zgrat | c792057cb761da8872421a6c906c4481b260bdb5d27b86378efdd2af39319687

Analysis

max time kernel
87s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 08:31

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-25T08:32:39Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_1-dirty.qcow2\"}"

Report Analysis Logs

General

Target

C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
Size

6.4MB
MD5

6acbb1fb58dccd74db667187b22de689
SHA1

cf0df5b247b15157cfce47473d1b063705d10b44
SHA256

c792057cb761da8872421a6c906c4481b260bdb5d27b86378efdd2af39319687
SHA512

b195df77aece1c054493a8fa195b9cffbfb9b2fe5c446ce59aa16fcc7ca0d19ca1ae25d7de4aa9fde59cdcd554293057a1d6806c0734d3d9e62671088d5a66a6
SSDEEP

196608:5EnAjdZqS8NA40yYnSTq0GnUZhUjGtpoHtx:DbHB40yYSTq+Rix

Score

10^/10

zgrat evasion persistence rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\GargantuaN.exe	family_zgrat_v1
C:\PerfDll\hyperProviderSavesinto.exe	family_zgrat_v1
behavioral2/memory/4624-49-0x0000000000310000-0x00000000004F6000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Drops file in Drivers directory 1 IoCs

Processes:

GargantuanS.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts GargantuanS.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	GargantuanS.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GargantuaN.exeWScript.exeC792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	GargantuaN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe

Executes dropped EXE 4 IoCs

Processes:

GargantuaN.exeGargantuanS.exehyperProviderSavesinto.exenhxnqwkhmssh.exe

pid process

2160 GargantuaN.exe
4772 GargantuanS.exe
4624 hyperProviderSavesinto.exe
1680 nhxnqwkhmssh.exe

pid	process
2160	GargantuaN.exe
4772	GargantuanS.exe
4624	hyperProviderSavesinto.exe
1680	nhxnqwkhmssh.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exeGargantuanS.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	GargantuanS.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GargantuanS.exe

description pid process target process

PID 4772 set thread context of 3000 4772 GargantuanS.exe dialer.exe

description	pid	process	target process
PID 4772 set thread context of 3000	4772	GargantuanS.exe	dialer.exe

Drops file in Program Files directory 2 IoCs

Processes:

hyperProviderSavesinto.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Multimedia Platform\nhxnqwkhmssh.exe	hyperProviderSavesinto.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dd512a05490103	hyperProviderSavesinto.exe

Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1644 sc.exe
4760 sc.exe
3640 sc.exe
3512 sc.exe
1296 sc.exe
4292 sc.exe
5052 sc.exe
3812 sc.exe
1280 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1644	sc.exe
4760	sc.exe
3640	sc.exe
3512	sc.exe
1296	sc.exe
4292	sc.exe
5052	sc.exe
3812	sc.exe
1280	sc.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

GargantuaN.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings GargantuaN.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings	GargantuaN.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GargantuanS.exepowershell.exedialer.exenhxnqwkhmssh.exehyperProviderSavesinto.exepowershell.exe

pid	process
4772	GargantuanS.exe
5104	powershell.exe
5104	powershell.exe
4772	GargantuanS.exe
4772	GargantuanS.exe
4772	GargantuanS.exe
4772	GargantuanS.exe
4772	GargantuanS.exe
4772	GargantuanS.exe
4772	GargantuanS.exe
4772	GargantuanS.exe
3000	dialer.exe
3000	dialer.exe
4772	GargantuanS.exe
4772	GargantuanS.exe
4772	GargantuanS.exe
1680	nhxnqwkhmssh.exe
3000	dialer.exe
3000	dialer.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
3880	powershell.exe
3880	powershell.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe
4624	hyperProviderSavesinto.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
3144
4564
1588
1960
3508
3504
1264
536
2828
1036
3520
2768
840
712
684
2620
4920
968
4752
3700
4036
1008
2292
3640
5036
1424
2476
1812
3720
208
804
220
4480
2752
1392
3512
4824
2240
1240
8
3548
4816
4176
3444
436
2840
816
780
3996
1816
4796
4228
2376
3992
4716
4104
1360
4756
4032
2636
3248
1428
2144
4800

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exehyperProviderSavesinto.exedialer.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	4624	hyperProviderSavesinto.exe
Token: SeDebugPrivilege	3000	dialer.exe
Token: SeDebugPrivilege	3880	powershell.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exeGargantuaN.execmd.exeWScript.execmd.exeGargantuanS.exedialer.exelsass.exe

description	pid	process	target process
PID 5072 wrote to memory of 2160	5072	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuaN.exe
PID 5072 wrote to memory of 2160	5072	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuaN.exe
PID 5072 wrote to memory of 2160	5072	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuaN.exe
PID 5072 wrote to memory of 4772	5072	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuanS.exe
PID 5072 wrote to memory of 4772	5072	C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe	GargantuanS.exe
PID 2160 wrote to memory of 1376	2160	GargantuaN.exe	WScript.exe
PID 2160 wrote to memory of 1376	2160	GargantuaN.exe	WScript.exe
PID 2160 wrote to memory of 1376	2160	GargantuaN.exe	WScript.exe
PID 536 wrote to memory of 1596	536	cmd.exe	wusa.exe
PID 536 wrote to memory of 1596	536	cmd.exe	wusa.exe
PID 1376 wrote to memory of 2932	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 2932	1376	WScript.exe	cmd.exe
PID 1376 wrote to memory of 2932	1376	WScript.exe	cmd.exe
PID 2932 wrote to memory of 4624	2932	cmd.exe	hyperProviderSavesinto.exe
PID 2932 wrote to memory of 4624	2932	cmd.exe	hyperProviderSavesinto.exe
PID 4772 wrote to memory of 3000	4772	GargantuanS.exe	dialer.exe
PID 4772 wrote to memory of 3000	4772	GargantuanS.exe	dialer.exe
PID 4772 wrote to memory of 3000	4772	GargantuanS.exe	dialer.exe
PID 4772 wrote to memory of 3000	4772	GargantuanS.exe	dialer.exe
PID 4772 wrote to memory of 3000	4772	GargantuanS.exe	dialer.exe
PID 4772 wrote to memory of 3000	4772	GargantuanS.exe	dialer.exe
PID 4772 wrote to memory of 3000	4772	GargantuanS.exe	dialer.exe
PID 3000 wrote to memory of 612	3000	dialer.exe	winlogon.exe
PID 3000 wrote to memory of 680	3000	dialer.exe	lsass.exe
PID 680 wrote to memory of 2612	680	lsass.exe	sysmon.exe
PID 3000 wrote to memory of 960	3000	dialer.exe	svchost.exe
PID 3000 wrote to memory of 64	3000	dialer.exe	dwm.exe
PID 3000 wrote to memory of 740	3000	dialer.exe	svchost.exe
PID 680 wrote to memory of 2612	680	lsass.exe	sysmon.exe
PID 680 wrote to memory of 2612	680	lsass.exe	sysmon.exe
PID 680 wrote to memory of 2612	680	lsass.exe	sysmon.exe
PID 3000 wrote to memory of 1048	3000	dialer.exe	svchost.exe
PID 680 wrote to memory of 2612	680	lsass.exe	sysmon.exe
PID 680 wrote to memory of 2612	680	lsass.exe	sysmon.exe
PID 680 wrote to memory of 2612	680	lsass.exe	sysmon.exe
PID 3000 wrote to memory of 1128	3000	dialer.exe	svchost.exe
PID 3000 wrote to memory of 1136	3000	dialer.exe	svchost.exe
PID 3000 wrote to memory of 1144	3000	dialer.exe	svchost.exe
PID 3000 wrote to memory of 1188	3000	dialer.exe	svchost.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 680 wrote to memory of 3936	680	lsass.exe	smss.exe
PID 3000 wrote to memory of 1232	3000	dialer.exe	svchost.exe
PID 3000 wrote to memory of 1320	3000	dialer.exe	svchost.exe
PID 3000 wrote to memory of 1344	3000	dialer.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe
"C:\Users\Admin\AppData\Local\Temp\C792057CB761DA8872421A6C906C4481B260BDB5D27B8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\GargantuaN.exe
"C:\Users\Admin\AppData\Local\Temp\GargantuaN.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\PerfDll\vvkzdvmSUM14jiAzc.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\PerfDll\hyperProviderSavesinto.exe
"C:\PerfDll/hyperProviderSavesinto.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Users\Admin\AppData\Local\Temp\GargantuanS.exe
"C:\Users\Admin\AppData\Local\Temp\GargantuanS.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:1596

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:3812

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1280

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:1644

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:3640

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:3512

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "IFAYFBKT"
3⤵
- Launches sc.exe
PID:4760

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "IFAYFBKT" binpath= "C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1296

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:5052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "IFAYFBKT"
3⤵
- Launches sc.exe
PID:4292

C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
C:\ProgramData\celaehnmjins\nhxnqwkhmssh.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2556

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4528

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2072

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1056

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4140

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1792

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000dc 00000088
1⤵
PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfDll\c2HM4VxGuBBIXOzYQncd9IeSwfaF3.vbe
Filesize
202B

MD5
e58f54961290891ba8dd349131192542

SHA1
e95ee8b62c8ed496fcc87cf0bae3290392a4196e

SHA256
9b129787a354c2400b13f6a3adc4b22bb4efe21b88e1a04e7e5dc6d093e421a8

SHA512
5914af838fa227a64705ef2afbbc10b19a66d121e177eed8215a69f05cdfe7406ac8cf87897607e337a8e13b66a6d1ed091b2aa6b841e264a935e9a7baca21fe

Download Submit
C:\PerfDll\hyperProviderSavesinto.exe
Filesize
1.9MB

MD5
3997d7d058af3c1b6c9abb57f6fa1f2a

SHA1
cd38c3eb67e2d09445eb39b66a69b31673c2360c

SHA256
b19c5e3261d05c95756d6452048448c4ab30d3179f90ca714de39ece0cd72d99

SHA512
ad53432c8f8309701e0dc2ba7c885f5088ee69c3073e9d1de4a3c75cb3c1af845b43d0a8512af58bcd425a831ec4f4bcf74fe3918956527db5a96a88fc003a36

Download Submit
C:\PerfDll\vvkzdvmSUM14jiAzc.bat
Filesize
87B

MD5
b23a11797069052e51f71ddf9bcfc4f2

SHA1
08c3c1d85cb102a92843c2ed82cccdd8ca26026d

SHA256
e026f1d8ced262bf0921ebc7bbc797aa65f3e6e2ad8a62b9f4566cc4aa540a43

SHA512
e8c8ef9ef32a415567e27eb467a992868fb836a52ce0f74348cfc3a590bfa3b5e4ac4e37725d0c2b572eebb42f6ba33ddcb7b513359c6392b71914b7bf03ba26

Download Submit
C:\Users\Admin\AppData\Local\Temp\GargantuaN.exe
Filesize
2.2MB

MD5
b3cee15e9fddc0e7dc33069319b549d6

SHA1
1ff4ef47ba8a0de9f65eaa389b11d662aec318de

SHA256
af6a8e7175a702f8af26ed414dd0fbf1708f7716efb33792594149ef12d2431c

SHA512
ca402d334e8c7d6dc3fab0a129c56ef8ed3228b75c7b5bc5b0e5a174b199d37583395cc52d241caf583aba46df388f46e728bcc264f25312f62929ac932809d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GargantuanS.exe
Filesize
5.2MB

MD5
7a568ef3f46d369f3d3ffd68fdf68573

SHA1
203042a80812e2208c45aa95900172550994d80d

SHA256
bb895b0d8e684a48f0e9564b9d7e1323087d4f4664da134a28a54338bfab4ea0

SHA512
4f08cdd7021bd9ac1922d1252dbf7a2f26c689574fda7c5a0eac7ddc1f1138f3a51770b23f5ea23458611851e410faf5468a7209437e354452c47c13f2bb3ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r2wrtnra.wbn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
22KB

MD5
a55853709d5e9a10db1347806f25c886

SHA1
96527bd4d1cface564d6e1a3e7a4224ff0f33c16

SHA256
bd8f6575650557f2e0a1972cbcc7de46f9132219870ff7ec697978e382a4b231

SHA512
be24f560d7a19b831bb0877e23526f23ebbe958f3c0590fcc68ed9b2848def5c251f65ba40eb7ec9fa2731733965ebc008406a49ee5c199830407076385b06cf

Download Submit
memory/64-177-0x00007FFDEC00F000-0x00007FFDEC010000-memory.dmp

Filesize
4KB

Download
memory/64-170-0x000001BA27E30000-0x000001BA27E5B000-memory.dmp

Filesize
172KB

Download
memory/64-169-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/64-114-0x000001BA27E30000-0x000001BA27E5B000-memory.dmp

Filesize
172KB

Download
memory/64-87-0x000001BA27E30000-0x000001BA27E5B000-memory.dmp

Filesize
172KB

Download
memory/612-164-0x0000014A59E20000-0x0000014A59E4B000-memory.dmp

Filesize
172KB

Download
memory/612-76-0x0000014A59E20000-0x0000014A59E4B000-memory.dmp

Filesize
172KB

Download
memory/612-163-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/612-71-0x0000014A59DF0000-0x0000014A59E14000-memory.dmp

Filesize
144KB

Download
memory/612-92-0x00007FFDEC00D000-0x00007FFDEC00E000-memory.dmp

Filesize
4KB

Download
memory/612-72-0x0000014A59E20000-0x0000014A59E4B000-memory.dmp

Filesize
172KB

Download
memory/680-77-0x000001F01B980000-0x000001F01B9AB000-memory.dmp

Filesize
172KB

Download
memory/680-81-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/680-103-0x00007FFDEC00D000-0x00007FFDEC00E000-memory.dmp

Filesize
4KB

Download
memory/680-97-0x000001F01B980000-0x000001F01B9AB000-memory.dmp

Filesize
172KB

Download
memory/740-96-0x0000020C8BB60000-0x0000020C8BB8B000-memory.dmp

Filesize
172KB

Download
memory/740-116-0x0000020C8BB60000-0x0000020C8BB8B000-memory.dmp

Filesize
172KB

Download
memory/740-98-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/960-86-0x00000238D0DA0000-0x00000238D0DCB000-memory.dmp

Filesize
172KB

Download
memory/960-91-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/960-104-0x00000238D0DA0000-0x00000238D0DCB000-memory.dmp

Filesize
172KB

Download
memory/960-115-0x00007FFDEC00C000-0x00007FFDEC00D000-memory.dmp

Filesize
4KB

Download
memory/1048-129-0x000001E6A6BD0000-0x000001E6A6BFB000-memory.dmp

Filesize
172KB

Download
memory/1048-127-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/1048-123-0x000001E6A6BD0000-0x000001E6A6BFB000-memory.dmp

Filesize
172KB

Download
memory/1048-278-0x000001E6A6BD0000-0x000001E6A6BFB000-memory.dmp

Filesize
172KB

Download
memory/1128-130-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/1128-126-0x000002498AB40000-0x000002498AB6B000-memory.dmp

Filesize
172KB

Download
memory/1128-145-0x000002498AB40000-0x000002498AB6B000-memory.dmp

Filesize
172KB

Download
memory/1136-279-0x000001F2854E0000-0x000001F28550B000-memory.dmp

Filesize
172KB

Download
memory/1136-146-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/1136-148-0x000001F2854E0000-0x000001F28550B000-memory.dmp

Filesize
172KB

Download
memory/1136-132-0x000001F2854E0000-0x000001F28550B000-memory.dmp

Filesize
172KB

Download
memory/1144-150-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/1144-147-0x00000224A9CB0000-0x00000224A9CDB000-memory.dmp

Filesize
172KB

Download
memory/1144-280-0x00000224A9CB0000-0x00000224A9CDB000-memory.dmp

Filesize
172KB

Download
memory/1144-151-0x00000224A9CB0000-0x00000224A9CDB000-memory.dmp

Filesize
172KB

Download
memory/1188-281-0x000001EDD3F40000-0x000001EDD3F6B000-memory.dmp

Filesize
172KB

Download
memory/1188-154-0x000001EDD3F40000-0x000001EDD3F6B000-memory.dmp

Filesize
172KB

Download
memory/1188-155-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/1232-160-0x00007FFDABFF0000-0x00007FFDAC000000-memory.dmp

Filesize
64KB

Download
memory/1232-161-0x00000269F85D0000-0x00000269F85FB000-memory.dmp

Filesize
172KB

Download
memory/1232-159-0x00000269F85D0000-0x00000269F85FB000-memory.dmp

Filesize
172KB

Download
memory/1320-173-0x000001C66E9C0000-0x000001C66E9EB000-memory.dmp

Filesize
172KB

Download
memory/1320-180-0x000001C66E9C0000-0x000001C66E9EB000-memory.dmp

Filesize
172KB

Download
memory/1344-183-0x000001DB68390000-0x000001DB683BB000-memory.dmp

Filesize
172KB

Download
memory/3000-52-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3000-55-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3000-66-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3000-57-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3000-53-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3000-59-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3000-60-0x00007FFDEBF70000-0x00007FFDEC165000-memory.dmp

Filesize
2.0MB

Download
memory/3000-61-0x00007FFDEBC60000-0x00007FFDEBD1E000-memory.dmp

Filesize
760KB

Download
memory/3880-70-0x00000216F3F40000-0x00000216F3F50000-memory.dmp

Filesize
64KB

Download
memory/3880-200-0x00007FF40A320000-0x00007FF40A330000-memory.dmp

Filesize
64KB

Download
memory/3880-277-0x00007FFDCD1D0000-0x00007FFDCDC91000-memory.dmp

Filesize
10.8MB

Download
memory/3880-276-0x00000216F3F40000-0x00000216F3F50000-memory.dmp

Filesize
64KB

Download
memory/3880-275-0x00000216F3F40000-0x00000216F3F50000-memory.dmp

Filesize
64KB

Download
memory/3880-274-0x00007FFDCD1D0000-0x00007FFDCDC91000-memory.dmp

Filesize
10.8MB

Download
memory/3880-271-0x00000216F6610000-0x00000216F661A000-memory.dmp

Filesize
40KB

Download
memory/3880-269-0x00000216F6600000-0x00000216F6606000-memory.dmp

Filesize
24KB

Download
memory/3880-267-0x00000216F65D0000-0x00000216F65D8000-memory.dmp

Filesize
32KB

Download
memory/3880-265-0x00000216F6620000-0x00000216F663A000-memory.dmp

Filesize
104KB

Download
memory/3880-260-0x00000216F65C0000-0x00000216F65CA000-memory.dmp

Filesize
40KB

Download
memory/3880-217-0x00000216F65E0000-0x00000216F65FC000-memory.dmp

Filesize
112KB

Download
memory/3880-208-0x00000216F3F30000-0x00000216F3F3A000-memory.dmp

Filesize
40KB

Download
memory/3880-202-0x00000216F6500000-0x00000216F65B5000-memory.dmp

Filesize
724KB

Download
memory/3880-69-0x00007FFDCD1D0000-0x00007FFDCDC91000-memory.dmp

Filesize
10.8MB

Download
memory/3880-199-0x00000216F3F10000-0x00000216F3F2C000-memory.dmp

Filesize
112KB

Download
memory/3880-201-0x00000216F3F40000-0x00000216F3F50000-memory.dmp

Filesize
64KB

Download
memory/4624-79-0x0000000000D80000-0x0000000000D9C000-memory.dmp

Filesize
112KB

Download
memory/4624-90-0x000000001B090000-0x000000001B0A0000-memory.dmp

Filesize
64KB

Download
memory/4624-54-0x000000001B090000-0x000000001B0A0000-memory.dmp

Filesize
64KB

Download
memory/4624-49-0x0000000000310000-0x00000000004F6000-memory.dmp

Filesize
1.9MB

Download
memory/4624-179-0x00007FFDCD1D0000-0x00007FFDCDC91000-memory.dmp

Filesize
10.8MB

Download
memory/4624-50-0x00007FFDCD1D0000-0x00007FFDCDC91000-memory.dmp

Filesize
10.8MB

Download
memory/4624-167-0x00007FFDCD1D0000-0x00007FFDCDC91000-memory.dmp

Filesize
10.8MB

Download
memory/4624-62-0x000000001B090000-0x000000001B0A0000-memory.dmp

Filesize
64KB

Download
memory/4624-171-0x000000001B090000-0x000000001B0A0000-memory.dmp

Filesize
64KB

Download
memory/4624-74-0x0000000000D00000-0x0000000000D0E000-memory.dmp

Filesize
56KB

Download
memory/4624-118-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download
memory/4624-82-0x00007FFDEBC60000-0x00007FFDEBD1E000-memory.dmp

Filesize
760KB

Download
memory/4624-125-0x00007FFDEBC10000-0x00007FFDEBC11000-memory.dmp

Filesize
4KB

Download
memory/4624-56-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4624-89-0x000000001B2F0000-0x000000001B340000-memory.dmp

Filesize
320KB

Download
memory/4624-85-0x00007FFDEBC50000-0x00007FFDEBC51000-memory.dmp

Filesize
4KB

Download
memory/4624-101-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/4624-99-0x00007FFDEBC40000-0x00007FFDEBC41000-memory.dmp

Filesize
4KB

Download
memory/4624-94-0x0000000002650000-0x0000000002668000-memory.dmp

Filesize
96KB

Download
memory/4624-119-0x00007FFDEBC20000-0x00007FFDEBC21000-memory.dmp

Filesize
4KB

Download
memory/4624-122-0x00007FFDEBC30000-0x00007FFDEBC31000-memory.dmp

Filesize
4KB

Download
memory/5104-44-0x00007FFDCCE00000-0x00007FFDCD8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5104-41-0x0000028737020000-0x0000028737030000-memory.dmp

Filesize
64KB

Download
memory/5104-40-0x0000028737020000-0x0000028737030000-memory.dmp

Filesize
64KB

Download
memory/5104-29-0x000002871EBD0000-0x000002871EBF2000-memory.dmp

Filesize
136KB

Download
memory/5104-35-0x00007FFDCCE00000-0x00007FFDCD8C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads