zgrat | 61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06/05/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
Size

7.2MB
MD5

5446af14bfb2bf63ec1b409a0752f2bb
SHA1

2d0ed53f2bab261a09e50e35b95f896ddf6dd688
SHA256

61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434
SHA512

3f96ff6656d7937fe3be66688c5559a238be9e0277373dd8a325f2e36fbd50095285ae8da8db0b59f0706b9514bdf54f2f66da81caf4d2818b9c9d20d5cff436
SSDEEP

49152:OSa5+lvH/3ehlWOU9Hl73KkPjOMVMC21gt9dmFF9KINW1FQr7qrzW+x30rY6yTK4:A0X3IWbXPjObC9CFAArmGm3U0KFK/j

Score

10^/10

zgrat execution rat

Malware Config

Signatures

Detect ZGRat V1 32 IoCs

resource	yara_rule
behavioral1/memory/2716-30-0x000000001BC80000-0x000000001C00E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-34-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-32-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-38-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-62-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-76-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-90-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-88-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-86-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-84-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-82-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-80-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-78-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-74-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-72-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-70-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-68-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-66-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-64-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-60-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-56-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-54-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-50-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-48-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-46-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-40-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-36-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-58-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-52-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-44-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-42-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1
behavioral1/memory/2716-31-0x000000001BC80000-0x000000001C007000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	768	schtasks.exe	31

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 40 IoCs

resource	yara_rule
behavioral1/files/0x000c000000013113-2.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2548-9-0x0000000000400000-0x0000000000B37000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x000a00000001342b-12.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2856-21-0x0000000000400000-0x0000000000AF3000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0008000000013a11-28.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2112-27-0x0000000000400000-0x0000000000A98000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-29-0x0000000000200000-0x0000000000850000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-30-0x000000001BC80000-0x000000001C00E000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-34-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-32-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-38-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-62-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-76-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-90-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-88-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-86-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-84-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-82-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-80-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-78-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-74-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-72-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-70-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-68-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-66-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-64-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-60-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-56-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-54-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-50-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-48-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-46-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-40-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-36-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-58-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-52-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-44-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-42-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2716-31-0x000000001BC80000-0x000000001C007000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1604-3739-0x0000000000F50000-0x00000000015A0000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2264	powershell.exe
944	powershell.exe
2256	powershell.exe
1284	powershell.exe
1328	powershell.exe
1436	powershell.exe
1612	powershell.exe
1656	powershell.exe
2776	powershell.exe
336	powershell.exe
1440	powershell.exe
1564	powershell.exe
2124	powershell.exe
2808	powershell.exe
540	powershell.exe
2188	powershell.exe
2788	powershell.exe
2824	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2856	Province Hacks.exe
2112	Logger.exe
2716	1.exe
1604	smss.exe

Loads dropped DLL 5 IoCs

pid	Process
2548	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
2548	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
2856	Province Hacks.exe
2856	Province Hacks.exe
2112	Logger.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteApps\wininit.exe	1.exe
File created	C:\Windows\RemotePackages\RemoteApps\56085415360792	1.exe
File created	C:\Windows\de-DE\smss.exe	1.exe
File created	C:\Windows\de-DE\69ddcba757bf72	1.exe
File created	C:\Windows\SchCache\winlogon.exe	1.exe
File created	C:\Windows\SchCache\cc11b995f2a76d	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2752	schtasks.exe
2956	schtasks.exe
3036	schtasks.exe
2000	schtasks.exe
1896	schtasks.exe
1680	schtasks.exe
2184	schtasks.exe
1912	schtasks.exe
2384	schtasks.exe
2228	schtasks.exe
1996	schtasks.exe
1624	schtasks.exe
1164	schtasks.exe
2828	schtasks.exe
2656	schtasks.exe
1504	schtasks.exe
3048	schtasks.exe
2396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe
2716	1.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	1.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1604	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2856	2548	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	28
PID 2548 wrote to memory of 2856	2548	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	28
PID 2548 wrote to memory of 2856	2548	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	28
PID 2548 wrote to memory of 2856	2548	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	28
PID 2856 wrote to memory of 2112	2856	Province Hacks.exe	29
PID 2856 wrote to memory of 2112	2856	Province Hacks.exe	29
PID 2856 wrote to memory of 2112	2856	Province Hacks.exe	29
PID 2856 wrote to memory of 2112	2856	Province Hacks.exe	29
PID 2112 wrote to memory of 2716	2112	Logger.exe	30
PID 2112 wrote to memory of 2716	2112	Logger.exe	30
PID 2112 wrote to memory of 2716	2112	Logger.exe	30
PID 2112 wrote to memory of 2716	2112	Logger.exe	30
PID 2716 wrote to memory of 2824	2716	1.exe	50
PID 2716 wrote to memory of 2824	2716	1.exe	50
PID 2716 wrote to memory of 2824	2716	1.exe	50
PID 2716 wrote to memory of 944	2716	1.exe	51
PID 2716 wrote to memory of 944	2716	1.exe	51
PID 2716 wrote to memory of 944	2716	1.exe	51
PID 2716 wrote to memory of 2788	2716	1.exe	52
PID 2716 wrote to memory of 2788	2716	1.exe	52
PID 2716 wrote to memory of 2788	2716	1.exe	52
PID 2716 wrote to memory of 2776	2716	1.exe	53
PID 2716 wrote to memory of 2776	2716	1.exe	53
PID 2716 wrote to memory of 2776	2716	1.exe	53
PID 2716 wrote to memory of 2808	2716	1.exe	54
PID 2716 wrote to memory of 2808	2716	1.exe	54
PID 2716 wrote to memory of 2808	2716	1.exe	54
PID 2716 wrote to memory of 2124	2716	1.exe	57
PID 2716 wrote to memory of 2124	2716	1.exe	57
PID 2716 wrote to memory of 2124	2716	1.exe	57
PID 2716 wrote to memory of 2188	2716	1.exe	58
PID 2716 wrote to memory of 2188	2716	1.exe	58
PID 2716 wrote to memory of 2188	2716	1.exe	58
PID 2716 wrote to memory of 1656	2716	1.exe	59
PID 2716 wrote to memory of 1656	2716	1.exe	59
PID 2716 wrote to memory of 1656	2716	1.exe	59
PID 2716 wrote to memory of 1564	2716	1.exe	61
PID 2716 wrote to memory of 1564	2716	1.exe	61
PID 2716 wrote to memory of 1564	2716	1.exe	61
PID 2716 wrote to memory of 1612	2716	1.exe	62
PID 2716 wrote to memory of 1612	2716	1.exe	62
PID 2716 wrote to memory of 1612	2716	1.exe	62
PID 2716 wrote to memory of 1436	2716	1.exe	64
PID 2716 wrote to memory of 1436	2716	1.exe	64
PID 2716 wrote to memory of 1436	2716	1.exe	64
PID 2716 wrote to memory of 1328	2716	1.exe	65
PID 2716 wrote to memory of 1328	2716	1.exe	65
PID 2716 wrote to memory of 1328	2716	1.exe	65
PID 2716 wrote to memory of 1440	2716	1.exe	66
PID 2716 wrote to memory of 1440	2716	1.exe	66
PID 2716 wrote to memory of 1440	2716	1.exe	66
PID 2716 wrote to memory of 1284	2716	1.exe	67
PID 2716 wrote to memory of 1284	2716	1.exe	67
PID 2716 wrote to memory of 1284	2716	1.exe	67
PID 2716 wrote to memory of 2264	2716	1.exe	68
PID 2716 wrote to memory of 2264	2716	1.exe	68
PID 2716 wrote to memory of 2264	2716	1.exe	68
PID 2716 wrote to memory of 2256	2716	1.exe	71
PID 2716 wrote to memory of 2256	2716	1.exe	71
PID 2716 wrote to memory of 2256	2716	1.exe	71
PID 2716 wrote to memory of 540	2716	1.exe	73
PID 2716 wrote to memory of 540	2716	1.exe	73
PID 2716 wrote to memory of 540	2716	1.exe	73
PID 2716 wrote to memory of 336	2716	1.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
"C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe
  "C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\Logger.exe
    "C:\Users\Admin\AppData\Local\Temp\Logger.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y7XCVZlaCv.bat"
        5⤵
        
        PID:1984
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1872
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:488
      - C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteApps\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
6.3MB

MD5
4e2c3489ec26807d69f9171479886188

SHA1
40f8c57e6918d1626177810c6f1b5a65d9bf93d1

SHA256
33466d0c92e0fb64d98b89ca503976b86cfd5400c387aeb9dd66f096b4c14ca9

SHA512
0ed949039d77b4777f8da9ede1e245b22759fa2bd86ec90692c216263a27693264f926ad256336a8b4e2e688c05deb4790ba0a2799479213a9cb9960787f0d3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aa37a9577eafa2cfb42aa8f0b1c75015

SHA1
aa8430ddfb3ffeafb1d814730f1246ca96ebfc8c

SHA256
3740a6c5cedeb3a7b53921d12e3db641bd99f47c7aca35cf415c87ff8e0cdb1f

SHA512
a993edc32b7a6805ee9ea115272cbe5c9996014c39365f12177dedef634bd311e01f43ff2ec48606d3f558103fd8991b1021659e3236a3fcce410e77056ba8bc

Download Submit
\Users\Admin\AppData\Local\Temp\Logger.exe

Filesize
6.6MB

MD5
48bfaeb0285f1b090cbf09e2feb6ad10

SHA1
67d25ecce37f5a70ec950758351e81593b99ed05

SHA256
d8c19254251b41d6f815582ba4c018994cae3bdf3677e198a88138a43aaaf15e

SHA512
f8f19c480a72dcb1a88585a94c95767dfdaab0320aafd46f61309385fd9f7e68a8b392801ab243e7c545f43cd9e23366aa94814a05d9f9a0b604c22ab81ad08d

Download Submit
\Users\Admin\AppData\Local\Temp\Province Hacks.exe

Filesize
6.9MB

MD5
d22490055518bbf8d44579a00453da46

SHA1
d738768635f9646c71b98befc3bf2a4c9f5c29e3

SHA256
ee2c37126091fa67a5b5abbf7ac2a4271514ec7620aef87b34d42e80c576cd0a

SHA512
ecdd5baf602b3e9e59f15b47ad3925026568be9fdf1d384cc3dbae2b292abbf1878cbd1f919cf680442c65a9299c3496d9f03fed8b8504ba34f805e5ef984f08

Download Submit
memory/1284-3736-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1604-3739-0x0000000000F50000-0x00000000015A0000-memory.dmp

Filesize
6.3MB

Download
memory/2112-27-0x0000000000400000-0x0000000000A98000-memory.dmp

Filesize
6.6MB

Download
memory/2548-9-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2716-46-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-44-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-32-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-38-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-62-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-76-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-90-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-88-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-86-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-84-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-82-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-80-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-78-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-74-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-72-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-70-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-68-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-66-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-64-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-60-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-56-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-54-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-50-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-48-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-30-0x000000001BC80000-0x000000001C00E000-memory.dmp

Filesize
3.6MB

Download
memory/2716-40-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-36-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-58-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-52-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-34-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-42-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-31-0x000000001BC80000-0x000000001C007000-memory.dmp

Filesize
3.5MB

Download
memory/2716-3588-0x0000000002460000-0x0000000002486000-memory.dmp

Filesize
152KB

Download
memory/2716-3590-0x0000000000A60000-0x0000000000A6E000-memory.dmp

Filesize
56KB

Download
memory/2716-3594-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2716-3596-0x00000000024D0000-0x00000000024E8000-memory.dmp

Filesize
96KB

Download
memory/2716-3598-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/2716-3592-0x00000000024B0000-0x00000000024CC000-memory.dmp

Filesize
112KB

Download
memory/2716-3602-0x0000000002490000-0x000000000249E000-memory.dmp

Filesize
56KB

Download
memory/2716-3600-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/2716-3604-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/2716-3606-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/2716-3608-0x00000000027D0000-0x00000000027E6000-memory.dmp

Filesize
88KB

Download
memory/2716-3610-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/2716-3612-0x00000000024F0000-0x00000000024FE000-memory.dmp

Filesize
56KB

Download
memory/2716-3614-0x0000000002600000-0x0000000002610000-memory.dmp

Filesize
64KB

Download
memory/2716-3618-0x000000001B260000-0x000000001B2BA000-memory.dmp

Filesize
360KB

Download
memory/2716-3620-0x0000000002810000-0x000000000281E000-memory.dmp

Filesize
56KB

Download
memory/2716-3616-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2716-3622-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/2716-3624-0x0000000002830000-0x000000000283E000-memory.dmp

Filesize
56KB

Download
memory/2716-3626-0x000000001B140000-0x000000001B158000-memory.dmp

Filesize
96KB

Download
memory/2716-3628-0x0000000002840000-0x000000000284C000-memory.dmp

Filesize
48KB

Download
memory/2716-3630-0x000000001C110000-0x000000001C15E000-memory.dmp

Filesize
312KB

Download
memory/2716-29-0x0000000000200000-0x0000000000850000-memory.dmp

Filesize
6.3MB

Download
memory/2788-3735-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2856-21-0x0000000000400000-0x0000000000AF3000-memory.dmp

Filesize
6.9MB

Download