zgrat | 54471e79557fcf3f12279ab32be68aee2ca1cfd68e29134d0b34caf6975c3254

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b416d08c3391ce0842d998e0d5f273.exe
Size

1.3MB
MD5

b2b416d08c3391ce0842d998e0d5f273
SHA1

b384e63d2d57c5c744d1da4e5e92faad09228ab1
SHA256

54471e79557fcf3f12279ab32be68aee2ca1cfd68e29134d0b34caf6975c3254
SHA512

42ecf9093b0182388b57e40ff2581ede8a3e9cd487315d02886e19aeb168005016c6178e966cae4a9358b056927947b65a46bf77de432b73d7fce237abb996b9
SSDEEP

24576:eziaTTDWECSiUgQCl+V1KPOiLs1yYeunFqjTZfyt2V1zdPY0UavdQ1+fXmc1:UiUvCSH1r2s1NRqHZKt2V1zdPYVaNv5

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/5116-1-0x000000001BC30000-0x000000001BDD4000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-5-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-9-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-11-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-7-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-3-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-17-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-19-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-21-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-15-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-23-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-13-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-25-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-27-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-29-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-31-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-33-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-37-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-35-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-39-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-41-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-47-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-49-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-45-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-51-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-43-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-57-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-55-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-53-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-61-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-63-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-65-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-67-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1
behavioral2/memory/5116-59-0x000000001BC30000-0x000000001BDCF000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\locale\\fontdrvhost.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\locale\\fontdrvhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\locale\\fontdrvhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\locale\\fontdrvhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Application Data\\taskhostw.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\locale\\fontdrvhost.exe\", \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Application Data\\taskhostw.exe\", \"C:\\odt\\sysmon.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	3988	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3988	schtasks.exe	90

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	b2b416d08c3391ce0842d998e0d5f273.exe

Executes dropped EXE 1 IoCs

pid	Process
3656	sysmon.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Application Data\\taskhostw.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\odt\\sysmon.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\All Users\\Application Data\\taskhostw.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\odt\\sysmon.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\fontdrvhost.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\fontdrvhost.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\""	b2b416d08c3391ce0842d998e0d5f273.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCF5BE7238684D46978DD720945985CBEE.TMP	csc.exe
File created	\??\c:\Windows\System32\ghlptw.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe	b2b416d08c3391ce0842d998e0d5f273.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe	b2b416d08c3391ce0842d998e0d5f273.exe
File created	C:\Program Files\VideoLAN\VLC\locale\5b884080fd4f94	b2b416d08c3391ce0842d998e0d5f273.exe
File created	C:\Program Files\Mozilla Firefox\fontdrvhost.exe	b2b416d08c3391ce0842d998e0d5f273.exe
File created	C:\Program Files\Mozilla Firefox\5b884080fd4f94	b2b416d08c3391ce0842d998e0d5f273.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3604	schtasks.exe
1508	schtasks.exe
316	schtasks.exe
4832	schtasks.exe
2304	schtasks.exe
2916	schtasks.exe
2416	schtasks.exe
2920	schtasks.exe
748	schtasks.exe
4028	schtasks.exe
2444	schtasks.exe
4596	schtasks.exe
3444	schtasks.exe
4512	schtasks.exe
2792	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	b2b416d08c3391ce0842d998e0d5f273.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
5116	b2b416d08c3391ce0842d998e0d5f273.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe
3656	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	b2b416d08c3391ce0842d998e0d5f273.exe
Token: SeDebugPrivilege	3656	sysmon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 784	5116	b2b416d08c3391ce0842d998e0d5f273.exe	92
PID 5116 wrote to memory of 784	5116	b2b416d08c3391ce0842d998e0d5f273.exe	92
PID 784 wrote to memory of 428	784	csc.exe	112
PID 784 wrote to memory of 428	784	csc.exe	112
PID 5116 wrote to memory of 4972	5116	b2b416d08c3391ce0842d998e0d5f273.exe	106
PID 5116 wrote to memory of 4972	5116	b2b416d08c3391ce0842d998e0d5f273.exe	106
PID 4972 wrote to memory of 1916	4972	cmd.exe	110
PID 4972 wrote to memory of 1916	4972	cmd.exe	110
PID 4972 wrote to memory of 2752	4972	cmd.exe	109
PID 4972 wrote to memory of 2752	4972	cmd.exe	109
PID 4972 wrote to memory of 3656	4972	cmd.exe	116
PID 4972 wrote to memory of 3656	4972	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b2b416d08c3391ce0842d998e0d5f273.exe
"C:\Users\Admin\AppData\Local\Temp\b2b416d08c3391ce0842d998e0d5f273.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\situ1a1w\situ1a1w.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES980A.tmp" "c:\Windows\System32\CSCF5BE7238684D46978DD720945985CBEE.TMP"
    3⤵
    PID:428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MFun5mcpL2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2752
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1916
- - C:\odt\sysmon.exe
    "C:\odt\sysmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MFun5mcpL2.bat

Filesize
193B

MD5
1d93004e13855521a525798304d7d37f

SHA1
da16d20487d86989aebb1692ef28f0cc73afb259

SHA256
2a108e9091bdad816af91d4545f8febdc1ec9d03f43fa827aba2c6c9cfdbb7c9

SHA512
d1e2546c39e8e981ebdc09f0c0f47ee4a3f7de94ad1e5a73d8fbf5da0a47588400ea64d9f54477894420ed34a55632c76deee8482c1381ae57e3ea57d43f73b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES980A.tmp

Filesize
1KB

MD5
782b9e7484fbc2e25bdcf4601b9f555e

SHA1
ca149d029cb3daa4b976b1ebe69f89dd1719f386

SHA256
45445462c6a7f689e3761ce8e69e265071b5d9d4c9cd427759cbe53f0b52ca37

SHA512
552144ed93e07b5b19bbe7d922330fe357c92c8266c7565737680247ffee9ae20a39d3d82bbe5510de384a54b134543dc447a88e31e66e3b9ed340a1f02bb83a

Download Submit
C:\odt\sysmon.exe

Filesize
371KB

MD5
193214753eaab034460d97664dd60e53

SHA1
7680393a77caeb4c494c6d4984de4e0949249ab0

SHA256
b4d9731ef1cfdddfb210bfcd16df8b22e468463a866bb0cd828e4352df1016fd

SHA512
46f2fde056b9e48d7a041cd5b52c46b6fbceeca9adcad3407a260621fe63130d929e0e561ecdad9a7296f65b99aaeebbae68bfdc420cad88e3e49f73dff628c2

Download Submit
C:\odt\sysmon.exe

Filesize
1.2MB

MD5
e6cb4214937afac11e2d353cbbf2102a

SHA1
8dadccab82640455ddb1ca7fda46fdca51d96fb8

SHA256
d8d18cf4082243bb064057771a3dcbede3091cd76030a301acb2f00c2780f60d

SHA512
7c121377db38e7a1d5d77922e5f255cd382c40ea81b328163db7b94fb9ce21b05cf3b0164f9803b87c2d541c0b6c54adeff79190b1ae330b4939f649d5373cf0

Download Submit
C:\odt\sysmon.exe

Filesize
1.3MB

MD5
b2b416d08c3391ce0842d998e0d5f273

SHA1
b384e63d2d57c5c744d1da4e5e92faad09228ab1

SHA256
54471e79557fcf3f12279ab32be68aee2ca1cfd68e29134d0b34caf6975c3254

SHA512
42ecf9093b0182388b57e40ff2581ede8a3e9cd487315d02886e19aeb168005016c6178e966cae4a9358b056927947b65a46bf77de432b73d7fce237abb996b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\situ1a1w\situ1a1w.0.cs

Filesize
384B

MD5
e3046c28a70e81ebcd966953148cd1bf

SHA1
cd7859981eae221174a6c3d4f8a82d4c7ee561a9

SHA256
5a4801df293da06c1010fb68f568c04ff9e82249bf4c343236d154e50cdc74fa

SHA512
9afa4c317c2fc09d171472fc913250f075ee75a6690158a017e3dd7b9c0029eb2375918674978d375338bf82e7a5a9470ff6f5f6a27f372eba438fafa724e539

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\situ1a1w\situ1a1w.cmdline

Filesize
235B

MD5
57b33599bf38ac79148d8545f0250e96

SHA1
d8513caf62c26932dd0d2313c1fea1254521b345

SHA256
9ba48362042a9d7ac674606d22287924b8bc5f60106b931227646c3faaadbf2d

SHA512
33b1396246d5ce8c2b8d410844b6a59e6c95b59b20e2a98524d980c50d7bd754b368326d91d80d500af040580a196643b24240e1c7aa73540b87800f5a5a3828

Download Submit
\??\c:\Windows\System32\CSCF5BE7238684D46978DD720945985CBEE.TMP

Filesize
1KB

MD5
5bc7fffeb74f6ba57a2071934d353745

SHA1
fb8fae919b698ac12d3ec7d66cdb691f5763c146

SHA256
5146249f8fbc8b152593329b29ba45f4c96ff5eef3c1885dd4f2c4ed36804285

SHA512
e053f2d895ffc4324bca69ead2366f51f94e1dcd9bd43ed712068f73a45df02d39bdf29699b8401b03d7f2d5646d779197d027af21e0f317f232bf3e05526ac8

Download Submit
memory/3656-7171-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/3656-7166-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/3656-7164-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/3656-7163-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/3656-7023-0x00007FFDB2FF0000-0x00007FFDB3AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-3607-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/3656-3604-0x00007FFDB2FF0000-0x00007FFDB3AB1000-memory.dmp

Filesize
10.8MB

Download
memory/3656-7165-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/3656-7167-0x00007FFDD0E20000-0x00007FFDD0EDE000-memory.dmp

Filesize
760KB

Download
memory/3656-7169-0x00007FFDD0E10000-0x00007FFDD0E11000-memory.dmp

Filesize
4KB

Download
memory/3656-7172-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/3656-7174-0x00007FFDD0E20000-0x00007FFDD0EDE000-memory.dmp

Filesize
760KB

Download
memory/3656-7176-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/3656-7179-0x000000001BA10000-0x000000001BA20000-memory.dmp

Filesize
64KB

Download
memory/5116-29-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-39-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-47-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-49-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-45-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-51-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-43-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-57-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-55-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-53-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-61-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-63-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-65-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-67-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-59-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-3337-0x00007FFDB2FF0000-0x00007FFDB3AB1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-3561-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/5116-3563-0x000000001BF30000-0x000000001BF40000-memory.dmp

Filesize
64KB

Download
memory/5116-3562-0x000000001BF30000-0x000000001BF40000-memory.dmp

Filesize
64KB

Download
memory/5116-3568-0x00007FFDD0E10000-0x00007FFDD0E11000-memory.dmp

Filesize
4KB

Download
memory/5116-3567-0x00007FFDD0E20000-0x00007FFDD0EDE000-memory.dmp

Filesize
760KB

Download
memory/5116-3566-0x00007FFDD0E20000-0x00007FFDD0EDE000-memory.dmp

Filesize
760KB

Download
memory/5116-3565-0x0000000003030000-0x000000000303E000-memory.dmp

Filesize
56KB

Download
memory/5116-41-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-35-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-37-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-33-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-3600-0x00007FFDD0E20000-0x00007FFDD0EDE000-memory.dmp

Filesize
760KB

Download
memory/5116-3599-0x00007FFDB2FF0000-0x00007FFDB3AB1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-31-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-0-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download
memory/5116-27-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-25-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-13-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-23-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-15-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-21-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-19-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-17-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-3-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-4-0x000000001BF30000-0x000000001BF40000-memory.dmp

Filesize
64KB

Download
memory/5116-7-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-11-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-9-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-5-0x000000001BC30000-0x000000001BDCF000-memory.dmp

Filesize
1.6MB

Download
memory/5116-2-0x00007FFDB2FF0000-0x00007FFDB3AB1000-memory.dmp

Filesize
10.8MB

Download
memory/5116-1-0x000000001BC30000-0x000000001BDD4000-memory.dmp

Filesize
1.6MB

Download