zgrat | 81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Size

1.8MB
MD5

15b75648ad8160565cfd4008ae223ce0
SHA1

2800a25191362b57c9762c74fc668960f11937bc
SHA256

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d
SHA512

25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b
SSDEEP

24576:pRr3fEcKSoIu4cMlay9GvZsk8ynlK01Pi5LO1K4Bb/8GeAyb1L5ZXMUJcapQKS3L:TAUpQ8yU26a1KU8ZAyb15ea61pFWcig

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/1864-1-0x0000000000B80000-0x0000000000D5A000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000a000000023b8a-25.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\lsass.exe\", \"C:\\Windows\\Web\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\lsass.exe\", \"C:\\Windows\\Web\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\OfficeClickToRun.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\lsass.exe\", \"C:\\Windows\\Web\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\OfficeClickToRun.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\lsass.exe\", \"C:\\Windows\\Web\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\OfficeClickToRun.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Links\\lsass.exe\", \"C:\\Windows\\Web\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\OfficeClickToRun.exe\", \"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2372	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2372	schtasks.exe	86

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Executes dropped EXE 1 IoCs

pid	Process
4256	lsass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Mail\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Links\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Web\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\OfficeClickToRun.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\OfficeClickToRun.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Links\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Web\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\LiveKernelReports\\backgroundTaskHost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC88E032948D3042C191308056BC6B1BA.TMP	csc.exe
File created	\??\c:\Windows\System32\wj3gg0.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\lsass.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\lsass.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files (x86)\Windows Mail\6203df4a6bafc7	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\e6c9b481da804f	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\backgroundTaskHost.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\LiveKernelReports\eddb19405b7ce1	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\Web\lsass.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\Web\6203df4a6bafc7	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4664	schtasks.exe
2540	schtasks.exe
3628	schtasks.exe
2044	schtasks.exe
3208	schtasks.exe
2216	schtasks.exe
2336	schtasks.exe
4896	schtasks.exe
2900	schtasks.exe
1216	schtasks.exe
3036	schtasks.exe
3352	schtasks.exe
3216	schtasks.exe
3844	schtasks.exe
4320	schtasks.exe
760	schtasks.exe
592	schtasks.exe
1856	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4256	lsass.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Token: SeDebugPrivilege	4256	lsass.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 4592	1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	90
PID 1864 wrote to memory of 4592	1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	90
PID 4592 wrote to memory of 5096	4592	csc.exe	92
PID 4592 wrote to memory of 5096	4592	csc.exe	92
PID 1864 wrote to memory of 948	1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	109
PID 1864 wrote to memory of 948	1864	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	109
PID 948 wrote to memory of 2240	948	cmd.exe	112
PID 948 wrote to memory of 2240	948	cmd.exe	112
PID 948 wrote to memory of 516	948	cmd.exe	113
PID 948 wrote to memory of 516	948	cmd.exe	113
PID 948 wrote to memory of 4256	948	cmd.exe	118
PID 948 wrote to memory of 4256	948	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
"C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5wj5yt20\5wj5yt20.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES446B.tmp" "c:\Windows\System32\CSC88E032948D3042C191308056BC6B1BA.TMP"
    3⤵
    PID:5096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W1DQrbJds0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2240
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:516
- - C:\Program Files (x86)\Windows Mail\lsass.exe
    "C:\Program Files (x86)\Windows Mail\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Links\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Web\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES446B.tmp

Filesize
1KB

MD5
acf1e2a07c88f64e2f703d940b46dae1

SHA1
59b668b5dbc562bf6ef095a6bcb96573db060794

SHA256
e8c074f12da1d8e8651227e5acf76b0c63aa13b88944e45be12ea5c3043fd3aa

SHA512
bf4130c1d18cca2c0e1b1e5266ef4c01214110a86f85f35b4441857f3b1d13f0da4ae565e55ca7482debefbebae85b79645962daf91fc2fc19aa28d2ea510ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\W1DQrbJds0.bat

Filesize
221B

MD5
58493206d174862e1ebc3f405f96e1ac

SHA1
53ef6a4e94a2735eee95758ed62802ecc0779350

SHA256
934a5568e6c4d3b23ab3cb94d00e3de6d35a0f0feeaa0e286e0580249cf65aa2

SHA512
f903b2a43ac059418409dc032b65d14936cb6a2ece2e2a359b312a60bb2708b6f37c5801dec6f6ba5642221338eaf23e4a46cfb66380e4c25def1171e244ab93

Download Submit
C:\Users\Default\Links\lsass.exe

Filesize
1.8MB

MD5
15b75648ad8160565cfd4008ae223ce0

SHA1
2800a25191362b57c9762c74fc668960f11937bc

SHA256
81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

SHA512
25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5wj5yt20\5wj5yt20.0.cs

Filesize
364B

MD5
7da32779fbef655c4cff0d2f4b1244bf

SHA1
f2610b765c030263d2ad36eaca6f8d8305e15679

SHA256
e69483a556d5edf34b5c432abda5d06ead099d0e2291e75718a94c115b71ef4a

SHA512
afb5173b5d54d17915df4c8b6ae1cf0158b2c515757cecb07b3ef22120feb1488d95fb027f2a4b81f33295234a1b014839e5e4bb286f9734a468ad77d3d93f99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5wj5yt20\5wj5yt20.cmdline

Filesize
235B

MD5
5b12a6cdd99c7447f0615ba8870f50b2

SHA1
14951cc9212863a1b695b71fe258ef223bb5d194

SHA256
c3849ba50c82b872fef0858c9ff80e091bb8e2642720903ec594cadb8e28ca55

SHA512
d6a3646108f2e8f93543263146d4644a86845581dfbb35785f84a24a879c571f040d947f49b77bc73d3f080931dc3fea1afe0aa34548d671ab77bd5e7eb97cc6

Download Submit
\??\c:\Windows\System32\CSC88E032948D3042C191308056BC6B1BA.TMP

Filesize
1KB

MD5
fc8059b5255b923f4956fbb9fde49aa2

SHA1
cee42442f0945012958fdd60f08a5b0f4d953608

SHA256
dfc8527fe4ce4eb1d97eeefcaeb02cbd320da16e4515171e2688228ee99fc4ae

SHA512
b3aa1009a05ee4ac931b2797e9fbf035a6f6f30975cab9e1724edcf2da9705c349d40db4710adfe140f90e5be65fc272f94616e89dc7cdf204aae58b957cb05d

Download Submit
memory/1864-9-0x000000001B980000-0x000000001B99C000-memory.dmp

Filesize
112KB

Download
memory/1864-29-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-10-0x000000001BD30000-0x000000001BD80000-memory.dmp

Filesize
320KB

Download
memory/1864-4-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-14-0x0000000002E80000-0x0000000002E8C000-memory.dmp

Filesize
48KB

Download
memory/1864-15-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-3-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-27-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-28-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-12-0x000000001B9A0000-0x000000001B9B8000-memory.dmp

Filesize
96KB

Download
memory/1864-33-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-7-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-0-0x00007FFF6E0A3000-0x00007FFF6E0A5000-memory.dmp

Filesize
8KB

Download
memory/1864-6-0x0000000002DE0000-0x0000000002DEE000-memory.dmp

Filesize
56KB

Download
memory/1864-2-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-48-0x00007FFF6E0A0000-0x00007FFF6EB61000-memory.dmp

Filesize
10.8MB

Download
memory/1864-1-0x0000000000B80000-0x0000000000D5A000-memory.dmp

Filesize
1.9MB

Download
memory/4256-57-0x000000001AD40000-0x000000001AD48000-memory.dmp

Filesize
32KB

Download