zgrat | 70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d83f04d14b3ef5742e3a5cb0c9089dea.exe
Size

145KB
MD5

d83f04d14b3ef5742e3a5cb0c9089dea
SHA1

5ba0a13d620b4e2352de8cd4b033c3b4b4a85015
SHA256

70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0
SHA512

0840f4acaf1b98b5358ad0f0b51696cf8298f2f7112401ae79a39de3b02d801403914bc21f1704b9bc3df390d0886859534d9b02385b360b598f745d18ab304b
SSDEEP

3072:8XZGjXpoGoByXPQs2UTXQ8yb7aFcCiSIvF68XJZ:mZGbpYByPT7lyvIcLSIvF68X

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2240-80-0x0000000007C20000-0x0000000007EE6000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-86-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-90-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-81-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-82-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-84-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-94-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-138-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-142-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-144-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-140-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-136-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-134-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-132-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-130-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-128-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-126-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-124-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-122-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-120-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-118-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-116-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-114-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-112-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-110-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-108-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-106-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-104-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-102-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-100-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-98-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-96-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-92-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-88-0x0000000007C20000-0x0000000007EE1000-memory.dmp	family_zgrat_v1
behavioral1/memory/2240-4972-0x0000000008A80000-0x0000000008B68000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

AuditFlags.exe

pid process

1240 AuditFlags.exe

pid	process
1240	AuditFlags.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

AuditFlags.exe

description pid process target process

PID 1240 set thread context of 7768 1240 AuditFlags.exe MSBuild.exe

description	pid	process	target process
PID 1240 set thread context of 7768	1240	AuditFlags.exe	MSBuild.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

d83f04d14b3ef5742e3a5cb0c9089dea.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d83f04d14b3ef5742e3a5cb0c9089dea.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d83f04d14b3ef5742e3a5cb0c9089dea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	d83f04d14b3ef5742e3a5cb0c9089dea.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	d83f04d14b3ef5742e3a5cb0c9089dea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	d83f04d14b3ef5742e3a5cb0c9089dea.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	d83f04d14b3ef5742e3a5cb0c9089dea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeAuditFlags.exepowershell.exeMSBuild.exe

pid	process
2040	powershell.exe
1240	AuditFlags.exe
1240	AuditFlags.exe
7032	powershell.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe
7768	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

d83f04d14b3ef5742e3a5cb0c9089dea.exepowershell.exeAuditFlags.exeMSBuild.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2240	d83f04d14b3ef5742e3a5cb0c9089dea.exe
Token: SeDebugPrivilege	2240	d83f04d14b3ef5742e3a5cb0c9089dea.exe
Token: SeDebugPrivilege	2240	d83f04d14b3ef5742e3a5cb0c9089dea.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1240	AuditFlags.exe
Token: SeDebugPrivilege	1240	AuditFlags.exe
Token: SeDebugPrivilege	1240	AuditFlags.exe
Token: SeDebugPrivilege	7768	MSBuild.exe
Token: SeDebugPrivilege	7768	MSBuild.exe
Token: SeDebugPrivilege	7768	MSBuild.exe
Token: SeDebugPrivilege	7032	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

taskeng.exetaskeng.exeAuditFlags.exe

description	pid	process	target process
PID 2440 wrote to memory of 2040	2440	taskeng.exe	powershell.exe
PID 2440 wrote to memory of 2040	2440	taskeng.exe	powershell.exe
PID 2440 wrote to memory of 2040	2440	taskeng.exe	powershell.exe
PID 1076 wrote to memory of 1240	1076	taskeng.exe	AuditFlags.exe
PID 1076 wrote to memory of 1240	1076	taskeng.exe	AuditFlags.exe
PID 1076 wrote to memory of 1240	1076	taskeng.exe	AuditFlags.exe
PID 1076 wrote to memory of 1240	1076	taskeng.exe	AuditFlags.exe
PID 1240 wrote to memory of 7768	1240	AuditFlags.exe	MSBuild.exe
PID 1240 wrote to memory of 7768	1240	AuditFlags.exe	MSBuild.exe
PID 1240 wrote to memory of 7768	1240	AuditFlags.exe	MSBuild.exe
PID 1240 wrote to memory of 7768	1240	AuditFlags.exe	MSBuild.exe
PID 1240 wrote to memory of 7768	1240	AuditFlags.exe	MSBuild.exe
PID 1240 wrote to memory of 7768	1240	AuditFlags.exe	MSBuild.exe
PID 1240 wrote to memory of 7768	1240	AuditFlags.exe	MSBuild.exe
PID 1240 wrote to memory of 7768	1240	AuditFlags.exe	MSBuild.exe
PID 1240 wrote to memory of 7768	1240	AuditFlags.exe	MSBuild.exe
PID 2440 wrote to memory of 7032	2440	taskeng.exe	powershell.exe
PID 2440 wrote to memory of 7032	2440	taskeng.exe	powershell.exe
PID 2440 wrote to memory of 7032	2440	taskeng.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\d83f04d14b3ef5742e3a5cb0c9089dea.exe
"C:\Users\Admin\AppData\Local\Temp\d83f04d14b3ef5742e3a5cb0c9089dea.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\taskeng.exe
taskeng.exe {5D81E1FC-A5B1-4363-89F9-49E80BE77005} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQQB1AGQAaQB0AEYAbABhAGcAcwAuAGUAeABlADsA
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQQB1AGQAaQB0AEYAbABhAGcAcwAuAGUAeABlADsA
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7032

C:\Windows\system32\taskeng.exe
taskeng.exe {77651E62-AC43-49BC-9029-90528A2B5FC6} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\ActivityId\xyjrphfd\AuditFlags.exe
  C:\Users\Admin\AppData\Local\ActivityId\xyjrphfd\AuditFlags.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:7768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ee36494e9ff17b35872c0fbc8ff5e3f

SHA1
95f2b9b7226df89f1f35ed3ff98fe0d973a943b6

SHA256
a24cad1ef08ad0a5f944245a946b891ada79800a1bab3cb7172354e079f78ac1

SHA512
220c0657dae404d67bf841ef4a369afb9eafab9f3152756865c4c28b9523741b56de09b02ab26b570ec0274b88f2e9ad1fa9efc8a8d6d57277ca7cb2d5f87032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7891a86bb1601357c72d71d487045c12

SHA1
22772343e409904b30a67b8a84f2625dfff066fa

SHA256
25463aeeabe9c204c154f899e6fa7301744e69dcb20ae45cc7721034e6d36dc8

SHA512
a7ec8718ce1cd607197e201e7498a435a74bc9d3c36d0ef1a1c251d5d967e33aff9e2c6e397b030d83e0fb29dcd983e2dd950596b0cf9f48e0ed5186207dfd4a

Download Submit
C:\Users\Admin\AppData\Local\ActivityId\xyjrphfd\AuditFlags.exe

Filesize
145KB

MD5
d83f04d14b3ef5742e3a5cb0c9089dea

SHA1
5ba0a13d620b4e2352de8cd4b033c3b4b4a85015

SHA256
70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0

SHA512
0840f4acaf1b98b5358ad0f0b51696cf8298f2f7112401ae79a39de3b02d801403914bc21f1704b9bc3df390d0886859534d9b02385b360b598f745d18ab304b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D04.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DE6.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0bfb4bd6640707edc1e6f158fa035f86

SHA1
4ff98185673332bbb79b99210cafa875fb90e7be

SHA256
225eb85c8d86a5205d09a15c98b3015019e0eafd275aca5e87f01374fd0f133e

SHA512
9e0605d48fefaca89cba5e2ea12cb73744bc4d6d531da48e10fbe968b017b4928d2d34235b70e815ca3d16580f8ac1feeb12b292d78d354212762c4155268754

Download Submit
memory/1240-7191-0x0000000000D70000-0x0000000000D98000-memory.dmp

Filesize
160KB

Download
memory/2040-7187-0x000000001A140000-0x000000001A422000-memory.dmp

Filesize
2.9MB

Download
memory/2040-7188-0x0000000001250000-0x0000000001258000-memory.dmp

Filesize
32KB

Download
memory/2240-110-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-100-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-82-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-84-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-94-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-138-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-142-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-144-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-140-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-136-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-134-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-132-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-130-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-128-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-126-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-124-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-122-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-120-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-118-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-116-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-114-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-112-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-90-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-108-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-106-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-104-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-102-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-81-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-98-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-96-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-92-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-88-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-4961-0x0000000004070000-0x0000000004071000-memory.dmp

Filesize
4KB

Download
memory/2240-4963-0x0000000004BE0000-0x0000000004C2C000-memory.dmp

Filesize
304KB

Download
memory/2240-4962-0x0000000007EF0000-0x0000000007FF2000-memory.dmp

Filesize
1.0MB

Download
memory/2240-4964-0x0000000077150000-0x0000000077226000-memory.dmp

Filesize
856KB

Download
memory/2240-4965-0x0000000005430000-0x0000000005484000-memory.dmp

Filesize
336KB

Download
memory/2240-4968-0x00000000084E0000-0x000000000858C000-memory.dmp

Filesize
688KB

Download
memory/2240-4971-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2240-4970-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2240-4969-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2240-4972-0x0000000008A80000-0x0000000008B68000-memory.dmp

Filesize
928KB

Download
memory/2240-7178-0x0000000005940000-0x0000000005996000-memory.dmp

Filesize
344KB

Download
memory/2240-7177-0x0000000005700000-0x0000000005708000-memory.dmp

Filesize
32KB

Download
memory/2240-86-0x0000000007C20000-0x0000000007EE1000-memory.dmp

Filesize
2.8MB

Download
memory/2240-80-0x0000000007C20000-0x0000000007EE6000-memory.dmp

Filesize
2.8MB

Download
memory/2240-2-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2240-7181-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-7182-0x0000000077150000-0x0000000077226000-memory.dmp

Filesize
856KB

Download
memory/2240-0-0x00000000008C0000-0x00000000008E8000-memory.dmp

Filesize
160KB

Download
memory/2240-1-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/7032-21418-0x000000001A2C0000-0x000000001A5A2000-memory.dmp

Filesize
2.9MB

Download
memory/7032-21419-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/7768-14309-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download