zgrat | 81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

Analysis

max time kernel
130s
max time network
148s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Size

1.8MB
MD5

15b75648ad8160565cfd4008ae223ce0
SHA1

2800a25191362b57c9762c74fc668960f11937bc
SHA256

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d
SHA512

25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b
SSDEEP

24576:pRr3fEcKSoIu4cMlay9GvZsk8ynlK01Pi5LO1K4Bb/8GeAyb1L5ZXMUJcapQKS3L:TAUpQ8yU26a1KU8ZAyb15ea61pFWcig

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1960-1-0x0000000001270000-0x000000000144A000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000016d7d-27.dat	family_zgrat_v1
behavioral1/memory/2448-49-0x0000000000E90000-0x000000000106A000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\System.exe\", \"C:\\Windows\\ShellNew\\explorer.exe\", \"C:\\Windows\\IME\\IMESC5\\HELP\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\", \"C:\\Windows\\LiveKernelReports\\spoolsv.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\wininit.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\System.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\System.exe\", \"C:\\Windows\\ShellNew\\explorer.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\System.exe\", \"C:\\Windows\\ShellNew\\explorer.exe\", \"C:\\Windows\\IME\\IMESC5\\HELP\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\System.exe\", \"C:\\Windows\\ShellNew\\explorer.exe\", \"C:\\Windows\\IME\\IMESC5\\HELP\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\", \"C:\\Windows\\LiveKernelReports\\spoolsv.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2764	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2764	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
2448	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\ShellNew\\explorer.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Windows\\IME\\IMESC5\\HELP\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Windows\\IME\\IMESC5\\HELP\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\LiveKernelReports\\spoolsv.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\LiveKernelReports\\spoolsv.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Adobe\\wininit.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Adobe\\wininit.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Portable Devices\\System.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Portable Devices\\System.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\ShellNew\\explorer.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC687115D3534C450EA6DF632642791281.TMP	csc.exe
File created	\??\c:\Windows\System32\wx6deg.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files (x86)\Adobe\wininit.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files (x86)\Adobe\56085415360792	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LiveKernelReports\spoolsv.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\LiveKernelReports\f3b6ecef712a24	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\IME\IMESC5\HELP\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\IME\IMESC5\HELP\f9e5452d404055	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\ShellNew\explorer.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\ShellNew\7a0fd90576e088	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\LiveKernelReports\spoolsv.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2944	schtasks.exe
2468	schtasks.exe
1628	schtasks.exe
2952	schtasks.exe
1252	schtasks.exe
2524	schtasks.exe
296	schtasks.exe
2748	schtasks.exe
2828	schtasks.exe
744	schtasks.exe
1656	schtasks.exe
2628	schtasks.exe
2792	schtasks.exe
2616	schtasks.exe
2484	schtasks.exe
1216	schtasks.exe
1572	schtasks.exe
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
2448	spoolsv.exe
2448	spoolsv.exe
2448	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2448	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Token: SeDebugPrivilege	2448	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2416	1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	32
PID 1960 wrote to memory of 2416	1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	32
PID 1960 wrote to memory of 2416	1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	32
PID 2416 wrote to memory of 2496	2416	csc.exe	34
PID 2416 wrote to memory of 2496	2416	csc.exe	34
PID 2416 wrote to memory of 2496	2416	csc.exe	34
PID 1960 wrote to memory of 1188	1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	50
PID 1960 wrote to memory of 1188	1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	50
PID 1960 wrote to memory of 1188	1960	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	50
PID 1188 wrote to memory of 1748	1188	cmd.exe	52
PID 1188 wrote to memory of 1748	1188	cmd.exe	52
PID 1188 wrote to memory of 1748	1188	cmd.exe	52
PID 1188 wrote to memory of 2036	1188	cmd.exe	53
PID 1188 wrote to memory of 2036	1188	cmd.exe	53
PID 1188 wrote to memory of 2036	1188	cmd.exe	53
PID 1188 wrote to memory of 2448	1188	cmd.exe	54
PID 1188 wrote to memory of 2448	1188	cmd.exe	54
PID 1188 wrote to memory of 2448	1188	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
"C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n4g1s0xi\n4g1s0xi.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp" "c:\Windows\System32\CSC687115D3534C450EA6DF632642791281.TMP"
    3⤵
    PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RJdTu99W2t.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1748
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2036
- - C:\Windows\LiveKernelReports\spoolsv.exe
    "C:\Windows\LiveKernelReports\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMESC5\HELP\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\HELP\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\IMESC5\HELP\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\wininit.exe

Filesize
1.8MB

MD5
15b75648ad8160565cfd4008ae223ce0

SHA1
2800a25191362b57c9762c74fc668960f11937bc

SHA256
81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

SHA512
25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES29EE.tmp

Filesize
1KB

MD5
a3927745425496522f93ef8ecf48ea11

SHA1
fb24125bf6990f6339176acce1a2028544464880

SHA256
80cb4ea427cfd7b958a4a2f6227378423a7b4aa1956d8ebeb8286af9fa651a3e

SHA512
6fd92306244740c2801e65fa2aefd2317efd6b04b6583d601f07702bbf4704d5d8f4bf17a609e28cae55a688fb2a456ac4b2135b21d849165b3a8d96efe2bb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RJdTu99W2t.bat

Filesize
216B

MD5
8b9bccec6af794bfe6eb28075b4a6832

SHA1
5a6cfa02d3d935ffbd049438a48afb60c0c23d34

SHA256
06f256a006568b0fa964c94bada579b5fb7eb4bcb083336d7223c2dc44e4f13e

SHA512
2e6b12e03863efbc9607b56b57cf96ae9b7f03b70b46d98b682b1e227adc635a2550f7266fee7927a8bbdbce84cf130fbb6738d9c3f3cbe1469bb68dce4ae1c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n4g1s0xi\n4g1s0xi.0.cs

Filesize
372B

MD5
90ec223b2a1833eee9a4f10a9179397b

SHA1
ae09eacd90c7a5b277dda1e70088247205bd811b

SHA256
76ad1159d05724e2366d7e8a1a04d2195ac2feeebdb996d31f4dac0d3e916f32

SHA512
f000cd3d2714a775f6dc1102391a21f66d714813bb53184c30c7a60ff4139b35d339a157083eb4c38d77821719e892ead31041f0ea5fa7f528d5cd0feb232e77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n4g1s0xi\n4g1s0xi.cmdline

Filesize
235B

MD5
dccb1cfd8dc34fe39cb3d30445405fa4

SHA1
73a414ea39862a3abf2803d6b5e1265f3a033647

SHA256
c6b283694b3d83d823476bf2e76353d6be65e7808a28f56f7c7554aad57d95c3

SHA512
a8ee5d83f2bcc44b3e6c0014ab793953fce4ac8bd4d18f11047a5bb14185790a88a61ad747c60d688537a71db60e0865b30baf8fddae2e87a2b985c73359c8bd

Download Submit
\??\c:\Windows\System32\CSC687115D3534C450EA6DF632642791281.TMP

Filesize
1KB

MD5
81f176b5da6f2f0e6b33c353995a2d09

SHA1
50fd7cc1c2c859d60f71fc36b122f70509f735e8

SHA256
003098fe5fd83cb4346dded8d55b9b673e4238d8dc810b59e22bc14eb7238478

SHA512
f40f10fe04872ed873774be305461262ce4e6416ca38561c4d74efd2a8a3ebbc58e9529de22e3fccd7413531f34fa56dc1cc2a7412b349fb7917d499d63835d8

Download Submit
memory/1960-6-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1960-10-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1960-14-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/1960-15-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-16-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-18-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-12-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/1960-8-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-7-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

Filesize
4KB

Download
memory/1960-4-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-3-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-2-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-1-0x0000000001270000-0x000000000144A000-memory.dmp

Filesize
1.9MB

Download
memory/1960-46-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2448-49-0x0000000000E90000-0x000000000106A000-memory.dmp

Filesize
1.9MB

Download