zgrat | 81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

Analysis

max time kernel
127s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Size

1.8MB
MD5

15b75648ad8160565cfd4008ae223ce0
SHA1

2800a25191362b57c9762c74fc668960f11937bc
SHA256

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d
SHA512

25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b
SSDEEP

24576:pRr3fEcKSoIu4cMlay9GvZsk8ynlK01Pi5LO1K4Bb/8GeAyb1L5ZXMUJcapQKS3L:TAUpQ8yU26a1KU8ZAyb15ea61pFWcig

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/2184-1-0x0000000000220000-0x00000000003FA000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000014b1c-27.dat	family_zgrat_v1
behavioral1/memory/2176-49-0x0000000000BC0000-0x0000000000D9A000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\winlogon.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\winlogon.exe\", \"C:\\MSOCache\\All Users\\System.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\winlogon.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\winlogon.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\dllhost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\winlogon.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\winlogon.exe\", \"C:\\MSOCache\\All Users\\System.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2784	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2784	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

resource	yara_rule
behavioral1/memory/2184-1-0x0000000000220000-0x00000000003FA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0006000000014b1c-27.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2176-49-0x0000000000BC0000-0x0000000000D9A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

pid	Process
2176	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Prefetch\\ReadyBoot\\dllhost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Google\\Temp\\smss.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default\\winlogon.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default\\winlogon.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Prefetch\\ReadyBoot\\dllhost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\System.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE4151FDB2509490FABD96482A961CF29.TMP	csc.exe
File created	\??\c:\Windows\System32\u7e72d.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\smss.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\smss.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files (x86)\Google\Temp\69ddcba757bf72	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\f9e5452d404055	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\dllhost.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\Prefetch\ReadyBoot\5940a34987c991	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2684	schtasks.exe
2152	schtasks.exe
2468	schtasks.exe
2440	schtasks.exe
2764	schtasks.exe
2660	schtasks.exe
2340	schtasks.exe
2156	schtasks.exe
1436	schtasks.exe
2656	schtasks.exe
2632	schtasks.exe
2396	schtasks.exe
1840	schtasks.exe
1776	schtasks.exe
2576	schtasks.exe
2044	schtasks.exe
2876	schtasks.exe
352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2176	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2176	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Token: SeDebugPrivilege	2176	winlogon.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2384	2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	32
PID 2184 wrote to memory of 2384	2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	32
PID 2184 wrote to memory of 2384	2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	32
PID 2384 wrote to memory of 2868	2384	csc.exe	34
PID 2384 wrote to memory of 2868	2384	csc.exe	34
PID 2384 wrote to memory of 2868	2384	csc.exe	34
PID 2184 wrote to memory of 2196	2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	50
PID 2184 wrote to memory of 2196	2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	50
PID 2184 wrote to memory of 2196	2184	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	50
PID 2196 wrote to memory of 2180	2196	cmd.exe	52
PID 2196 wrote to memory of 2180	2196	cmd.exe	52
PID 2196 wrote to memory of 2180	2196	cmd.exe	52
PID 2196 wrote to memory of 1596	2196	cmd.exe	53
PID 2196 wrote to memory of 1596	2196	cmd.exe	53
PID 2196 wrote to memory of 1596	2196	cmd.exe	53
PID 2196 wrote to memory of 2176	2196	cmd.exe	54
PID 2196 wrote to memory of 2176	2196	cmd.exe	54
PID 2196 wrote to memory of 2176	2196	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
"C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1lyxwjmf\1lyxwjmf.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15B2.tmp" "c:\Windows\System32\CSCE4151FDB2509490FABD96482A961CF29.TMP"
    3⤵
    PID:2868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\odFU1HdEgr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2180
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1596
- - C:\Users\Default\winlogon.exe
    "C:\Users\Default\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES15B2.tmp

Filesize
1KB

MD5
3e29aaa5cba91da40605ae00378b01c7

SHA1
3854918c0060c8f91df5bd188e88ce3abf03f2a0

SHA256
3201d2b047d7d10e3a4962399e3619005a686780a5dd74024d1061faa7026991

SHA512
347ce78eafb3af370996da19f57bd4b378fe4a9264f4a50303627c3e0911c321e1a4ffa402bb53223dcc9c2c63bd411e6ab277cf9b0b0f79375189a3ce163bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\odFU1HdEgr.bat

Filesize
205B

MD5
8a7ffd10634603c46688e38edd1c49a3

SHA1
4722f84320bbf1727a05b4ccefc72ac66f2fbe1f

SHA256
6b71eb787cd918a2796bd0b3abd1de476d843a692e195c3cf9a7fc92b83d3f83

SHA512
86e908986538c8c90decc5c2c54cc1c591f4565518015c9986e5b689003d971b77e84b8a2bcaad1e7dce9736a27d1d71d9caf3b604e0f6a2423510a229896147

Download Submit
C:\Users\Default\winlogon.exe

Filesize
1.8MB

MD5
15b75648ad8160565cfd4008ae223ce0

SHA1
2800a25191362b57c9762c74fc668960f11937bc

SHA256
81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

SHA512
25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1lyxwjmf\1lyxwjmf.0.cs

Filesize
361B

MD5
c1f3a29badbbae852275ceebf52f21d4

SHA1
5d82790776ab30bbee7ab305c4bc25c04dbf5170

SHA256
cf6f461165df0ac9693531d9dbd0c2d8c55329e803df694c72a29c9e571cfb5a

SHA512
a6912eae05d9f55c2ab5dbbcfe8bd3ba0c2cd14c3138f2e7a67e96a7dc1ea33bb0bf19724e4d09a0877cc18774f5f7f19c5620b4c4cb75af0b10b93c07dfaa1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1lyxwjmf\1lyxwjmf.cmdline

Filesize
235B

MD5
0516ee7873290a47cc79637082521932

SHA1
cea99e8c8074f2584d8c9e9d0ff82f80f23d1eb0

SHA256
843042ee297798e6146c382b93f30bca9f9af97f4bbda641d2a04649ee7fd847

SHA512
e60f473b53d66d4686e5953ee05637339a7a15f2d7119b2a83b581a3693d9acfd21c43de4c5de29f74935942ae0029bfe09bda07dfccf9ea40b8a027485b5d5e

Download Submit
\??\c:\Windows\System32\CSCE4151FDB2509490FABD96482A961CF29.TMP

Filesize
1KB

MD5
984924caf6574026769de34f35c2358e

SHA1
6dd41e492235d812252231912aa025f47fa7a9e7

SHA256
2bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986

SHA512
5918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46

Download Submit
memory/2176-49-0x0000000000BC0000-0x0000000000D9A000-memory.dmp

Filesize
1.9MB

Download
memory/2184-6-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/2184-8-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/2184-18-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-15-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-14-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2184-12-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-11-0x0000000000640000-0x0000000000658000-memory.dmp

Filesize
96KB

Download
memory/2184-16-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-9-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/2184-4-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-3-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-46-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-1-0x0000000000220000-0x00000000003FA000-memory.dmp

Filesize
1.9MB

Download