zgrat | 43660d12841c026463f346661481cc19a48e18bbb230ceaaa39828ee57d82d2b

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Size

1.8MB
MD5

15b75648ad8160565cfd4008ae223ce0
SHA1

2800a25191362b57c9762c74fc668960f11937bc
SHA256

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d
SHA512

25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b
SSDEEP

24576:pRr3fEcKSoIu4cMlay9GvZsk8ynlK01Pi5LO1K4Bb/8GeAyb1L5ZXMUJcapQKS3L:TAUpQ8yU26a1KU8ZAyb15ea61pFWcig

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/4536-1-0x00000000005E0000-0x00000000007BA000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0031000000023bb7-27.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\apppatch\\ja-JP\\wininit.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\apppatch\\ja-JP\\wininit.exe\", \"C:\\Windows\\Prefetch\\explorer.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\apppatch\\ja-JP\\wininit.exe\", \"C:\\Windows\\Prefetch\\explorer.exe\", \"C:\\Windows\\ImmersiveControlPanel\\backgroundTaskHost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\apppatch\\ja-JP\\wininit.exe\", \"C:\\Windows\\Prefetch\\explorer.exe\", \"C:\\Windows\\ImmersiveControlPanel\\backgroundTaskHost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\sppsvc.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Windows\\apppatch\\ja-JP\\wininit.exe\", \"C:\\Windows\\Prefetch\\explorer.exe\", \"C:\\Windows\\ImmersiveControlPanel\\backgroundTaskHost.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	1972	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1972	schtasks.exe	84

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Executes dropped EXE 1 IoCs

pid	Process
2280	backgroundTaskHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\apppatch\\ja-JP\\wininit.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\ImmersiveControlPanel\\backgroundTaskHost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\sppsvc.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\sppsvc.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\apppatch\\ja-JP\\wininit.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Prefetch\\explorer.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Prefetch\\explorer.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\ImmersiveControlPanel\\backgroundTaskHost.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9F6759A804B4EF1838C82ECB1D2815A.TMP	csc.exe
File created	\??\c:\Windows\System32\7bmpgk.exe	csc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\7a0fd90576e088	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\apppatch\ja-JP\wininit.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\apppatch\ja-JP\56085415360792	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\ServiceState\SEMgrSvc\Data\RuntimeBroker.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\ImmersiveControlPanel\backgroundTaskHost.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\ImmersiveControlPanel\eddb19405b7ce1	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
File created	C:\Windows\Prefetch\explorer.exe	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
888	schtasks.exe
2732	schtasks.exe
4052	schtasks.exe
4720	schtasks.exe
3808	schtasks.exe
3056	schtasks.exe
3732	schtasks.exe
3048	schtasks.exe
3340	schtasks.exe
3868	schtasks.exe
3192	schtasks.exe
4948	schtasks.exe
716	schtasks.exe
4944	schtasks.exe
3544	schtasks.exe
4068	schtasks.exe
2808	schtasks.exe
932	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3940	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2280	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
Token: SeDebugPrivilege	2280	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 3512	4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	88
PID 4536 wrote to memory of 3512	4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	88
PID 3512 wrote to memory of 2592	3512	csc.exe	91
PID 3512 wrote to memory of 2592	3512	csc.exe	91
PID 4536 wrote to memory of 4156	4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	111
PID 4536 wrote to memory of 4156	4536	81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe	111
PID 4156 wrote to memory of 4248	4156	cmd.exe	113
PID 4156 wrote to memory of 4248	4156	cmd.exe	113
PID 4156 wrote to memory of 3940	4156	cmd.exe	114
PID 4156 wrote to memory of 3940	4156	cmd.exe	114
PID 4156 wrote to memory of 2280	4156	cmd.exe	119
PID 4156 wrote to memory of 2280	4156	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe
"C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ftmtmjw\4ftmtmjw.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C7A.tmp" "c:\Windows\System32\CSC9F6759A804B4EF1838C82ECB1D2815A.TMP"
    3⤵
    PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9n6fQNof7y.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4248
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:3940
- - C:\Windows\ImmersiveControlPanel\backgroundTaskHost.exe
    "C:\Windows\ImmersiveControlPanel\backgroundTaskHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\apppatch\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Prefetch\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\ImmersiveControlPanel\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\ImmersiveControlPanel\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\MsEdgeCrashpad\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d8" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\lsass.exe

Filesize
1.8MB

MD5
15b75648ad8160565cfd4008ae223ce0

SHA1
2800a25191362b57c9762c74fc668960f11937bc

SHA256
81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

SHA512
25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9n6fQNof7y.bat

Filesize
183B

MD5
785ec6cf1afd218373452044f4302fdd

SHA1
b9d6f60b7f954e666d3aafb1f6462b493ef9b2cb

SHA256
3c9265e7a6d91937cb9392179ee6b8064a14f480e6b2db540a33733cb0568c0f

SHA512
2b323c243118e3eb5a134da1bcd74a64e81cd912fc75c242bd4dd8a5d870496c46c303017e30b9019d63cb26fb4f73d0793ee24a46a937cd38a604381ea757d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C7A.tmp

Filesize
1KB

MD5
96ebb6b715bb8fc079f98adc807b16d4

SHA1
57d07aded54a6e240e6a5e6a1eabda72ed5e8672

SHA256
a8e19d1c1d91dfe64321f41cc2874e02c84b67d7289b792e579f72e464a8ce05

SHA512
b8dcec16ce3eb8179da0ddff9fb59d6e6e2b0d0d9a0faff5556ab126de10c54f3b10713a0029703f5ade787941d3a9cdd8bad100dad36fcc9fe318402b0ba757

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ftmtmjw\4ftmtmjw.0.cs

Filesize
363B

MD5
3f2fdc017df7a30daa151bcc253c5f51

SHA1
bceca04812ebebdc113ff3cb7e32f47c1c8f8b80

SHA256
2bae2ef2dd83bf423493061a8d9f687fbadaacb8b0d239a58de072a1da08ba27

SHA512
241c9f4b01e33c2d2122137728420c5d88a4057d5ea07d153f4e1362833b65166594c45175d09988ca6597c20f55ebf46c3fad4d0a3c8cc47660696238da84ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ftmtmjw\4ftmtmjw.cmdline

Filesize
235B

MD5
8f14ee4a3e4532c8db5c7222f6032409

SHA1
0f1dc331aacc8ab24e955cfae8b6fc1c9392be1f

SHA256
aea8edff7eb25d930244d2f4b82af4fb44201c8b7616cf27fb72a33931a978ad

SHA512
8789d7aafe05572af9995ab3187194ac75124365a2a2834e8333af2f5ff30c2c4bb3e9f822792cdee109552de3dd0db79b10f93b74fe6a892a5d60d789fc6aa1

Download Submit
\??\c:\Windows\System32\CSC9F6759A804B4EF1838C82ECB1D2815A.TMP

Filesize
1KB

MD5
f8c17a9410d4d326f9e6a23230c45678

SHA1
0d43e49c7c23d3eba775acddcba4483b3922d148

SHA256
cf57d1926470fe33fb8a804cd20f7e01fd54c5956081e74b1adabe97a67452ab

SHA512
8c3c5c18499a1c29fa8f903f0c2e44835b7d87df764476362c59688600e83773403bb7eda102a3a18edb7e4ae79d13cc145a065e283bf3d4ea7f516ea022b923

Download Submit
memory/4536-14-0x000000001B520000-0x000000001B538000-memory.dmp

Filesize
96KB

Download
memory/4536-29-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-10-0x000000001B500000-0x000000001B51C000-memory.dmp

Filesize
112KB

Download
memory/4536-11-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-0-0x00007FFC753B3000-0x00007FFC753B5000-memory.dmp

Filesize
8KB

Download
memory/4536-12-0x000000001B7B0000-0x000000001B800000-memory.dmp

Filesize
320KB

Download
memory/4536-16-0x000000001B3C0000-0x000000001B3CC000-memory.dmp

Filesize
48KB

Download
memory/4536-17-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-7-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-8-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-33-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-6-0x0000000002840000-0x000000000284E000-memory.dmp

Filesize
56KB

Download
memory/4536-4-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-3-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-2-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-49-0x00007FFC753B0000-0x00007FFC75E71000-memory.dmp

Filesize
10.8MB

Download
memory/4536-1-0x00000000005E0000-0x00000000007BA000-memory.dmp

Filesize
1.9MB

Download