zgrat | c792057cb761da8872421a6c906c4481b260bdb5d27b86378efdd2af39319687

Analysis

max time kernel
49s
max time network
138s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
Size

6.4MB
MD5

6acbb1fb58dccd74db667187b22de689
SHA1

cf0df5b247b15157cfce47473d1b063705d10b44
SHA256

c792057cb761da8872421a6c906c4481b260bdb5d27b86378efdd2af39319687
SHA512

b195df77aece1c054493a8fa195b9cffbfb9b2fe5c446ce59aa16fcc7ca0d19ca1ae25d7de4aa9fde59cdcd554293057a1d6806c0734d3d9e62671088d5a66a6
SSDEEP

196608:5EnAjdZqS8NA40yYnSTq0GnUZhUjGtpoHtx:DbHB40yYSTq+Rix

Score

10^/10

zgrat evasion persistence rat

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\GargantuaN.exe	family_zgrat_v1
\PerfDll\hyperProviderSavesinto.exe	family_zgrat_v1
behavioral1/memory/2448-34-0x0000000000100000-0x00000000002E6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2748-134-0x0000000000070000-0x0000000000256000-memory.dmp	family_zgrat_v1
behavioral1/memory/2764-156-0x0000000000180000-0x0000000000366000-memory.dmp	family_zgrat_v1
behavioral1/memory/2296-170-0x0000000001300000-0x00000000014E6000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2008	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2008	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Drops file in Drivers directory 1 IoCs

Processes:

GargantuanS.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts GargantuanS.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	GargantuanS.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IFAYFBKT\ImagePath = "C:\\ProgramData\\celaehnmjins\\nhxnqwkhmssh.exe"	services.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 3 IoCs

Processes:

GargantuaN.exeGargantuanS.exehyperProviderSavesinto.exe

pid process

2236 GargantuaN.exe
2848 GargantuanS.exe
2448 hyperProviderSavesinto.exe

pid	process
2236	GargantuaN.exe
2848	GargantuanS.exe
2448	hyperProviderSavesinto.exe

Loads dropped DLL 6 IoCs

Processes:

C792057CB761DA8872421A6C906C4481B260BDB5D27B8.execmd.exeservices.exe

pid	process
3060	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
3060	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
2564	cmd.exe
2564	cmd.exe
476	services.exe
476	services.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exeGargantuanS.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	GargantuanS.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GargantuanS.exe

description pid process target process

PID 2848 set thread context of 2412 2848 GargantuanS.exe dialer.exe
Drops file in Windows directory 1 IoCs

Processes:

wusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2536 sc.exe
2884 sc.exe
1172 sc.exe
1760 sc.exe
1680 sc.exe
2676 sc.exe
808 sc.exe
584 sc.exe
2892 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2848 set thread context of 2412	2848	GargantuanS.exe	dialer.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe

pid	process
2536	sc.exe
2884	sc.exe
1172	sc.exe
1760	sc.exe
1680	sc.exe
2676	sc.exe
808	sc.exe
584	sc.exe
2892	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2024	schtasks.exe
2272	schtasks.exe
832	schtasks.exe
2832	schtasks.exe
936	schtasks.exe
2332	schtasks.exe
1800	schtasks.exe
1648	schtasks.exe
484	schtasks.exe
748	schtasks.exe
1952	schtasks.exe
2756	schtasks.exe
1660	schtasks.exe
1740	schtasks.exe
2840	schtasks.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1808 PING.EXE
2024 PING.EXE

pid	process
1808	PING.EXE
2024	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GargantuanS.exehyperProviderSavesinto.exe

pid	process
2848	GargantuanS.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe
2448	hyperProviderSavesinto.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

hyperProviderSavesinto.exepowershell.exedialer.exe

description	pid	process
Token: SeDebugPrivilege	2448	hyperProviderSavesinto.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2412	dialer.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeGargantuaN.exeWScript.execmd.execmd.exeGargantuanS.exehyperProviderSavesinto.execmd.exedialer.exeservices.exe

description	pid	process	target process
PID 3060 wrote to memory of 2236	3060	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuaN.exe
PID 3060 wrote to memory of 2236	3060	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuaN.exe
PID 3060 wrote to memory of 2236	3060	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuaN.exe
PID 3060 wrote to memory of 2236	3060	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuaN.exe
PID 3060 wrote to memory of 2848	3060	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuanS.exe
PID 3060 wrote to memory of 2848	3060	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuanS.exe
PID 3060 wrote to memory of 2848	3060	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuanS.exe
PID 2236 wrote to memory of 2532	2236	GargantuaN.exe	WScript.exe
PID 2236 wrote to memory of 2532	2236	GargantuaN.exe	WScript.exe
PID 2236 wrote to memory of 2532	2236	GargantuaN.exe	WScript.exe
PID 2236 wrote to memory of 2532	2236	GargantuaN.exe	WScript.exe
PID 2532 wrote to memory of 2564	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 2564	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 2564	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 2564	2532	WScript.exe	cmd.exe
PID 2564 wrote to memory of 2448	2564	cmd.exe	hyperProviderSavesinto.exe
PID 2564 wrote to memory of 2448	2564	cmd.exe	hyperProviderSavesinto.exe
PID 2564 wrote to memory of 2448	2564	cmd.exe	hyperProviderSavesinto.exe
PID 2564 wrote to memory of 2448	2564	cmd.exe	hyperProviderSavesinto.exe
PID 1944 wrote to memory of 2500	1944	cmd.exe	wusa.exe
PID 1944 wrote to memory of 2500	1944	cmd.exe	wusa.exe
PID 1944 wrote to memory of 2500	1944	cmd.exe	wusa.exe
PID 2848 wrote to memory of 2412	2848	GargantuanS.exe	dialer.exe
PID 2848 wrote to memory of 2412	2848	GargantuanS.exe	dialer.exe
PID 2448 wrote to memory of 2136	2448	hyperProviderSavesinto.exe	cmd.exe
PID 2448 wrote to memory of 2136	2448	hyperProviderSavesinto.exe	cmd.exe
PID 2448 wrote to memory of 2136	2448	hyperProviderSavesinto.exe	cmd.exe
PID 2848 wrote to memory of 2412	2848	GargantuanS.exe	dialer.exe
PID 2848 wrote to memory of 2412	2848	GargantuanS.exe	dialer.exe
PID 2848 wrote to memory of 2412	2848	GargantuanS.exe	dialer.exe
PID 2848 wrote to memory of 2412	2848	GargantuanS.exe	dialer.exe
PID 2848 wrote to memory of 2412	2848	GargantuanS.exe	dialer.exe
PID 2136 wrote to memory of 1428	2136	cmd.exe	chcp.com
PID 2136 wrote to memory of 1428	2136	cmd.exe	chcp.com
PID 2136 wrote to memory of 1428	2136	cmd.exe	chcp.com
PID 2136 wrote to memory of 1808	2136	cmd.exe	PING.EXE
PID 2136 wrote to memory of 1808	2136	cmd.exe	PING.EXE
PID 2136 wrote to memory of 1808	2136	cmd.exe	PING.EXE
PID 2412 wrote to memory of 432	2412	dialer.exe	winlogon.exe
PID 2412 wrote to memory of 476	2412	dialer.exe	services.exe
PID 2412 wrote to memory of 492	2412	dialer.exe	lsass.exe
PID 2412 wrote to memory of 500	2412	dialer.exe	lsm.exe
PID 476 wrote to memory of 2216	476	services.exe	nhxnqwkhmssh.exe
PID 476 wrote to memory of 2216	476	services.exe	nhxnqwkhmssh.exe
PID 476 wrote to memory of 2216	476	services.exe	nhxnqwkhmssh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:476

C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
2⤵
PID:2216

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
PID:1712

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Users\Admin\AppData\Local\Temp\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
"C:\Users\Admin\AppData\Local\Temp\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\GargantuaN.exe
"C:\Users\Admin\AppData\Local\Temp\GargantuaN.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564

C:\PerfDll\hyperProviderSavesinto.exe
"C:\PerfDll/hyperProviderSavesinto.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2lFq83UvDH.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1428

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:1808

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe"
7⤵
PID:2748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sVWBOBo5KY.bat"
8⤵
PID:2512

C:\Windows\system32\chcp.com
chcp 65001
9⤵
PID:2488

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:1492

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe"
9⤵
PID:2764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat"
10⤵
PID:2620

C:\Windows\system32\chcp.com
chcp 65001
11⤵
PID:2032

C:\Windows\system32\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:2024

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe"
11⤵
PID:2296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8H3eknNYNX.bat"
12⤵
PID:2408

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:2304

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:1648

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe
"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe"
13⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\GargantuanS.exe
"C:\Users\Admin\AppData\Local\Temp\GargantuanS.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:2500

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:1680

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2676

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:808

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:2536

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:584

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "IFAYFBKT"
3⤵
- Launches sc.exe
PID:2884

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1172

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:2892

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "IFAYFBKT"
3⤵
- Launches sc.exe
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderSavesintoh" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderSavesinto" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderSavesintoh" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\hyperProviderSavesinto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Downloads\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:2912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe
Filesize
202B

MD5
e58f54961290891ba8dd349131192542

SHA1
e95ee8b62c8ed496fcc87cf0bae3290392a4196e

SHA256
9b129787a354c2400b13f6a3adc4b22bb4efe21b88e1a04e7e5dc6d093e421a8

SHA512
5914af838fa227a64705ef2afbbc10b19a66d121e177eed8215a69f05cdfe7406ac8cf87897607e337a8e13b66a6d1ed091b2aa6b841e264a935e9a7baca21fe

Download Submit
C:\PerfDll\vvkzdvmSUM14jiAzc.bat
Filesize
87B

MD5
b23a11797069052e51f71ddf9bcfc4f2

SHA1
08c3c1d85cb102a92843c2ed82cccdd8ca26026d

SHA256
e026f1d8ced262bf0921ebc7bbc797aa65f3e6e2ad8a62b9f4566cc4aa540a43

SHA512
e8c8ef9ef32a415567e27eb467a992868fb836a52ce0f74348cfc3a590bfa3b5e4ac4e37725d0c2b572eebb42f6ba33ddcb7b513359c6392b71914b7bf03ba26

Download Submit
C:\Users\Admin\AppData\Local\Temp\2lFq83UvDH.bat
Filesize
217B

MD5
d7a9ca14bcc74c41972f2fd8c4df58ce

SHA1
55eeeeeaa2202c5650c2a515d7f89b1f45821d84

SHA256
fa2b98e40fa79578303a8db3428692023db69d475cad9009efbaa7e8e730a0ac

SHA512
538e23291b148fb54a5c8d7572f431bf674abf845dcde9be2b55245b0d9458659aff85bc26df4c5406f1f887437f03451c61462f9172e251b60d5108d1be46e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8H3eknNYNX.bat
Filesize
265B

MD5
1bb671c1a4245bd6a771c4a245deeaec

SHA1
7249a4ab9fc57b0cbd3c67b4cc2862e3994b4e96

SHA256
b8f630dddaa186c2c40a581e228c7e227a5a3b63045aeed41ac4772fd4ce3068

SHA512
6214aa0495b4e7070fd64ec24d9900e8941abb60bed1347232e366160eab8ae297b0ace87e8ee9b43a118f97c44cab511abefa4b22dd9e829467677c5a81b9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\GargantuaN.exe
Filesize
2.2MB

MD5
b3cee15e9fddc0e7dc33069319b549d6

SHA1
1ff4ef47ba8a0de9f65eaa389b11d662aec318de

SHA256
af6a8e7175a702f8af26ed414dd0fbf1708f7716efb33792594149ef12d2431c

SHA512
ca402d334e8c7d6dc3fab0a129c56ef8ed3228b75c7b5bc5b0e5a174b199d37583395cc52d241caf583aba46df388f46e728bcc264f25312f62929ac932809d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GargantuanS.exe
Filesize
5.2MB

MD5
7a568ef3f46d369f3d3ffd68fdf68573

SHA1
203042a80812e2208c45aa95900172550994d80d

SHA256
bb895b0d8e684a48f0e9564b9d7e1323087d4f4664da134a28a54338bfab4ea0

SHA512
4f08cdd7021bd9ac1922d1252dbf7a2f26c689574fda7c5a0eac7ddc1f1138f3a51770b23f5ea23458611851e410faf5468a7209437e354452c47c13f2bb3ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat
Filesize
217B

MD5
4bea8dbf6f38b0c1763aba80327827e3

SHA1
49d07a005c57402d99dcc120576c61e689a9ac16

SHA256
2a7e2d7e2f564eb5a7b7753151ff8825848341a1226c4bd22dab1974316aea20

SHA512
6d102b180552f2d0660c865e652e1b68a9191f1115f89df8104f939bc204115a68eb06b3f98a0b4b05f1bfaccb4e5cd638bcd330c9b938e25e53a10031e2e225

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVWBOBo5KY.bat
Filesize
265B

MD5
6c362b2beec5f4daaf7a7511a7b150e9

SHA1
2666578107536d6e6cb9adc75fc5807c59e1c5ed

SHA256
2cb9ed327e877db3feed90b1ccf339072eaf4f28d17e7ddf83f8bea6a2a371ef

SHA512
0785df071473a548d452e4772bc8e4ea7a1055143323281a24bdce365833a83e2d9c11a67fc37b037f4466ea782d066f18b755b77ceea06c51d955f18110f30e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\PerfDll\hyperProviderSavesinto.exe
Filesize
1.9MB

MD5
3997d7d058af3c1b6c9abb57f6fa1f2a

SHA1
cd38c3eb67e2d09445eb39b66a69b31673c2360c

SHA256
b19c5e3261d05c95756d6452048448c4ab30d3179f90ca714de39ece0cd72d99

SHA512
ad53432c8f8309701e0dc2ba7c885f5088ee69c3073e9d1de4a3c75cb3c1af845b43d0a8512af58bcd425a831ec4f4bcf74fe3918956527db5a96a88fc003a36

Download Submit
memory/432-104-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/432-99-0x0000000000D30000-0x0000000000D54000-memory.dmp

Filesize
144KB

Download
memory/432-103-0x000007FEBDBD0000-0x000007FEBDBE0000-memory.dmp

Filesize
64KB

Download
memory/432-101-0x0000000000F80000-0x0000000000FAB000-memory.dmp

Filesize
172KB

Download
memory/432-108-0x0000000000F80000-0x0000000000FAB000-memory.dmp

Filesize
172KB

Download
memory/432-100-0x0000000000D30000-0x0000000000D54000-memory.dmp

Filesize
144KB

Download
memory/432-109-0x00000000777D1000-0x00000000777D2000-memory.dmp

Filesize
4KB

Download
memory/476-145-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/476-113-0x00000000000C0000-0x00000000000EB000-memory.dmp

Filesize
172KB

Download
memory/476-144-0x000007FEBDBD0000-0x000007FEBDBE0000-memory.dmp

Filesize
64KB

Download
memory/492-120-0x000007FEBDBD0000-0x000007FEBDBE0000-memory.dmp

Filesize
64KB

Download
memory/492-122-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/492-116-0x0000000000A30000-0x0000000000A5B000-memory.dmp

Filesize
172KB

Download
memory/500-136-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/500-135-0x000007FEBDBD0000-0x000007FEBDBE0000-memory.dmp

Filesize
64KB

Download
memory/500-133-0x0000000000600000-0x000000000062B000-memory.dmp

Filesize
172KB

Download
memory/1712-143-0x000000001A0E0000-0x000000001A3C2000-memory.dmp

Filesize
2.9MB

Download
memory/2296-170-0x0000000001300000-0x00000000014E6000-memory.dmp

Filesize
1.9MB

Download
memory/2296-181-0x000007FEF80A0000-0x000007FEF8A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2296-182-0x000000001B406000-0x000000001B46D000-memory.dmp

Filesize
412KB

Download
memory/2412-95-0x0000000077660000-0x000000007777F000-memory.dmp

Filesize
1.1MB

Download
memory/2412-90-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2412-84-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2412-87-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2412-86-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2412-88-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2412-92-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/2412-96-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2448-53-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2448-35-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-78-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2448-93-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-41-0x0000000077550000-0x0000000077551000-memory.dmp

Filesize
4KB

Download
memory/2448-75-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-37-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2448-38-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2448-36-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2448-45-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/2448-42-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2448-34-0x0000000000100000-0x00000000002E6000-memory.dmp

Filesize
1.9MB

Download
memory/2448-54-0x0000000077510000-0x0000000077511000-memory.dmp

Filesize
4KB

Download
memory/2448-40-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/2448-51-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2448-49-0x0000000077520000-0x0000000077521000-memory.dmp

Filesize
4KB

Download
memory/2448-48-0x0000000077530000-0x0000000077531000-memory.dmp

Filesize
4KB

Download
memory/2448-44-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/2448-47-0x0000000000640000-0x0000000000658000-memory.dmp

Filesize
96KB

Download
memory/2636-73-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/2636-77-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2636-79-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/2636-69-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/2636-71-0x000007FEED650000-0x000007FEEDFED000-memory.dmp

Filesize
9.6MB

Download
memory/2636-70-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/2636-72-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2636-74-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2636-76-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2748-134-0x0000000000070000-0x0000000000256000-memory.dmp

Filesize
1.9MB

Download
memory/2748-151-0x000007FEF80A0000-0x000007FEF8A8C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-152-0x000000001B096000-0x000000001B0FD000-memory.dmp

Filesize
412KB

Download
memory/2764-166-0x000007FEF7140000-0x000007FEF7B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-167-0x000000001B456000-0x000000001B4BD000-memory.dmp

Filesize
412KB

Download
memory/2764-156-0x0000000000180000-0x0000000000366000-memory.dmp

Filesize
1.9MB

Download