zgrat | 3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9

General

Target

A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Size

1.9MB
MD5

a8feeee4d7550b6d235a58fcc27a7c27
SHA1

cca74652e0efb730d7109d825102f6d163cbcf91
SHA256

3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9
SHA512

2a016f1dbd2d2466bf61a422775453432e16df42014370b8c862b03af0f176eef9058542aff89cf61825d3565045e943680c2386e09ca30327a9900190d155f3
SSDEEP

24576:hgXogJObMWfLOAT6gih1R12T3W07YbkKKcZUhhKpHqS/iZ0g0W2kg+mnS5aUVDe2:hFo6EN0W08kKKQUD8abIVS5xDL

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3036-0-0x0000000000860000-0x0000000000A50000-memory.dmp	family_zgrat_v1
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\System.exe	family_zgrat_v1
behavioral1/memory/1244-51-0x0000000000C10000-0x0000000000E00000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\Idle.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\services.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\A8FEEEE4D7550B6D235A58FCC27A7C27.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\Idle.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\services.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\A8FEEEE4D7550B6D235A58FCC27A7C27.exe\", \"C:\\Users\\Default\\PrintHood\\System.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\Idle.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\Idle.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\services.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\Idle.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\services.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\System.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	2384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2384	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

pid process

1244 A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1244	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\Idle.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Uninstall Information\\services.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Uninstall Information\\services.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Common Files\\microsoft shared\\System.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\A8FEEEE4D7550B6D235A58FCC27A7C27 = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\A8FEEEE4D7550B6D235A58FCC27A7C27.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A8FEEEE4D7550B6D235A58FCC27A7C27 = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\A8FEEEE4D7550B6D235A58FCC27A7C27.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\\Idle.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Common Files\\microsoft shared\\System.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\PrintHood\\System.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\PrintHood\\System.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC7DD37BEAEFC14925A0F5F2FABC2913E7.TMP	csc.exe
File created	\??\c:\Windows\System32\u7e72d.exe	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\System.exe	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\27d1bcfc3c54e0	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created	C:\Program Files (x86)\Uninstall Information\services.exe	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created	C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1556	schtasks.exe
2436	schtasks.exe
2284	schtasks.exe
356	schtasks.exe
2584	schtasks.exe
1608	schtasks.exe
2280	schtasks.exe
240	schtasks.exe
2664	schtasks.exe
2412	schtasks.exe
1748	schtasks.exe
2832	schtasks.exe
2260	schtasks.exe
2544	schtasks.exe
2980	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2164 PING.EXE

pid	process
2164	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

pid	process
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

pid process

1244 A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exeA8FEEEE4D7550B6D235A58FCC27A7C27.exe

description pid process

Token: SeDebugPrivilege 3036 A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Token: SeDebugPrivilege 1244 A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

pid process

1244 A8FEEEE4D7550B6D235A58FCC27A7C27.exe

pid	process
1244	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	pid	process
Token: SeDebugPrivilege	3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Token: SeDebugPrivilege	1244	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

pid	process
1244	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.execsc.execmd.exe

description	pid	process	target process
PID 3036 wrote to memory of 2492	3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 3036 wrote to memory of 2492	3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 3036 wrote to memory of 2492	3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 2492 wrote to memory of 2448	2492	csc.exe	cvtres.exe
PID 2492 wrote to memory of 2448	2492	csc.exe	cvtres.exe
PID 2492 wrote to memory of 2448	2492	csc.exe	cvtres.exe
PID 3036 wrote to memory of 2112	3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	cmd.exe
PID 3036 wrote to memory of 2112	3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	cmd.exe
PID 3036 wrote to memory of 2112	3036	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	cmd.exe
PID 2112 wrote to memory of 1544	2112	cmd.exe	chcp.com
PID 2112 wrote to memory of 1544	2112	cmd.exe	chcp.com
PID 2112 wrote to memory of 1544	2112	cmd.exe	chcp.com
PID 2112 wrote to memory of 2164	2112	cmd.exe	PING.EXE
PID 2112 wrote to memory of 2164	2112	cmd.exe	PING.EXE
PID 2112 wrote to memory of 2164	2112	cmd.exe	PING.EXE
PID 2112 wrote to memory of 1244	2112	cmd.exe	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
PID 2112 wrote to memory of 1244	2112	cmd.exe	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
PID 2112 wrote to memory of 1244	2112	cmd.exe	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\A8FEEEE4D7550B6D235A58FCC27A7C27.exe
"C:\Users\Admin\AppData\Local\Temp\A8FEEEE4D7550B6D235A58FCC27A7C27.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\otvdztn1\otvdztn1.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24DF.tmp" "c:\Windows\System32\CSC7DD37BEAEFC14925A0F5F2FABC2913E7.TMP"
3⤵
PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8WzfOKJUge.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1544

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:2164

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\A8FEEEE4D7550B6D235A58FCC27A7C27.exe
"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\A8FEEEE4D7550B6D235A58FCC27A7C27.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "A8FEEEE4D7550B6D235A58FCC27A7C27A" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\A8FEEEE4D7550B6D235A58FCC27A7C27.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "A8FEEEE4D7550B6D235A58FCC27A7C27" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\A8FEEEE4D7550B6D235A58FCC27A7C27.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "A8FEEEE4D7550B6D235A58FCC27A7C27A" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\A8FEEEE4D7550B6D235A58FCC27A7C27.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\PrintHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8WzfOKJUge.bat
Filesize
227B

MD5
7bdde80fa99115f602a1a42cf2a9673b

SHA1
f2f8803700f8fee0e735b9945c33684969974182

SHA256
8f19e16c54365545b776d2232a0e031d6759b9712d6927ddf0f579a1f2c305a3

SHA512
d344da49ddc7e043dff2771ea92f09f735b951073c12aee4ebe510578916aae3301bcc318d691292e39020d019dbb8eaa3ca7dc1669c231d28c34634ddd4f174

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES24DF.tmp
Filesize
1KB

MD5
0984af5a66779ebe76044361d19f66c1

SHA1
c2a6e69985e8b82c394802698a261b70872a3249

SHA256
55563d1bc6f0afaf16fad163610470089951ab4072fe3f511d47611ad611644f

SHA512
6429a4506a05f7894e772627c83da645a155bc7604484d50bf8c87e41eca1816505868b1bba93c039c4c6f909215aab076bcc8f8007c98d1b36a033703e0de65

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\System.exe
Filesize
1.9MB

MD5
a8feeee4d7550b6d235a58fcc27a7c27

SHA1
cca74652e0efb730d7109d825102f6d163cbcf91

SHA256
3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9

SHA512
2a016f1dbd2d2466bf61a422775453432e16df42014370b8c862b03af0f176eef9058542aff89cf61825d3565045e943680c2386e09ca30327a9900190d155f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\otvdztn1\otvdztn1.0.cs
Filesize
389B

MD5
5af43db4b68ca5aa4ef9aa4e4f7d9457

SHA1
59cb79ebc1e63e0f8d1a36825d010a17545bb619

SHA256
7397c32f32023391e3563ca3483e90445c7fa423238a76c61c2d4c9225fdb7d8

SHA512
2bfac92b297287054d0b19fde573da4c8d78643a8efe8d8420fb4ed1fdcc227a11a5562dc5e319a498cfb309eff3f164345cb00a57a9b34e5a2578cd56374efd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\otvdztn1\otvdztn1.cmdline
Filesize
235B

MD5
47fdafa052055fa886441832e56e96c8

SHA1
e20bafaa2c34e10f366426195bc01adbbfde71e3

SHA256
1639474113f63d1dcdb4ef59a47e1e65e1b4de81f7b689bba4c32bb7278d8dbd

SHA512
88095ea718155d8888f25ae8efeaab99283d8303eac8a8629dd2c2f6c10c752cc660351d4dadea066527b914e02ebd69f373f1b838380950ec460a6581e2a21d

Download Submit
\??\c:\Windows\System32\CSC7DD37BEAEFC14925A0F5F2FABC2913E7.TMP
Filesize
1KB

MD5
984924caf6574026769de34f35c2358e

SHA1
6dd41e492235d812252231912aa025f47fa7a9e7

SHA256
2bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986

SHA512
5918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46

Download Submit
memory/1244-60-0x0000000076F60000-0x0000000076F61000-memory.dmp

Filesize
4KB

Download
memory/1244-62-0x0000000076F50000-0x0000000076F51000-memory.dmp

Filesize
4KB

Download
memory/1244-93-0x000000001AA10000-0x000000001AA90000-memory.dmp

Filesize
512KB

Download
memory/1244-92-0x000000001AA10000-0x000000001AA90000-memory.dmp

Filesize
512KB

Download
memory/1244-70-0x000000001AA10000-0x000000001AA90000-memory.dmp

Filesize
512KB

Download
memory/1244-69-0x000000001AA10000-0x000000001AA90000-memory.dmp

Filesize
512KB

Download
memory/1244-68-0x000000001AA10000-0x000000001AA90000-memory.dmp

Filesize
512KB

Download
memory/1244-67-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp

Filesize
9.9MB

Download
memory/1244-66-0x0000000076F30000-0x0000000076F31000-memory.dmp

Filesize
4KB

Download
memory/1244-64-0x0000000076F40000-0x0000000076F41000-memory.dmp

Filesize
4KB

Download
memory/1244-58-0x000000001AA10000-0x000000001AA90000-memory.dmp

Filesize
512KB

Download
memory/1244-57-0x0000000076F70000-0x0000000076F71000-memory.dmp

Filesize
4KB

Download
memory/1244-55-0x000000001AA10000-0x000000001AA90000-memory.dmp

Filesize
512KB

Download
memory/1244-54-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1244-53-0x000000001AA10000-0x000000001AA90000-memory.dmp

Filesize
512KB

Download
memory/1244-51-0x0000000000C10000-0x0000000000E00000-memory.dmp

Filesize
1.9MB

Download
memory/1244-52-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-6-0x0000000076F70000-0x0000000076F71000-memory.dmp

Filesize
4KB

Download
memory/3036-4-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/3036-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3036-20-0x0000000076F30000-0x0000000076F31000-memory.dmp

Filesize
4KB

Download
memory/3036-8-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/3036-7-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/3036-19-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/3036-2-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/3036-47-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-0-0x0000000000860000-0x0000000000A50000-memory.dmp

Filesize
1.9MB

Download
memory/3036-17-0x0000000076F40000-0x0000000076F41000-memory.dmp

Filesize
4KB

Download
memory/3036-16-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/3036-14-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/3036-12-0x0000000076F50000-0x0000000076F51000-memory.dmp

Filesize
4KB

Download
memory/3036-11-0x0000000076F60000-0x0000000076F61000-memory.dmp

Filesize
4KB

Download
memory/3036-10-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads