000-memory.dmp

Filesize
4KB

Download
memory/3644-38-0x00007FFA0A740000-0x00007FFA0A741000-memory.dmp

Filesize
4KB

Download
memory/3644-40-0x0000000001400000-0x000000000140E000-memory.dmp

Filesize
56KB

Download
memory/3644-41-0x00007FFA0A690000-0x00007FFA0A691000-memory.dmp

Filesize
4KB

Download
memory/3644-43-0x000000001B7D0000-0x000000001B7DE000-memory.dmp

Filesize
56KB

Download
memory/3644-44-0x00007FFA0A680000-0x00007FFA0A681000-memory.dmp

Filesize
4KB

Download
memory/3644-46-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

Filesize
56KB

Download
memory/3644-47-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/3644-48-0x00007FFA0A670000-0x00007FFA0A671000-memory.dmp

Filesize
4KB

Download
memory/3644-50-0x000000001B870000-0x000000001B882000-memory.dmp

Filesize
72KB

Download
memory/3644-51-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/3644-52-0x00007FFA0A660000-0x00007FFA0A661000-memory.dmp

Filesize
4KB

Download
memory/3644-54-0x000000001B7F0000-0x000000001B800000-memory.dmp

Filesize
64KB

Download
memory/3644-55-0x00007FFA0A650000-0x00007FFA0A651000-memory.dmp

Filesize
4KB

Download
memory/3644-57-0x000000001B9A0000-0x000000001B9B6000-memory.dmp

Filesize
88KB

Download
memory/3644-58-0x00007FFA0A640000-0x00007FFA0A641000-memory.dmp

Filesize
4KB

Download
memory/3644-60-0x000000001B9C0000-0x000000001B9D2000-memory.dmp

Filesize
72KB

Download
memory/3644-61-0x000000001BF10000-0x000000001C436000-memory.dmp

Filesize
5.1MB

Download
memory/3644-62-0x00007FFA0A630000-0x00007FFA0A631000-memory.dmp

Filesize
4KB

Download
memory/3644-64-0x000000001B850000-0x000000001B85C000-memory.dmp

Filesize
48KB

Download
memory/3644-65-0x00007FFA0A620000-0x00007FFA0A621000-memory.dmp

Filesize
4KB

Download
memory/3644-25-0x0000000001410000-0x000000000142C000-memory.dmp

Filesize
112KB

Download
memory/3644-68-0x00007FFA0A610000-0x00007FFA0A611000-memory.dmp

Filesize
4KB

Download
memory/3644-70-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/3644-71-0x00007FFA0A600000-0x00007FFA0A601000-memory.dmp

Filesize
4KB

Download
memory/3644-73-0x000000001BA50000-0x000000001BAAA000-memory.dmp

Filesize
360KB

Download
memory/3644-74-0x00007FFA0A5F0000-0x00007FFA0A5F1000-memory.dmp

Filesize
4KB

Download
memory/3644-76-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/3644-77-0x00007FFA0A5E0000-0x00007FFA0A5E1000-memory.dmp

Filesize
4KB

Download
memory/3644-79-0x000000001BA00000-0x000000001BA0E000-memory.dmp

Filesize
56KB

Download
memory/3644-80-0x00007FFA0A5D0000-0x00007FFA0A5D1000-memory.dmp

Filesize
4KB

Download
memory/3644-82-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/3644-83-0x00007FFA0A5C0000-0x00007FFA0A5C1000-memory.dmp

Filesize
4KB

Download
memory/3644-85-0x000000001BB00000-0x000000001BB4E000-memory.dmp

Filesize
312KB

Download
memory/3644-22-0x0000000001390000-0x000000000139E000-memory.dmp

Filesize
56KB

Download
memory/3644-20-0x00007FFA0A790000-0x00007FFA0A791000-memory.dmp

Filesize
4KB

Download
memory/3644-19-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/3644-18-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/3644-16-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/3644-113-0x00007FF9FAA80000-0x00007FF9FB46C000-memory.dmp

Filesize
9.9MB

Download
memory/3644-17-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/3644-15-0x00007FF9FAA80000-0x00007FF9FB46C000-memory.dmp

Filesize
9.9MB

Download
memory/3644-14-0x0000000000730000-0x0000000000A7A000-memory.dmp

Filesize
3.3MB

Download
memory/4376-118-0x00007FF9FAA80000-0x00007FF9FB46C000-memory.dmp

Filesize
9.9MB

Download
memory/4376-119-0x000000001B410000-0x000000001B420000-memory.dmp

Filesize
64KB

Download
memory/4376-120-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4376-121-0x000000001B410000-0x000000001B420000-memory.dmp

Filesize
64KB

Download
memory/4376-122-0x000000001B410000-0x000000001B420000-memory.dmp

Filesize
64KB

Download
memory/4376-124-0x00007FFA0A790000-0x00007FFA0A791000-memory.dmp

Filesize
4KB

Download
memory/4376-125-0x00007FFA0A780000-0x00007FFA0A781000-memory.dmp

Filesize
4KB

Download
memory/4376-128-0x00007FFA0A770000-0x00007FFA0A771000-memory.dmp

Filesize
4KB

Download
memory/4376-130-0x00007FF9FAA80000-0x00007FF9FB46C000-memory.dmp

Filesize
9.9MB

Download
memory/4376-131-0x00007FFA0A760000-0x00007FFA0A761000-memory.dmp

Filesize
4KB

Download
memory/4376-132-0x00007FFA0A750000-0x00007FFA0A751000-memory.dmp

Filesize
4KB

Download