zgrat | 81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Size

1.8MB
MD5

15b75648ad8160565cfd4008ae223ce0
SHA1

2800a25191362b57c9762c74fc668960f11937bc
SHA256

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d
SHA512

25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b
SSDEEP

24576:pRr3fEcKSoIu4cMlay9GvZsk8ynlK01Pi5LO1K4Bb/8GeAyb1L5ZXMUJcapQKS3L:TAUpQ8yU26a1KU8ZAyb15ea61pFWcig

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/1364-1-0x0000000000C90000-0x0000000000E6A000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000a000000023bc1-26.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\sysmon.exe\", \"C:\\Program Files\\Google\\Chrome\\sysmon.exe\", \"C:\\Windows\\CbsTemp\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\sysmon.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\sysmon.exe\", \"C:\\Program Files\\Google\\Chrome\\sysmon.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\sysmon.exe\", \"C:\\Program Files\\Google\\Chrome\\sysmon.exe\", \"C:\\Windows\\CbsTemp\\dllhost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\sysmon.exe\", \"C:\\Program Files\\Google\\Chrome\\sysmon.exe\", \"C:\\Windows\\CbsTemp\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\RuntimeBroker.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2464	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2464	schtasks.exe	84

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral2/memory/1364-1-0x0000000000C90000-0x0000000000E6A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000a000000023bc1-26.dat	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Executes dropped EXE 1 IoCs

pid	Process
3960	sysmon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Public\\Documents\\My Pictures\\sysmon.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Google\\Chrome\\sysmon.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\CbsTemp\\dllhost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office 15\\RuntimeBroker.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office 15\\RuntimeBroker.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Public\\Documents\\My Pictures\\sysmon.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\CbsTemp\\dllhost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Google\\Chrome\\sysmon.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC2A782E1D3BD3459BB647743192358828.TMP	csc.exe
File created	\??\c:\Windows\System32\ja7kri.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\RuntimeBroker.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RuntimeBroker.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files\Microsoft Office 15\9e8d7a4ca61bd9	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files\Google\Chrome\sysmon.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files\Google\Chrome\121e5b5079f7c0	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CbsTemp\dllhost.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\CbsTemp\5940a34987c991	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4356	schtasks.exe
4424	schtasks.exe
3872	schtasks.exe
4620	schtasks.exe
1712	schtasks.exe
2280	schtasks.exe
3076	schtasks.exe
1984	schtasks.exe
1428	schtasks.exe
1708	schtasks.exe
4644	schtasks.exe
1932	schtasks.exe
4604	schtasks.exe
4304	schtasks.exe
4544	schtasks.exe
4812	schtasks.exe
212	schtasks.exe
2328	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3960	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Token: SeDebugPrivilege	3960	sysmon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2036	1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	89
PID 1364 wrote to memory of 2036	1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	89
PID 2036 wrote to memory of 1908	2036	csc.exe	94
PID 2036 wrote to memory of 1908	2036	csc.exe	94
PID 1364 wrote to memory of 4240	1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	111
PID 1364 wrote to memory of 4240	1364	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	111
PID 4240 wrote to memory of 912	4240	cmd.exe	113
PID 4240 wrote to memory of 912	4240	cmd.exe	113
PID 4240 wrote to memory of 1448	4240	cmd.exe	114
PID 4240 wrote to memory of 1448	4240	cmd.exe	114
PID 4240 wrote to memory of 3960	4240	cmd.exe	119
PID 4240 wrote to memory of 3960	4240	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
"C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3j1w1ybl\3j1w1ybl.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57B5.tmp" "c:\Windows\System32\CSC2A782E1D3BD3459BB647743192358828.TMP"
    3⤵
    PID:1908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EQVSU6ui7g.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:912
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1448
- - C:\Users\Public\Documents\My Pictures\sysmon.exe
    "C:\Users\Public\Documents\My Pictures\sysmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.8MB

MD5
15b75648ad8160565cfd4008ae223ce0

SHA1
2800a25191362b57c9762c74fc668960f11937bc

SHA256
81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

SHA512
25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQVSU6ui7g.bat

Filesize
224B

MD5
5897358693a6e3029cbeb5fcde3fe1b0

SHA1
1f8f33d23b5aebfb1cbdd5672ec4d00fe3ec6262

SHA256
14d229ba7142f50cde3bd10ddb2ca0e2f835a27837924550788562b2535b54e7

SHA512
d91be015cc940a9b906ffa17374a3194c60114dec289b0d718ff2a2eeaa55bc383dcbe677971131e1b6be9f148efa75169190bc1210834358981a7cd71cfc9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES57B5.tmp

Filesize
1KB

MD5
f62c24cf960701535e0fe9d1f9d40ace

SHA1
a9ddcd5eab50ecf5f7440dfb1cdb22cb750e0457

SHA256
44acd494a816f0d8313c48288ded53d844a6780d55a7d07d968ae5bb048e86b3

SHA512
9c5abfefba872b435b6f5ab820a653b2db2dbbcedc67034dd8a2c7243865e00de87fbf142b7f19b2196c7b64ed934046e0b891b36f66532a0830a282646d124a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3j1w1ybl\3j1w1ybl.0.cs

Filesize
370B

MD5
c7f4e7df086ee5149802399b0497ef24

SHA1
30ee0b97e77f3f4eb5c24f633336fd3cc016b67f

SHA256
8079ce7ed4d4e51bc274fca1f49534cc35dc0f41820c534100d30958d9462366

SHA512
b1677daf50e170be10a81ead963e6f8b7ea16fa9b9646024f9f5eaf398e2f06e1538e712059f617477234a5af6a4a72bec0d4bddbde85160b1e88c2857dd031a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3j1w1ybl\3j1w1ybl.cmdline

Filesize
235B

MD5
73ff392c0ac474b532ab88f081d218bb

SHA1
408dcf6f1109870b66bcefcf4198eddb0dc3732a

SHA256
a690dc8b85c6aed5d62e54068ab8adf71b0e4583d42b52b6e86f7fd7d8080f9c

SHA512
49dafb0c41587b9892fc4d12928eea2f8d7dda4aa398ec1c81e7943d5190dde92d97de6f5cabff42e4c5b1252702cb2d971d28ccb085209e96983e80932fac67

Download Submit
\??\c:\Windows\System32\CSC2A782E1D3BD3459BB647743192358828.TMP

Filesize
1KB

MD5
c39f312a5cba8a420c1a93bbab328edc

SHA1
20dabcad44082ed54949c50dd2e8a4178a046340

SHA256
2077b880e475632b0638001558cbdff81982b820fcfd7bcde8d688730f432e9e

SHA512
8818d4fe55a0ee022100fa73b6a2248c35ab775cf14292353f3d1a0c3c3f91021b00c56c7787184373aaf595b4833b1963fe9814e85b65cba6c989bbe2d29038

Download Submit
memory/1364-14-0x0000000003040000-0x000000000304C000-memory.dmp

Filesize
48KB

Download
memory/1364-32-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-12-0x000000001BAC0000-0x000000001BAD8000-memory.dmp

Filesize
96KB

Download
memory/1364-8-0x0000000003080000-0x000000000309C000-memory.dmp

Filesize
112KB

Download
memory/1364-0-0x00007FFF7DDE3000-0x00007FFF7DDE5000-memory.dmp

Filesize
8KB

Download
memory/1364-15-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-20-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-9-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-28-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-10-0x000000001BB10000-0x000000001BB60000-memory.dmp

Filesize
320KB

Download
memory/1364-33-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-6-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-5-0x0000000001780000-0x000000000178E000-memory.dmp

Filesize
56KB

Download
memory/1364-3-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-2-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-48-0x00007FFF7DDE0000-0x00007FFF7E8A1000-memory.dmp

Filesize
10.8MB

Download
memory/1364-1-0x0000000000C90000-0x0000000000E6A000-memory.dmp

Filesize
1.9MB

Download