zgrat | b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe
Size

3.6MB
MD5

ae6fa9bafb66f9f7abef04452e02bc1c
SHA1

9ef051f253f58a97df773d3ab14654320191a08d
SHA256

b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f
SHA512

098dd73c9f75fd90ceb897f487d80c556456246ced0880057a317dd07c96900ab217cff500e363aa27e2debdde639f0be492ae84eabfd55846cbbf2b8cbd238c
SSDEEP

49152:IBJ7Cz5hm/qbhLLVAaM0+aSp0a+utgmvaIQLk7vsFMT2QbZCsL5A+rTpeZicE:ypCz5hvLqa3fSp0a+u6mt6cZnFDeEf

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x000b0000000233f2-10.dat	family_zgrat_v1
behavioral2/memory/4468-13-0x00000000002C0000-0x000000000060A000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\", \"C:\\Windows\\tracing\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\", \"C:\\Windows\\tracing\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\", \"C:\\Windows\\tracing\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\", \"C:\\Windows\\tracing\\backgroundTaskHost.exe\""	BridgeWin.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2240	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2240	schtasks.exe	87

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral2/files/0x000b0000000233f2-10.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/4468-13-0x00000000002C0000-0x000000000060A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	BridgeWin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 6 IoCs

pid	Process
4468	BridgeWin.exe
3464	SearchApp.exe
4332	SearchApp.exe
1800	SearchApp.exe
4852	SearchApp.exe
2724	SearchApp.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\tracing\\backgroundTaskHost.exe\""	BridgeWin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\tracing\\backgroundTaskHost.exe\""	BridgeWin.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE1BE56B6646E460894DBFBFBA3F4D9A4.TMP	csc.exe
File created	\??\c:\Windows\System32\cwwwvr.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\55b276f4edf653	BridgeWin.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe	BridgeWin.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe	BridgeWin.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\tracing\backgroundTaskHost.exe	BridgeWin.exe
File created	C:\Windows\tracing\eddb19405b7ce1	BridgeWin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1480	schtasks.exe
4420	schtasks.exe
2496	schtasks.exe
1592	schtasks.exe
3800	schtasks.exe
944	schtasks.exe
1688	schtasks.exe
1448	schtasks.exe
3652	schtasks.exe
932	schtasks.exe
3020	schtasks.exe
4660	schtasks.exe
1120	schtasks.exe
4528	schtasks.exe
3492	schtasks.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	BridgeWin.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4488	PING.EXE
3752	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe
4468	BridgeWin.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	BridgeWin.exe
Token: SeDebugPrivilege	3464	SearchApp.exe
Token: SeDebugPrivilege	4332	SearchApp.exe
Token: SeDebugPrivilege	1800	SearchApp.exe
Token: SeDebugPrivilege	4852	SearchApp.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 4356	1060	b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe	82
PID 1060 wrote to memory of 4356	1060	b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe	82
PID 1060 wrote to memory of 4356	1060	b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe	82
PID 4356 wrote to memory of 4516	4356	WScript.exe	84
PID 4356 wrote to memory of 4516	4356	WScript.exe	84
PID 4356 wrote to memory of 4516	4356	WScript.exe	84
PID 4516 wrote to memory of 4468	4516	cmd.exe	86
PID 4516 wrote to memory of 4468	4516	cmd.exe	86
PID 4468 wrote to memory of 3644	4468	BridgeWin.exe	91
PID 4468 wrote to memory of 3644	4468	BridgeWin.exe	91
PID 3644 wrote to memory of 4896	3644	csc.exe	93
PID 3644 wrote to memory of 4896	3644	csc.exe	93
PID 4468 wrote to memory of 4196	4468	BridgeWin.exe	106
PID 4468 wrote to memory of 4196	4468	BridgeWin.exe	106
PID 4196 wrote to memory of 4552	4196	cmd.exe	108
PID 4196 wrote to memory of 4552	4196	cmd.exe	108
PID 4196 wrote to memory of 1848	4196	cmd.exe	109
PID 4196 wrote to memory of 1848	4196	cmd.exe	109
PID 4196 wrote to memory of 3464	4196	cmd.exe	110
PID 4196 wrote to memory of 3464	4196	cmd.exe	110
PID 3464 wrote to memory of 2248	3464	SearchApp.exe	113
PID 3464 wrote to memory of 2248	3464	SearchApp.exe	113
PID 2248 wrote to memory of 4324	2248	cmd.exe	115
PID 2248 wrote to memory of 4324	2248	cmd.exe	115
PID 2248 wrote to memory of 4488	2248	cmd.exe	116
PID 2248 wrote to memory of 4488	2248	cmd.exe	116
PID 2248 wrote to memory of 4332	2248	cmd.exe	117
PID 2248 wrote to memory of 4332	2248	cmd.exe	117
PID 4332 wrote to memory of 3608	4332	SearchApp.exe	118
PID 4332 wrote to memory of 3608	4332	SearchApp.exe	118
PID 3608 wrote to memory of 2408	3608	cmd.exe	120
PID 3608 wrote to memory of 2408	3608	cmd.exe	120
PID 3608 wrote to memory of 1680	3608	cmd.exe	121
PID 3608 wrote to memory of 1680	3608	cmd.exe	121
PID 3608 wrote to memory of 1800	3608	cmd.exe	122
PID 3608 wrote to memory of 1800	3608	cmd.exe	122
PID 1800 wrote to memory of 4612	1800	SearchApp.exe	123
PID 1800 wrote to memory of 4612	1800	SearchApp.exe	123
PID 4612 wrote to memory of 4608	4612	cmd.exe	125
PID 4612 wrote to memory of 4608	4612	cmd.exe	125
PID 4612 wrote to memory of 4624	4612	cmd.exe	126
PID 4612 wrote to memory of 4624	4612	cmd.exe	126
PID 4612 wrote to memory of 4852	4612	cmd.exe	127
PID 4612 wrote to memory of 4852	4612	cmd.exe	127
PID 4852 wrote to memory of 3112	4852	SearchApp.exe	128
PID 4852 wrote to memory of 3112	4852	SearchApp.exe	128
PID 3112 wrote to memory of 4244	3112	cmd.exe	130
PID 3112 wrote to memory of 4244	3112	cmd.exe	130
PID 3112 wrote to memory of 3752	3112	cmd.exe	131
PID 3112 wrote to memory of 3752	3112	cmd.exe	131
PID 3112 wrote to memory of 2724	3112	cmd.exe	132
PID 3112 wrote to memory of 2724	3112	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe
"C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ChainProvider\jpxBqgIRsq2SLG1PgyDmjdYOwbC.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ChainProvider\Ue6DPbuBmrgvvM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\ChainProvider\BridgeWin.exe
      "C:\ChainProvider/BridgeWin.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\at1jstg5\at1jstg5.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9683.tmp" "c:\Windows\System32\CSCE1BE56B6646E460894DBFBFBA3F4D9A4.TMP"
        6⤵
        
        PID:4896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Eo3NOVlJF1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4196
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4552
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1848
      - C:\Recovery\WindowsRE\SearchApp.exe
        
        "C:\Recovery\WindowsRE\SearchApp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cWXsH5vMZ0.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:4488
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        "C:\Recovery\WindowsRE\SearchApp.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yo3Upowo0F.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1680
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        "C:\Recovery\WindowsRE\SearchApp.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rnyMd9S9uS.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4624
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        "C:\Recovery\WindowsRE\SearchApp.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmR8xVOsrj.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:3752
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        "C:\Recovery\WindowsRE\SearchApp.exe"
        14⤵
        Executes dropped EXE
        
        PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainProvider\BridgeWin.exe

Filesize
3.3MB

MD5
08efce1648b0191ab668a92693f404d2

SHA1
8e0e2293ac8a05c4ead1db9f35131814af0f0838

SHA256
4a9ccd37881052fa211713f88560e534684dc38bf54869b89e044f1606924191

SHA512
86a7f9f8dd555408de32ebbc43825da2d01bdf1504d0ccd7d087195586f0276726444c11b1e6cc5c4c2bb7aaf3e7ec1ccd885ded7168b2f800c42aa012169186

Download Submit
C:\ChainProvider\Ue6DPbuBmrgvvM.bat

Filesize
65B

MD5
6c93675d5528de536918490f2a030831

SHA1
ea764eee1b3bde0450319ef30b2433a9a46d4186

SHA256
0fef681907e2cf1e93b3ed1f68439901833d5ada3c70aa374e024560bfc86d64

SHA512
c935abd4d5390841784dee4edb8941b26a7fb5091b6d38e329959e70626fa19bb600d957456f079a95ab6ff2ba2f5059ae4ecfebe360d18aaf1ad61edccd6679

Download Submit
C:\ChainProvider\jpxBqgIRsq2SLG1PgyDmjdYOwbC.vbe

Filesize
206B

MD5
55e5be814935518dd671f62280d31bf7

SHA1
5b2fe2c2bc5b928a1225cf5b01c05dba98384812

SHA256
4e6b3324992136821adcecafa68aa60e1ec41664737ed1a75e96de82c3abd979

SHA512
873f644b249cebdf2a666e30eb1c06b8e276a5311d72f7c17af7fdad5ff767577c1a1cc2b9d9d84bfee28898e179356aa334aa29596a57549770f737c3d555b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
3c93e1d75c4f1682ef0f33b9c0759623

SHA1
b725fdf914847d4896aec8e97d7535bed90ed02a

SHA256
6905fbb07def20c266499860d66336405ee8a44de59fc7da1ef879ab4bc08b93

SHA512
31bbda359f7184f2b45fe4775b4c9b58a1720183964006557292fff8412d179379893816dc760a2b433bdbbb23c9fadaf9975a821734a891db7cbc34b410b5cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eo3NOVlJF1.bat

Filesize
211B

MD5
f667b066eabb183868ca758af6170304

SHA1
61d8a3ae29e454aa58fdee912502d68ad0cf122a

SHA256
c8ee9ded150f32ab7b26e26087e3eb33b2f5305b3c19e5baf8367b92b09f5d57

SHA512
5cc708870a3ebe51d27526c7d5aac597abb947644bb25ec0ddf4032b1cdfacde41b325db509f556b38e984ae2524f25ebf1b109373fd0229c7a4ac3261722b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmR8xVOsrj.bat

Filesize
163B

MD5
5aa3b1838b5fd938355b6513b44f6de2

SHA1
0f09dacf583120661fff7d20ae5fff91e336ce13

SHA256
7b54418f7480210b3a6c82f6e7bddc2651c628e8ffbfeaca3c4f2497e791747d

SHA512
ad3fd9c9f02ef8376f4188c31590191212ebac5df7655029e6bfbc09d6e38644060c1adb000dda8f805e1fd3988dae45599cbf1cf3ffcb44d6702ec09a4f09bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9683.tmp

Filesize
1KB

MD5
44e26e37c8ba28a1b7c8845399a27864

SHA1
6917a460a2b4b8b608583e8c0f2dd3ae8657c7a0

SHA256
3ca24859b973762264e424bcbe1aea4028409c2ec7cc4648510e60434e315555

SHA512
f8859cd5334efa4329c8483d9643ea1d42542f55bc071b24d8ea8c0b8713e0806f843e3f22d4d947a3c8dc0e3da722c97451bbcda0771ece6edd8c2fce5e4f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yo3Upowo0F.bat

Filesize
211B

MD5
191e030ebeee617fa59ae2442e44fd68

SHA1
2a4b8ef287b5609b340c1214d9040c997ec3f496

SHA256
b7005077197a9d35c53d2514d13a09a27812fcd38618f8569f8c30ce88885af3

SHA512
1252621bac2428430e5884ee390641ed0d448b90dc75afbdc0684e57a9772073277a3cca89a7ea4ed4829108d3281c01515ae350ac382a3f6161499b3708fe65

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWXsH5vMZ0.bat

Filesize
163B

MD5
d70854ccd59046c385bbc69b1ec544b8

SHA1
0da1cf3a0f47d64cceb59370fb89422efd0291a2

SHA256
78814a086c3d27e6cfa13c9e366609a906db4de05a731eb8878f9727170d71c9

SHA512
2d58d4628dc6511557f8ad69597f5e00fb0c0a3d4cf4332a2ea979b6dbf912510cb186cd20e7f0e64882be81d49ed0004316c8bf658cee779d1bc962a9dd02d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnyMd9S9uS.bat

Filesize
211B

MD5
a0b2305dba96c6b90e9067f03a5a4de6

SHA1
434b66e8f9b6e9a75500b4fdb633fabd9f0c078b

SHA256
a3d3b22111fe5c05ef23088d78cf849dd92d2f18ff02845433b7eaee2e34e6b1

SHA512
cc012865f7cd9fac0f00efec44f5e634c0f157a640ba1e9158f4918bed657d52cc64d06690390fdaf400385365cc9858fc13cca708d3a1c4622e5741211f382a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\at1jstg5\at1jstg5.0.cs

Filesize
413B

MD5
d4772af6e6051ace5f3da6d83c146e35

SHA1
41d0cf6143fbc45e4881c60cc31abc0109708699

SHA256
ad988f857ca9a9b21858e1cccc20057da7f20255ccb838f0c25b604360e582a6

SHA512
86e163533490801eed57fd1bf1ff9630702521e4cd62d5918d187642e898fffa95a8a4632df1ecca716b5279806bbd74bcc0288c39ef3f3adeb5359d8048b4ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\at1jstg5\at1jstg5.cmdline

Filesize
235B

MD5
41ca946115e083d1bbaa8ec7f735a54c

SHA1
7d55f295304852fa9d56efeeab68696ff3fa7c56

SHA256
ac8f6f1ab29e0becd6290804cb5b4035407c4faa76b5af9d099c45b9afd087a2

SHA512
d968eb63db4d6eed764651f248446c4b3768eb9bf5419a0682042d12a7832b4220df75946fa9fba929cd037300fcec2b039d3b5d939f41356a6cc8df5153b907

Download Submit
\??\c:\Windows\System32\CSCE1BE56B6646E460894DBFBFBA3F4D9A4.TMP

Filesize
1KB

MD5
913b41bbe173c6878eae5b8d8b62f5b7

SHA1
386047df3df2b03e486bc87c4b7a3fee5f68ad73

SHA256
24e424d4d217bc9b5e76e0867e2715aabb09d7e49ab1e716eefb40d718e4f135

SHA512
c71d73ccf422818dce69b867726b04c54b6418b99d67227e7dc328c3c3df86f0235630feb91494f8102540aa94fce68674707db991222ce4c79934c17b9c0cc9

Download Submit
memory/1800-190-0x000000001BF40000-0x000000001BF48000-memory.dmp

Filesize
32KB

Download
memory/1800-182-0x000000001BF40000-0x000000001BF48000-memory.dmp

Filesize
32KB

Download
memory/1800-181-0x000000001C350000-0x000000001C3F9000-memory.dmp

Filesize
676KB

Download
memory/1800-189-0x000000001C350000-0x000000001C3F9000-memory.dmp

Filesize
676KB

Download
memory/3464-121-0x000000001D9F0000-0x000000001DAF2000-memory.dmp

Filesize
1.0MB

Download
memory/3464-119-0x000000001B810000-0x000000001B8B9000-memory.dmp

Filesize
676KB

Download
memory/3464-120-0x000000001B400000-0x000000001B408000-memory.dmp

Filesize
32KB

Download
memory/3464-110-0x000000001D9F0000-0x000000001DAF2000-memory.dmp

Filesize
1.0MB

Download
memory/3464-109-0x000000001B400000-0x000000001B408000-memory.dmp

Filesize
32KB

Download
memory/3464-108-0x000000001B810000-0x000000001B8B9000-memory.dmp

Filesize
676KB

Download
memory/3464-122-0x000000001C000000-0x000000001C16A000-memory.dmp

Filesize
1.4MB

Download
memory/4332-146-0x000000001C3C0000-0x000000001C469000-memory.dmp

Filesize
676KB

Download
memory/4332-148-0x000000001CC10000-0x000000001CD12000-memory.dmp

Filesize
1.0MB

Download
memory/4332-158-0x000000001CC10000-0x000000001CD12000-memory.dmp

Filesize
1.0MB

Download
memory/4332-157-0x000000001BFD0000-0x000000001BFD8000-memory.dmp

Filesize
32KB

Download
memory/4332-156-0x000000001C3C0000-0x000000001C469000-memory.dmp

Filesize
676KB

Download
memory/4332-147-0x000000001BFD0000-0x000000001BFD8000-memory.dmp

Filesize
32KB

Download
memory/4468-26-0x000000001B480000-0x000000001B48E000-memory.dmp

Filesize
56KB

Download
memory/4468-49-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

Filesize
64KB

Download
memory/4468-43-0x000000001B540000-0x000000001B550000-memory.dmp

Filesize
64KB

Download
memory/4468-41-0x000000001B510000-0x000000001B51C000-memory.dmp

Filesize
48KB

Download
memory/4468-39-0x000000001BAD0000-0x000000001BFF8000-memory.dmp

Filesize
5.2MB

Download
memory/4468-38-0x000000001B580000-0x000000001B592000-memory.dmp

Filesize
72KB

Download
memory/4468-36-0x000000001B560000-0x000000001B576000-memory.dmp

Filesize
88KB

Download
memory/4468-34-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/4468-32-0x000000001B520000-0x000000001B532000-memory.dmp

Filesize
72KB

Download
memory/4468-30-0x000000001B4A0000-0x000000001B4AE000-memory.dmp

Filesize
56KB

Download
memory/4468-28-0x000000001B490000-0x000000001B49E000-memory.dmp

Filesize
56KB

Download
memory/4468-53-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

Filesize
48KB

Download
memory/4468-24-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/4468-45-0x000000001B550000-0x000000001B560000-memory.dmp

Filesize
64KB

Download
memory/4468-47-0x000000001B600000-0x000000001B65A000-memory.dmp

Filesize
360KB

Download
memory/4468-83-0x000000001C300000-0x000000001C3A9000-memory.dmp

Filesize
676KB

Download
memory/4468-51-0x000000001B5B0000-0x000000001B5BE000-memory.dmp

Filesize
56KB

Download
memory/4468-22-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/4468-55-0x000000001B6B0000-0x000000001B6FE000-memory.dmp

Filesize
312KB

Download
memory/4468-20-0x000000001B460000-0x000000001B478000-memory.dmp

Filesize
96KB

Download
memory/4468-18-0x000000001B4B0000-0x000000001B500000-memory.dmp

Filesize
320KB

Download
memory/4468-17-0x000000001B430000-0x000000001B44C000-memory.dmp

Filesize
112KB

Download
memory/4468-15-0x00000000028F0000-0x00000000028FE000-memory.dmp

Filesize
56KB

Download
memory/4468-13-0x00000000002C0000-0x000000000060A000-memory.dmp

Filesize
3.3MB

Download
memory/4468-12-0x00007FFA4C1E3000-0x00007FFA4C1E5000-memory.dmp

Filesize
8KB

Download
memory/4852-213-0x000000001C3C0000-0x000000001C469000-memory.dmp

Filesize
676KB

Download
memory/4852-222-0x000000001BFB0000-0x000000001BFB8000-memory.dmp

Filesize
32KB

Download
memory/4852-221-0x000000001C3C0000-0x000000001C469000-memory.dmp

Filesize
676KB

Download
memory/4852-214-0x000000001BFB0000-0x000000001BFB8000-memory.dmp

Filesize
32KB

Download