zgrat | 3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9

General

Target

A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Size

1.9MB
MD5

a8feeee4d7550b6d235a58fcc27a7c27
SHA1

cca74652e0efb730d7109d825102f6d163cbcf91
SHA256

3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9
SHA512

2a016f1dbd2d2466bf61a422775453432e16df42014370b8c862b03af0f176eef9058542aff89cf61825d3565045e943680c2386e09ca30327a9900190d155f3
SSDEEP

24576:hgXogJObMWfLOAT6gih1R12T3W07YbkKKcZUhhKpHqS/iZ0g0W2kg+mnS5aUVDe2:hFo6EN0W08kKKQUD8abIVS5xDL

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1948-0-0x0000000000F00000-0x00000000010F0000-memory.dmp	family_zgrat_v1
C:\Users\Default\Saved Games\csrss.exe	family_zgrat_v1
behavioral1/memory/1692-51-0x0000000000810000-0x0000000000A00000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\dwm.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\taskhost.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\taskhost.exe\", \"C:\\Users\\Default\\Saved Games\\csrss.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\smss.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2392	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

taskhost.exe

pid process

1692 taskhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1692	taskhost.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\lsm.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\dwm.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Saved Games\\csrss.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\smss.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\smss.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\dwm.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\taskhost.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\taskhost.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Saved Games\\csrss.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCDB5E790463D14E47B6EFA8569D55A5CF.TMP	csc.exe
File created	\??\c:\Windows\System32\b3zcf6.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6cb0b6c459d5d3	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1576	schtasks.exe
2600	schtasks.exe
2936	schtasks.exe
2748	schtasks.exe
800	schtasks.exe
2968	schtasks.exe
1228	schtasks.exe
2728	schtasks.exe
2888	schtasks.exe
1232	schtasks.exe
2412	schtasks.exe
2316	schtasks.exe
2768	schtasks.exe
2896	schtasks.exe
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

pid	process
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskhost.exe

pid process

1692 taskhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exetaskhost.exe

description pid process

Token: SeDebugPrivilege 1948 A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Token: SeDebugPrivilege 1692 taskhost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

taskhost.exe

pid process

1692 taskhost.exe

pid	process
1692	taskhost.exe

description	pid	process
Token: SeDebugPrivilege	1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Token: SeDebugPrivilege	1692	taskhost.exe

pid	process
1692	taskhost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.execsc.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 2496	1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 1948 wrote to memory of 2496	1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 1948 wrote to memory of 2496	1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 2496 wrote to memory of 2416	2496	csc.exe	cvtres.exe
PID 2496 wrote to memory of 2416	2496	csc.exe	cvtres.exe
PID 2496 wrote to memory of 2416	2496	csc.exe	cvtres.exe
PID 1948 wrote to memory of 1900	1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	cmd.exe
PID 1948 wrote to memory of 1900	1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	cmd.exe
PID 1948 wrote to memory of 1900	1948	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	cmd.exe
PID 1900 wrote to memory of 280	1900	cmd.exe	chcp.com
PID 1900 wrote to memory of 280	1900	cmd.exe	chcp.com
PID 1900 wrote to memory of 280	1900	cmd.exe	chcp.com
PID 1900 wrote to memory of 2596	1900	cmd.exe	w32tm.exe
PID 1900 wrote to memory of 2596	1900	cmd.exe	w32tm.exe
PID 1900 wrote to memory of 2596	1900	cmd.exe	w32tm.exe
PID 1900 wrote to memory of 1692	1900	cmd.exe	taskhost.exe
PID 1900 wrote to memory of 1692	1900	cmd.exe	taskhost.exe
PID 1900 wrote to memory of 1692	1900	cmd.exe	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\A8FEEEE4D7550B6D235A58FCC27A7C27.exe
"C:\Users\Admin\AppData\Local\Temp\A8FEEEE4D7550B6D235A58FCC27A7C27.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4dv3n4yx\4dv3n4yx.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BB2.tmp" "c:\Windows\System32\CSCDB5E790463D14E47B6EFA8569D55A5CF.TMP"
3⤵
PID:2416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3MUNFPIFJ.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:280

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2596

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe
"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2BB2.tmp
Filesize
1KB

MD5
d4f019ef8e3c708762515d1fb05cecc2

SHA1
9c4ddab91802d62f439c2d899a9bc513a3bd8e5c

SHA256
30a047750c083c9c28bcaf21fff5d4000b90004e2aa534b5fe524d56a19cf1f8

SHA512
0acdc9415b82851e807644c0f8546893e66c19ada925889673e84e14eb6c9e3a04e7134917df589d594a5c8e422fdb97c24c02f8a68beb0a3c2048784fcc66b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3MUNFPIFJ.bat
Filesize
264B

MD5
2c7491ced3dc3c2f572827aadcb84a80

SHA1
4c0b0b5eebf709a592f5f6d7b14a4f6017534ee7

SHA256
796c84e5d3789d19e93f5ee16e8d55122c1a066cb99c88b003141ed1dd33b750

SHA512
917d633267bd946527c6b316559abc3bc1506324f1fcb1e231cc61d1b87817d38d40934660f21c20640f7973b153d7bcc2944d127d852bd59595433a866c2ed5

Download Submit
C:\Users\Default\Saved Games\csrss.exe
Filesize
1.9MB

MD5
a8feeee4d7550b6d235a58fcc27a7c27

SHA1
cca74652e0efb730d7109d825102f6d163cbcf91

SHA256
3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9

SHA512
2a016f1dbd2d2466bf61a422775453432e16df42014370b8c862b03af0f176eef9058542aff89cf61825d3565045e943680c2386e09ca30327a9900190d155f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4dv3n4yx\4dv3n4yx.0.cs
Filesize
389B

MD5
851e6da9024b1d2137de24557e675b9b

SHA1
97becb9ce4916516198a257e1f871dc6feffbebd

SHA256
a1838c0ce4a1d30b17e32763552f79babcca8e448edaeceba3e1e1a210c6c0be

SHA512
1d9cb7eb57a970346aab0974ae46d9c89ad0acd5bc549ee4bc276f976e32a26b110eed030ff07a188ebfbedf4da3e65c8420c0c1b5330da58eeda5e4f4ae3b16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4dv3n4yx\4dv3n4yx.cmdline
Filesize
235B

MD5
e30afa95dc1b485043ca590aaf40aa19

SHA1
739edfd9f634517061263db4b86d6349771f69be

SHA256
8fe6063285b152f18feb36413c00b64b3a680c8d2afcd50debb66a51dfac02e1

SHA512
633620b98ef4a251f714812a40a053cf152c10966a08d28ee01f0b34d07f535e28a536d2adceb06fe34086d47e76c2ed161081ac41113caebd6c5daa5bf81e2f

Download Submit
\??\c:\Windows\System32\CSCDB5E790463D14E47B6EFA8569D55A5CF.TMP
Filesize
1KB

MD5
65053ba71cff182339972c8e120f82dc

SHA1
f01cfd6c1206ef1ad67357a6e5607360135eb1c2

SHA256
be37fc91a219971553906fb22c0c8d78ec73c37bb1a60c449ebf14209a7d5e32

SHA512
ffc553ffbbe1ac9e5cd5e74812d4d1a63f98f96c4dd1e02d17abbf08a4223180e75dd247c0bb3443f0a9776ed5915ebd8d76960876bbe05256354594003ddd83

Download Submit
memory/1692-60-0x0000000077890000-0x0000000077891000-memory.dmp

Filesize
4KB

Download
memory/1692-61-0x0000000077880000-0x0000000077881000-memory.dmp

Filesize
4KB

Download
memory/1692-93-0x000000001A9B0000-0x000000001AA30000-memory.dmp

Filesize
512KB

Download
memory/1692-92-0x000000001A9B0000-0x000000001AA30000-memory.dmp

Filesize
512KB

Download
memory/1692-70-0x000000001A9B0000-0x000000001AA30000-memory.dmp

Filesize
512KB

Download
memory/1692-69-0x000000001A9B0000-0x000000001AA30000-memory.dmp

Filesize
512KB

Download
memory/1692-67-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/1692-68-0x000000001A9B0000-0x000000001AA30000-memory.dmp

Filesize
512KB

Download
memory/1692-65-0x0000000077860000-0x0000000077861000-memory.dmp

Filesize
4KB

Download
memory/1692-64-0x0000000077870000-0x0000000077871000-memory.dmp

Filesize
4KB

Download
memory/1692-57-0x000000001A9B0000-0x000000001AA30000-memory.dmp

Filesize
512KB

Download
memory/1692-56-0x00000000778A0000-0x00000000778A1000-memory.dmp

Filesize
4KB

Download
memory/1692-55-0x000000001A9B0000-0x000000001AA30000-memory.dmp

Filesize
512KB

Download
memory/1692-54-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1692-53-0x000000001A9B0000-0x000000001AA30000-memory.dmp

Filesize
512KB

Download
memory/1692-51-0x0000000000810000-0x0000000000A00000-memory.dmp

Filesize
1.9MB

Download
memory/1692-52-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-8-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/1948-4-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/1948-48-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1948-20-0x0000000077860000-0x0000000077861000-memory.dmp

Filesize
4KB

Download
memory/1948-5-0x00000000778A0000-0x00000000778A1000-memory.dmp

Filesize
4KB

Download
memory/1948-6-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/1948-19-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/1948-2-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/1948-1-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-0-0x0000000000F00000-0x00000000010F0000-memory.dmp

Filesize
1.9MB

Download
memory/1948-17-0x0000000077870000-0x0000000077871000-memory.dmp

Filesize
4KB

Download
memory/1948-16-0x0000000000700000-0x0000000000712000-memory.dmp

Filesize
72KB

Download
memory/1948-14-0x0000000077880000-0x0000000077881000-memory.dmp

Filesize
4KB

Download
memory/1948-13-0x00000000006E0000-0x00000000006F8000-memory.dmp

Filesize
96KB

Download
memory/1948-11-0x0000000077890000-0x0000000077891000-memory.dmp

Filesize
4KB

Download
memory/1948-10-0x00000000006C0000-0x00000000006DC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads