zgrat | 54471e79557fcf3f12279ab32be68aee2ca1cfd68e29134d0b34caf6975c3254

Analysis

max time kernel
129s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b416d08c3391ce0842d998e0d5f273.exe
Size

1.3MB
MD5

b2b416d08c3391ce0842d998e0d5f273
SHA1

b384e63d2d57c5c744d1da4e5e92faad09228ab1
SHA256

54471e79557fcf3f12279ab32be68aee2ca1cfd68e29134d0b34caf6975c3254
SHA512

42ecf9093b0182388b57e40ff2581ede8a3e9cd487315d02886e19aeb168005016c6178e966cae4a9358b056927947b65a46bf77de432b73d7fce237abb996b9
SSDEEP

24576:eziaTTDWECSiUgQCl+V1KPOiLs1yYeunFqjTZfyt2V1zdPY0UavdQ1+fXmc1:UiUvCSH1r2s1NRqHZKt2V1zdPYVaNv5

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/3028-2-0x000000001AF10000-0x000000001B0B4000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-4-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-5-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-7-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-9-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-11-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-13-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-15-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-17-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-19-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-21-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-23-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-25-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-27-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-29-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-31-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-33-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-35-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-37-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-39-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-41-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-43-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-45-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-47-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-49-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-51-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-53-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-55-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-57-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-59-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-61-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-63-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-65-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1
behavioral1/memory/3028-67-0x000000001AF10000-0x000000001B0AF000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Program Files\\Java\\sppsvc.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Program Files\\Java\\sppsvc.exe\", \"C:\\Recovery\\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\\services.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Videos\\Idle.exe\", \"C:\\MSOCache\\All Users\\csrss.exe\", \"C:\\Program Files\\Java\\sppsvc.exe\", \"C:\\Recovery\\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\\services.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\csrss.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Videos\\Idle.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1540	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
3060	services.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Videos\\Idle.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Java\\sppsvc.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\\services.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\csrss.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\csrss.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\Videos\\Idle.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\csrss.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\csrss.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Java\\sppsvc.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\\services.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4A9D90D757CF4805B2B8BCB7A15B6E99.TMP	csc.exe
File created	\??\c:\Windows\System32\fbfjrg.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\sppsvc.exe	b2b416d08c3391ce0842d998e0d5f273.exe
File created	C:\Program Files\Java\0a1fd5f707cd16	b2b416d08c3391ce0842d998e0d5f273.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1348	schtasks.exe
2752	schtasks.exe
2756	schtasks.exe
2576	schtasks.exe
2404	schtasks.exe
2456	schtasks.exe
2056	schtasks.exe
2044	schtasks.exe
2980	schtasks.exe
1256	schtasks.exe
2452	schtasks.exe
1312	schtasks.exe
2532	schtasks.exe
2760	schtasks.exe
1896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3028	b2b416d08c3391ce0842d998e0d5f273.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe
3060	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	b2b416d08c3391ce0842d998e0d5f273.exe
Token: SeDebugPrivilege	3060	services.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 984	3028	b2b416d08c3391ce0842d998e0d5f273.exe	32
PID 3028 wrote to memory of 984	3028	b2b416d08c3391ce0842d998e0d5f273.exe	32
PID 3028 wrote to memory of 984	3028	b2b416d08c3391ce0842d998e0d5f273.exe	32
PID 984 wrote to memory of 1396	984	csc.exe	34
PID 984 wrote to memory of 1396	984	csc.exe	34
PID 984 wrote to memory of 1396	984	csc.exe	34
PID 3028 wrote to memory of 2680	3028	b2b416d08c3391ce0842d998e0d5f273.exe	47
PID 3028 wrote to memory of 2680	3028	b2b416d08c3391ce0842d998e0d5f273.exe	47
PID 3028 wrote to memory of 2680	3028	b2b416d08c3391ce0842d998e0d5f273.exe	47
PID 2680 wrote to memory of 2140	2680	cmd.exe	49
PID 2680 wrote to memory of 2140	2680	cmd.exe	49
PID 2680 wrote to memory of 2140	2680	cmd.exe	49
PID 2680 wrote to memory of 2880	2680	cmd.exe	50
PID 2680 wrote to memory of 2880	2680	cmd.exe	50
PID 2680 wrote to memory of 2880	2680	cmd.exe	50
PID 2680 wrote to memory of 3060	2680	cmd.exe	53
PID 2680 wrote to memory of 3060	2680	cmd.exe	53
PID 2680 wrote to memory of 3060	2680	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b2b416d08c3391ce0842d998e0d5f273.exe
"C:\Users\Admin\AppData\Local\Temp\b2b416d08c3391ce0842d998e0d5f273.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\430jxlpy\430jxlpy.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFDD.tmp" "c:\Windows\System32\CSC4A9D90D757CF4805B2B8BCB7A15B6E99.TMP"
    3⤵
    PID:1396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ftGc9FMGwt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2140
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2880
- - C:\Recovery\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\services.exe
    "C:\Recovery\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Videos\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
1.3MB

MD5
b2b416d08c3391ce0842d998e0d5f273

SHA1
b384e63d2d57c5c744d1da4e5e92faad09228ab1

SHA256
54471e79557fcf3f12279ab32be68aee2ca1cfd68e29134d0b34caf6975c3254

SHA512
42ecf9093b0182388b57e40ff2581ede8a3e9cd487315d02886e19aeb168005016c6178e966cae4a9358b056927947b65a46bf77de432b73d7fce237abb996b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCFDD.tmp

Filesize
1KB

MD5
69e26a3c238514f0e040d950a1f56280

SHA1
afa0584c4ff66c21609d6a106fdacb0117dc192f

SHA256
2a9208471c9416b51566b0f43c04c7b76f448b6844087b1b35c9b8fc754f73aa

SHA512
bcd4d128e94ce94b64313929d8facb91072352617b7a2a2557597679a1899c0975a539fbda47a0b0fd08a053bfe69bdedbcdacc347bbced6aaeba597aebf0110

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftGc9FMGwt.bat

Filesize
237B

MD5
af311b0f649c5cd65ae189c35a8b96e3

SHA1
d434f7d2f8aa4dbede2539b267a328c2eec69dad

SHA256
ce900332241ef1e8130e1057f2fc966c342f80a812146ebc0c102e7bd7b4bc00

SHA512
469a518ef6a85fd55054d23dea26177308351c9f3d072bbe2dfd92a00355820f4732ecdb5460b4ff6002e85849ed0e79211b1cee1123433a0548433e41999490

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\430jxlpy\430jxlpy.0.cs

Filesize
364B

MD5
60d17c38d94f9cbf7f9983aef780c654

SHA1
7e1f2fe6f708a5d591c60042f1699f3c034d38e9

SHA256
a219c7c7218af23ebce58c3c452f5df2c817cb9e86844aba7af62bac442b8eda

SHA512
b85b6f9fea2e665106a643e3c9a8ad560240a73ede242e8dfaf3f7b6d645443bdee97580253ba8f3af575e4c0aed90a9b4d3fcbdce61a39f0b2664d63e56bbcd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\430jxlpy\430jxlpy.cmdline

Filesize
235B

MD5
cfab9fd0fcf919ba929b6bedce6adee1

SHA1
6e908714a19f8a3ed383ae61f9b91bbe55bb60f3

SHA256
d014d5aa11db8e5216eab95e6edb3c3d70ae5d4b82a4f3269704c025678441b9

SHA512
80805db8ab3b709306422b38a6b8a5b18e04e8e48357276a911b6b1483e225eb16f8a0ababd7fad09120251553df3dd72a8e2c7cb7a9a1fa0a138fd00f707293

Download Submit
\??\c:\Windows\System32\CSC4A9D90D757CF4805B2B8BCB7A15B6E99.TMP

Filesize
1KB

MD5
be2c0c12ae0811c909259a9ef7faaac6

SHA1
002bac0233c2db332d9e2b17fdc32dc8e6139350

SHA256
eee9beb7acf4ae34d0b4bc1c136a9abd1c625d5a2c1eccdb14ceedab91adca3a

SHA512
db719e3a4f86d6384d31cecc0c1ce4525690d2cdbd315a699dbba6481a55c3b60cdb4f07029f956c4f1f116c1a2b72191036c7c5da8a07d9a12606e69b1eec88

Download Submit
memory/3028-27-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-7-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-11-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-13-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-15-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-17-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-19-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-21-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-23-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-25-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-0-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/3028-29-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-31-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-33-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-35-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-37-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-39-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-41-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-67-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-45-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-47-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-49-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-51-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-53-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-55-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-57-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-59-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-61-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-9-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-63-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-43-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-3190-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/3028-3561-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download
memory/3028-3562-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3028-3563-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download
memory/3028-3564-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download
memory/3028-3565-0x0000000077630000-0x0000000077631000-memory.dmp

Filesize
4KB

Download
memory/3028-3567-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/3028-65-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-5-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-4-0x000000001AF10000-0x000000001B0AF000-memory.dmp

Filesize
1.6MB

Download
memory/3028-3-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download
memory/3028-2-0x000000001AF10000-0x000000001B0B4000-memory.dmp

Filesize
1.6MB

Download
memory/3028-1-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/3028-3596-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-7167-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/3060-3600-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-3602-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/3060-7158-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3060-7159-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/3060-7163-0x0000000077630000-0x0000000077631000-memory.dmp

Filesize
4KB

Download
memory/3060-7160-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/3060-3599-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/3060-7164-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/3060-7165-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/3060-7166-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/3060-7162-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-7168-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download