zgrat | 1fc57c3525585fbc3de57df4e005e78321b2a2952fd056bb2078a4b49acef38d

Analysis

max time kernel
125s
max time network
146s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18881a897426a64bf676f00415259f10_NEIKI.exe
Size

1.8MB
MD5

18881a897426a64bf676f00415259f10
SHA1

d6aa5c64c71c1c8b82b2a989dc129e97e43f5f2d
SHA256

1fc57c3525585fbc3de57df4e005e78321b2a2952fd056bb2078a4b49acef38d
SHA512

7930bb9975ad51f6d48402433ea0a49e1d072f6b0dea679b6eecca7355c01e187b3fe0e4257741e3dfede066f03ebdf9d6080b554729b626ac6032b0aece9680
SSDEEP

24576:ASg5R9AL05rj1vlyn02GKSV2kRNQtKfA9v9UuDjZ+HAkv0Zj6fyblXT+yQkSwvjw:Ajew2PK4zDN+PvUJj+LpwvEBC

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/2084-1-0x0000000000020000-0x00000000001FA000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00080000000145c9-27.dat	family_zgrat_v1
behavioral1/memory/704-49-0x0000000000890000-0x0000000000A6A000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\", \"C:\\Users\\Default User\\smss.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\18881a897426a64bf676f00415259f10_NEIKI.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\18881a897426a64bf676f00415259f10_NEIKI.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\18881a897426a64bf676f00415259f10_NEIKI.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\", \"C:\\Users\\Default User\\System.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\18881a897426a64bf676f00415259f10_NEIKI.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\18881a897426a64bf676f00415259f10_NEIKI.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2668	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2668	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
704	smss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18881a897426a64bf676f00415259f10_NEIKI = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\18881a897426a64bf676f00415259f10_NEIKI.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default User\\System.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\smss.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\18881a897426a64bf676f00415259f10_NEIKI = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\18881a897426a64bf676f00415259f10_NEIKI.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default User\\System.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\18881a897426a64bf676f00415259f10_NEIKI = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\18881a897426a64bf676f00415259f10_NEIKI.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18881a897426a64bf676f00415259f10_NEIKI = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\18881a897426a64bf676f00415259f10_NEIKI.exe\""	18881a897426a64bf676f00415259f10_NEIKI.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC186412EB9F5D4BE3BDCAD9D8DB4BEFE0.TMP	csc.exe
File created	\??\c:\Windows\System32\wx6deg.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1512	schtasks.exe
1188	schtasks.exe
2508	schtasks.exe
1560	schtasks.exe
2468	schtasks.exe
236	schtasks.exe
1456	schtasks.exe
2480	schtasks.exe
1600	schtasks.exe
2660	schtasks.exe
1708	schtasks.exe
2304	schtasks.exe
2584	schtasks.exe
2920	schtasks.exe
2372	schtasks.exe
820	schtasks.exe
2400	schtasks.exe
2144	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2196	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
2084	18881a897426a64bf676f00415259f10_NEIKI.exe
704	smss.exe
704	smss.exe
704	smss.exe
704	smss.exe
704	smss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
704	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	18881a897426a64bf676f00415259f10_NEIKI.exe
Token: SeDebugPrivilege	704	smss.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2524	2084	18881a897426a64bf676f00415259f10_NEIKI.exe	32
PID 2084 wrote to memory of 2524	2084	18881a897426a64bf676f00415259f10_NEIKI.exe	32
PID 2084 wrote to memory of 2524	2084	18881a897426a64bf676f00415259f10_NEIKI.exe	32
PID 2524 wrote to memory of 3016	2524	csc.exe	34
PID 2524 wrote to memory of 3016	2524	csc.exe	34
PID 2524 wrote to memory of 3016	2524	csc.exe	34
PID 2084 wrote to memory of 2948	2084	18881a897426a64bf676f00415259f10_NEIKI.exe	50
PID 2084 wrote to memory of 2948	2084	18881a897426a64bf676f00415259f10_NEIKI.exe	50
PID 2084 wrote to memory of 2948	2084	18881a897426a64bf676f00415259f10_NEIKI.exe	50
PID 2948 wrote to memory of 2428	2948	cmd.exe	52
PID 2948 wrote to memory of 2428	2948	cmd.exe	52
PID 2948 wrote to memory of 2428	2948	cmd.exe	52
PID 2948 wrote to memory of 2196	2948	cmd.exe	53
PID 2948 wrote to memory of 2196	2948	cmd.exe	53
PID 2948 wrote to memory of 2196	2948	cmd.exe	53
PID 2948 wrote to memory of 704	2948	cmd.exe	54
PID 2948 wrote to memory of 704	2948	cmd.exe	54
PID 2948 wrote to memory of 704	2948	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rpfjgmox\rpfjgmox.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B0F.tmp" "c:\Windows\System32\CSC186412EB9F5D4BE3BDCAD9D8DB4BEFE0.TMP"
    3⤵
    PID:3016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TozjB5Lnli.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2428
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2196
- - C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\smss.exe
    "C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18881a897426a64bf676f00415259f10_NEIKI1" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\18881a897426a64bf676f00415259f10_NEIKI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18881a897426a64bf676f00415259f10_NEIKI" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\18881a897426a64bf676f00415259f10_NEIKI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18881a897426a64bf676f00415259f10_NEIKI1" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\18881a897426a64bf676f00415259f10_NEIKI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18881a897426a64bf676f00415259f10_NEIKI1" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18881a897426a64bf676f00415259f10_NEIKI" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18881a897426a64bf676f00415259f10_NEIKI1" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\smss.exe

Filesize
1.8MB

MD5
18881a897426a64bf676f00415259f10

SHA1
d6aa5c64c71c1c8b82b2a989dc129e97e43f5f2d

SHA256
1fc57c3525585fbc3de57df4e005e78321b2a2952fd056bb2078a4b49acef38d

SHA512
7930bb9975ad51f6d48402433ea0a49e1d072f6b0dea679b6eecca7355c01e187b3fe0e4257741e3dfede066f03ebdf9d6080b554729b626ac6032b0aece9680

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1B0F.tmp

Filesize
1KB

MD5
5e0bf7b9ff9c9bd44b31f6aeadf537a9

SHA1
bf9b5f9581011e77e5d3df815442bdbb174654b6

SHA256
56dafe65df5025e28a8e43ee8290fb622c0348276eda41987d173a9c1b3292b4

SHA512
403673eabf95298b27c26db39c2c48b782676787c708f813df079c4f0d0399908d19efe56fcad95af085f42206fc6a51e5b50d1cd91f619bb8be5c811290500a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TozjB5Lnli.bat

Filesize
185B

MD5
7efb21d17cbfcdd424259217b6203ddf

SHA1
bafbab59876522dc33e9903a90e17269a4765563

SHA256
e6f3456f49d5bff7e89de4c02db1a92f56e19344ee7ceb21c713277c8fbd78d8

SHA512
8c56a5dfb0d41f9cc6283eea45e3a8ab969bb630b64041c155ec8992526e05efaad1029692c98432904d7b2b1b53f4dd5a51516867a4e02c24719b4d89ec4b20

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpfjgmox\rpfjgmox.0.cs

Filesize
389B

MD5
09c15fbef047bd5fc5130959f63365f7

SHA1
ae1eecf5a8127943c1029b066c8b86fe76291625

SHA256
8c208917991249e3123b0f541121b2c19a262ff2e3b067f5fe4aebbfef848dfe

SHA512
288a1fdd5277ad1c62ac4ede633872246852428564292ba5f63f1f018284038736a976627bed3f0027a8df33967beaa5f530e40db7e5496f53dea19bd8e2db97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpfjgmox\rpfjgmox.cmdline

Filesize
235B

MD5
324c53fa4a14d0ed34b1d9f489e3ec01

SHA1
c4738b5096175aea7882176b76ef8ed9fe733ae2

SHA256
6a9b8c64c2251e0829cdc0c360276c694ca23744a47df46dac4b70ce9db0ae38

SHA512
b8719884876e1c3bc0d18abf6beeac1954c2a6ea2ea66af84e65655408685db62d269aa4dc96e34980b3442dcaef9938998f0cf59520ae2bb11132cb015394c3

Download Submit
\??\c:\Windows\System32\CSC186412EB9F5D4BE3BDCAD9D8DB4BEFE0.TMP

Filesize
1KB

MD5
81f176b5da6f2f0e6b33c353995a2d09

SHA1
50fd7cc1c2c859d60f71fc36b122f70509f735e8

SHA256
003098fe5fd83cb4346dded8d55b9b673e4238d8dc810b59e22bc14eb7238478

SHA512
f40f10fe04872ed873774be305461262ce4e6416ca38561c4d74efd2a8a3ebbc58e9529de22e3fccd7413531f34fa56dc1cc2a7412b349fb7917d499d63835d8

Download Submit
memory/704-49-0x0000000000890000-0x0000000000A6A000-memory.dmp

Filesize
1.9MB

Download
memory/2084-6-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/2084-9-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-15-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-17-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-16-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-14-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/2084-12-0x0000000002130000-0x0000000002148000-memory.dmp

Filesize
96KB

Download
memory/2084-10-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-8-0x0000000002080000-0x000000000209C000-memory.dmp

Filesize
112KB

Download
memory/2084-0-0x000007FEF5C93000-0x000007FEF5C94000-memory.dmp

Filesize
4KB

Download
memory/2084-4-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-3-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-2-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-46-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/2084-1-0x0000000000020000-0x00000000001FA000-memory.dmp

Filesize
1.9MB

Download