zgrat | cfe275730764d39a1638d54ab8d991bc4865ec7a39b90da8b23a7b4957944b45

Analysis

max time kernel
121s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Size

1.9MB
MD5

17eb4c4e58353a5db52602d0ae321fbd
SHA1

791e65e864b8831b86149c079b09d04cac894e59
SHA256

22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1
SHA512

a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14
SSDEEP

24576:kGcK2o1bNcsQSVR7z/7VlQR/Ys6Yy0RbZEd3oJ30mJrqTgOEOkm6GNBO0mQP:7l777HagqbZoaEoki5m6G/FmQ

Score

10^/10

zgrat execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/2684-1-0x0000000000DB0000-0x0000000000F9A000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000016cb7-33.dat	family_zgrat_v1
behavioral1/memory/1608-143-0x0000000000920000-0x0000000000B0A000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\services.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\services.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2544	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2544	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1560	powershell.exe
296	powershell.exe
660	powershell.exe
1996	powershell.exe
2816	powershell.exe
1928	powershell.exe
2180	powershell.exe
2372	powershell.exe
2592	powershell.exe
2452	powershell.exe
2104	powershell.exe
1664	powershell.exe
2828	powershell.exe
1676	powershell.exe
892	powershell.exe
2344	powershell.exe
2124	powershell.exe
1624	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1 = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\services.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\csrss.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\5b7985c2-d100-11ee-bb00-c695cbc44580\\services.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1 = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\dwm.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC93BEE686293B4EE5AAD361699A637D42.TMP	csc.exe
File created	\??\c:\Windows\System32\b3zcf6.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1064	schtasks.exe
1472	schtasks.exe
2780	schtasks.exe
2744	schtasks.exe
1808	schtasks.exe
2708	schtasks.exe
1992	schtasks.exe
2584	schtasks.exe
2320	schtasks.exe
1056	schtasks.exe
344	schtasks.exe
772	schtasks.exe
1900	schtasks.exe
2704	schtasks.exe
2712	schtasks.exe
1628	schtasks.exe
1060	schtasks.exe
1484	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	services.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1892	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1608	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2604	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	32
PID 2684 wrote to memory of 2604	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	32
PID 2684 wrote to memory of 2604	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	32
PID 2604 wrote to memory of 2476	2604	csc.exe	34
PID 2604 wrote to memory of 2476	2604	csc.exe	34
PID 2604 wrote to memory of 2476	2604	csc.exe	34
PID 2684 wrote to memory of 2344	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	50
PID 2684 wrote to memory of 2344	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	50
PID 2684 wrote to memory of 2344	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	50
PID 2684 wrote to memory of 1996	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	51
PID 2684 wrote to memory of 1996	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	51
PID 2684 wrote to memory of 1996	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	51
PID 2684 wrote to memory of 1664	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	53
PID 2684 wrote to memory of 1664	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	53
PID 2684 wrote to memory of 1664	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	53
PID 2684 wrote to memory of 660	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	54
PID 2684 wrote to memory of 660	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	54
PID 2684 wrote to memory of 660	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	54
PID 2684 wrote to memory of 296	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	55
PID 2684 wrote to memory of 296	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	55
PID 2684 wrote to memory of 296	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	55
PID 2684 wrote to memory of 892	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	56
PID 2684 wrote to memory of 892	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	56
PID 2684 wrote to memory of 892	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	56
PID 2684 wrote to memory of 1560	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	57
PID 2684 wrote to memory of 1560	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	57
PID 2684 wrote to memory of 1560	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	57
PID 2684 wrote to memory of 1624	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	58
PID 2684 wrote to memory of 1624	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	58
PID 2684 wrote to memory of 1624	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	58
PID 2684 wrote to memory of 2124	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	59
PID 2684 wrote to memory of 2124	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	59
PID 2684 wrote to memory of 2124	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	59
PID 2684 wrote to memory of 2372	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	60
PID 2684 wrote to memory of 2372	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	60
PID 2684 wrote to memory of 2372	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	60
PID 2684 wrote to memory of 2180	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	62
PID 2684 wrote to memory of 2180	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	62
PID 2684 wrote to memory of 2180	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	62
PID 2684 wrote to memory of 2452	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	64
PID 2684 wrote to memory of 2452	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	64
PID 2684 wrote to memory of 2452	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	64
PID 2684 wrote to memory of 2104	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	65
PID 2684 wrote to memory of 2104	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	65
PID 2684 wrote to memory of 2104	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	65
PID 2684 wrote to memory of 1676	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	68
PID 2684 wrote to memory of 1676	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	68
PID 2684 wrote to memory of 1676	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	68
PID 2684 wrote to memory of 1928	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	70
PID 2684 wrote to memory of 1928	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	70
PID 2684 wrote to memory of 1928	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	70
PID 2684 wrote to memory of 2592	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	72
PID 2684 wrote to memory of 2592	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	72
PID 2684 wrote to memory of 2592	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	72
PID 2684 wrote to memory of 2828	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	73
PID 2684 wrote to memory of 2828	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	73
PID 2684 wrote to memory of 2828	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	73
PID 2684 wrote to memory of 2816	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	74
PID 2684 wrote to memory of 2816	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	74
PID 2684 wrote to memory of 2816	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	74
PID 2684 wrote to memory of 2088	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	86
PID 2684 wrote to memory of 2088	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	86
PID 2684 wrote to memory of 2088	2684	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	86
PID 2088 wrote to memory of 2980	2088	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
"C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\204c2jbi\204c2jbi.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FDE.tmp" "c:\Windows\System32\CSC93BEE686293B4EE5AAD361699A637D42.TMP"
    3⤵
    PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qeNS6u5c9O.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2980
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1892
- - C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe
    "C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e12" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e12" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e12" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e12" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe

Filesize
1.9MB

MD5
17eb4c4e58353a5db52602d0ae321fbd

SHA1
791e65e864b8831b86149c079b09d04cac894e59

SHA256
22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

SHA512
a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3FDE.tmp

Filesize
1KB

MD5
cf705530cfab288f848e72c66ae912ce

SHA1
64ecd769b3ec50e7d7d362d8601b801897743200

SHA256
0c627b27be18ab213d9cec62271d63ba616889fd37810971d9dcd489ddedf1d9

SHA512
e19e2f685e105d2a0d4e86c0f1401979af5c4b5a5d06533114d040252d7ca57e564ebf24cbfd61f11ac6dd26a34ce0f76b6ae645e12e9132110394e8ecbf3f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeNS6u5c9O.bat

Filesize
189B

MD5
51aca9f4a3c151adc19d01c116653b40

SHA1
9a812fcedde7dbd545260cdc2844cdcd39438491

SHA256
60262e36deabfaedb2b659e31384346eba34ab9c552d8fa336cb4fc3afe60c3a

SHA512
5dc3c6bc5475a635ba8e68b0ec0363aedb3e4681eb45525f4666b70ea8eee57b0c469dc6279c946aebeb423892ff8b2b47fc91b371eca0903736eb8f54ab5dc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e59153891da40759f3a9bedf0c58d3fc

SHA1
0c606950a2bc627c2f393ab8386dbf4aa49ebfda

SHA256
a0f69bd189b88000e21361dcf14a63fef54edb67ec18383785eca22b4686ff4e

SHA512
2385b4db4fb9b3808c7d6a33244008e2f1bdba68c86d2e9c7d541e2c271ec5d4acca9bc65be99847136b240d34b42ecc540a6e8ac83aa6a8ddd54f4681b2b069

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\204c2jbi\204c2jbi.0.cs

Filesize
390B

MD5
d57ec7a69293c6e1b4cab7dbeb1dc285

SHA1
2b64e6676dd56e5720274b0e263c4233004b83c1

SHA256
7e2bf9fffb367e1f003e6392eca74704828c2a3b2bc7f407165c22f06c6c46b7

SHA512
65733a15583be756dfc9ad4923f22aa4899b5cbd3ca849040c8d29f4eb85ff8def004ec771e48f66fbc35aa8ce86a09ed9f79d260ff5ed4100756e2d68a358d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\204c2jbi\204c2jbi.cmdline

Filesize
235B

MD5
32f7bfaf3bfc1dd2de3478bf51259fc4

SHA1
580a4bce4fe832ee5ee387bfdd6ca5cf128b69f1

SHA256
0560b621f91fbe35889afa4d3a13cb65305b3ce62f6125517c6191fdbe0e8001

SHA512
bd8799695c034313b5f393e2700bb61bdc1d267231f99082d0d3085b8401a01a9ebdf2d649739626f78259445ffb7edb4c163041e285bf9dc8bf14fb6a6241a1

Download Submit
\??\c:\Windows\System32\CSC93BEE686293B4EE5AAD361699A637D42.TMP

Filesize
1KB

MD5
65053ba71cff182339972c8e120f82dc

SHA1
f01cfd6c1206ef1ad67357a6e5607360135eb1c2

SHA256
be37fc91a219971553906fb22c0c8d78ec73c37bb1a60c449ebf14209a7d5e32

SHA512
ffc553ffbbe1ac9e5cd5e74812d4d1a63f98f96c4dd1e02d17abbf08a4223180e75dd247c0bb3443f0a9776ed5915ebd8d76960876bbe05256354594003ddd83

Download Submit
memory/1608-143-0x0000000000920000-0x0000000000B0A000-memory.dmp

Filesize
1.9MB

Download
memory/2684-10-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2684-14-0x00000000001B0000-0x00000000001BE000-memory.dmp

Filesize
56KB

Download
memory/2684-19-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-24-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-22-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-21-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2684-18-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-17-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/2684-12-0x0000000000480000-0x0000000000498000-memory.dmp

Filesize
96KB

Download
memory/2684-8-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2684-15-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-9-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-6-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2684-4-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-3-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-73-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-1-0x0000000000DB0000-0x0000000000F9A000-memory.dmp

Filesize
1.9MB

Download
memory/2684-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2816-78-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2816-79-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download