zgrat | 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57EC49D438753F3BDFEC6A616258B370.exe
Size

8.7MB
MD5

57ec49d438753f3bdfec6a616258b370
SHA1

a34f757f5f2bd4763f04206c0d0cd32ab4491117
SHA256

872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638
SHA512

88bdae1b6a45efa83c4a9ff28a4549c33db28ba2bb1d1911d028090e9dc3831ef57f6577388844a4cfccc60dbca70315a7f9d7311f6638bcf00da97110e1c64a
SSDEEP

196608:ITAJDpNk+Rl4/Xi/yRvyCyKuhBfldGdrmVLaY1rHgu:oAlzJ7yRvyCx+xpgu

Score

10^/10

zgrat persistence rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023419-31.dat	family_zgrat_v1
behavioral2/files/0x000800000002341b-47.dat	family_zgrat_v1
behavioral2/memory/1088-49-0x00000000000F0000-0x000000000047E000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\110.0.5481.104\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\sihost.exe\", \"C:\\Webnet\\portmonitor.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\dllhost.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\110.0.5481.104\\OfficeClickToRun.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\110.0.5481.104\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\explorer.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Windows\\SKB\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\110.0.5481.104\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\sihost.exe\""	portmonitor.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	4604	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	4604	schtasks.exe	95

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	portmonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	57EC49D438753F3BDFEC6A616258B370.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	leetcrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	portmonitor.exe

Executes dropped EXE 6 IoCs

pid	Process
3248	Nursultan 1.16.5 Crack.exe
692	leetcrack.exe
3288	3b73a6fa2092a350d795.exe
5096	portmonitor.exe
1088	portmonitor.exe
4400	portmonitor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023418-22.dat	upx
behavioral2/memory/3288-33-0x00007FF7D0700000-0x00007FF7D132A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SKB\\dllhost.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SKB\\dllhost.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\explorer.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\sihost.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\110.0.5481.104\\OfficeClickToRun.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Google\\Update\\Download\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\110.0.5481.104\\OfficeClickToRun.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\explorer.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\sihost.exe\""	portmonitor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC38B37F72283F4F1AA99DE0AC9F1EA3ED.TMP	csc.exe
File created	\??\c:\Windows\System32\t4pfwd.exe	csc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe	portmonitor.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\66fc9ff0ee96c2	portmonitor.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\OfficeClickToRun.exe	portmonitor.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\e6c9b481da804f	portmonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe	portmonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\5b884080fd4f94	portmonitor.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe	portmonitor.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\explorer.exe	portmonitor.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\7a0fd90576e088	portmonitor.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Fonts\dllhost.exe	portmonitor.exe
File created	C:\Windows\SKB\dllhost.exe	portmonitor.exe
File created	C:\Windows\SKB\5940a34987c991	portmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1428	schtasks.exe
1588	schtasks.exe
996	schtasks.exe
4808	schtasks.exe
4688	schtasks.exe
1484	schtasks.exe
2708	schtasks.exe
3580	schtasks.exe
4016	schtasks.exe
5116	schtasks.exe
4728	schtasks.exe
2840	schtasks.exe
4372	schtasks.exe
3860	schtasks.exe
588	schtasks.exe
536	schtasks.exe
880	schtasks.exe
1108	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	portmonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	portmonitor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe
1088	portmonitor.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4400	portmonitor.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	portmonitor.exe
Token: SeDebugPrivilege	4400	portmonitor.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 3248	64	57EC49D438753F3BDFEC6A616258B370.exe	83
PID 64 wrote to memory of 3248	64	57EC49D438753F3BDFEC6A616258B370.exe	83
PID 64 wrote to memory of 3248	64	57EC49D438753F3BDFEC6A616258B370.exe	83
PID 64 wrote to memory of 692	64	57EC49D438753F3BDFEC6A616258B370.exe	84
PID 64 wrote to memory of 692	64	57EC49D438753F3BDFEC6A616258B370.exe	84
PID 64 wrote to memory of 692	64	57EC49D438753F3BDFEC6A616258B370.exe	84
PID 692 wrote to memory of 3288	692	leetcrack.exe	85
PID 692 wrote to memory of 3288	692	leetcrack.exe	85
PID 692 wrote to memory of 5096	692	leetcrack.exe	86
PID 692 wrote to memory of 5096	692	leetcrack.exe	86
PID 692 wrote to memory of 5096	692	leetcrack.exe	86
PID 5096 wrote to memory of 1496	5096	portmonitor.exe	88
PID 5096 wrote to memory of 1496	5096	portmonitor.exe	88
PID 5096 wrote to memory of 1496	5096	portmonitor.exe	88
PID 1496 wrote to memory of 860	1496	WScript.exe	99
PID 1496 wrote to memory of 860	1496	WScript.exe	99
PID 1496 wrote to memory of 860	1496	WScript.exe	99
PID 860 wrote to memory of 1088	860	cmd.exe	101
PID 860 wrote to memory of 1088	860	cmd.exe	101
PID 1088 wrote to memory of 1008	1088	portmonitor.exe	105
PID 1088 wrote to memory of 1008	1088	portmonitor.exe	105
PID 1008 wrote to memory of 2864	1008	csc.exe	107
PID 1008 wrote to memory of 2864	1008	csc.exe	107
PID 1088 wrote to memory of 4896	1088	portmonitor.exe	123
PID 1088 wrote to memory of 4896	1088	portmonitor.exe	123
PID 4896 wrote to memory of 2676	4896	cmd.exe	125
PID 4896 wrote to memory of 2676	4896	cmd.exe	125
PID 4896 wrote to memory of 3952	4896	cmd.exe	126
PID 4896 wrote to memory of 3952	4896	cmd.exe	126
PID 4896 wrote to memory of 4400	4896	cmd.exe	127
PID 4896 wrote to memory of 4400	4896	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\57EC49D438753F3BDFEC6A616258B370.exe
"C:\Users\Admin\AppData\Local\Temp\57EC49D438753F3BDFEC6A616258B370.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\leetcrack.exe
  "C:\Users\Admin\AppData\Local\Temp\leetcrack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe
    "C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe"
    3⤵
    - Executes dropped EXE
    PID:3288
- - C:\Users\Admin\AppData\Local\Temp\portmonitor.exe
    "C:\Users\Admin\AppData\Local\Temp\portmonitor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Webnet\x9qTsv13UFeYw.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
      - C:\Webnet\portmonitor.exe
        
        "C:\Webnet/portmonitor.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qdqdv53\1qdqdv53.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C23.tmp" "c:\Windows\System32\CSC38B37F72283F4F1AA99DE0AC9F1EA3ED.TMP"
        8⤵
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYCYn73hCB.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3952
        
        C:\Webnet\portmonitor.exe
        
        "C:\Webnet\portmonitor.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\SKB\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SKB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 5 /tr "'C:\Webnet\portmonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 9 /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\portmonitor.exe.log

Filesize
1KB

MD5
07309bd8d88aa32cac50b856dcde7ea4

SHA1
ff36ee74f17d7af6f2a59e4d868970b65d1181e2

SHA256
b9e8a168e9c52fef84060a8a9d03406e694b7b83fe5aacca905cc3f0bcf4b023

SHA512
3f0fa70207546a0150dad3bd4e817191561b2a97fcbb73db0bed9a6bb9462b10495c0aae11643d788b655893523c862f2c4a71f22ff611b2dfb4fe54a594bdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe

Filesize
5.2MB

MD5
b86bbb42b26e72a601087f68cda89208

SHA1
baca49e35da3b83cd56ba579d61f98e9b137debe

SHA256
320eff01b2a5b520853cd9b0c7486b3d9992dce2f9308f267069a60f88f8deb0

SHA512
e98dfeb55d6053d6e2ec323f4665b4ea8cdb5bae0807ac70ac5dbb6cf7f3e8e1ba6a2ad099f8232b0e0ca9a738a9baf7d132957fb5d503c78283b229e35ed974

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYCYn73hCB.bat

Filesize
201B

MD5
e15d82c0945ccac27d63264e9ec455eb

SHA1
26fa336846c733efc0af311b1ad712ccdd7735b0

SHA256
63386659f1388cf49162abf1f3c4a2196f5b5f4b24dad0753ff07c7c7f3fb6bd

SHA512
abba6bd2a240c2be5a3375ad9b89489dced4f223ae1b33a0daad8ac6ad296bf5684819920e3cab5d6ac918bf0a054f9ab81227700a1be7e1dc358299b9b8b568

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe

Filesize
8KB

MD5
068a3a015a2821ab745a03dbae612233

SHA1
91c358a556d51466918c76c01ead079a484ce35a

SHA256
d87f2189c12aa65a1bd52c1a39d1f14d58753dd76d291eebba32d5a0dde74d67

SHA512
d18d483af543ac72a204b076f897fe62284a0479fdb5a407ef69d51588ccc9589465d94f5a4dce6fc3d36ce6667a42d6513e4a05ce2fde7b0794e1745aa0bb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C23.tmp

Filesize
1KB

MD5
b72c4f555bce29b868fc50db5a865304

SHA1
33ea6676d1aa5dce835fa71912b21b2a2141dcb4

SHA256
074f530bfd0562510a795636fa5ade278d17e84b7a53d89c53e6409cf6c121d9

SHA512
5401dd5e6a278c32a7bba3939cd0f18b410ba2182a9ee2c57725cc812a535655baff1f5cc7ccf45eed4107ca254a02d86d7f87973d6ab7199fb9fff09d8f1b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\leetcrack.exe

Filesize
8.7MB

MD5
93144ffd83e528ff8651605be2d2c1a4

SHA1
6c661ce690ecd3ecd21c8953e410543fcf8a69ad

SHA256
4ded33a5b292e88739e50c25c4db2ec8a4b444b21431f3daba87a2573965bd60

SHA512
5236edcac0e56126c0f83eccc930a96548788694e1505ee0f74e77ed41582b1c92573de2fef0bf1e69fa3e9bc355f45f4671a67da66612e1a24b8eb849ea668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\portmonitor.exe

Filesize
3.8MB

MD5
3d686dda8f890bef092779bc682dec10

SHA1
2e6f12de7a5d4febe798a63b2f8914458741bf7f

SHA256
af9b7828f0661720eeaac5931f160f7db17dbf6c1ddcd7020a0c06a4deb2b7d4

SHA512
cb32222a74d01de5c99e5096e1e00f86ab54af0db9e6b560b5952de2ab1c654ebde7331e80302dedb387acc7ad7c98eae3748cf3bf2bb78c1d0a5088db881f58

Download Submit
C:\Webnet\portmonitor.exe

Filesize
3.5MB

MD5
aa6c98cd853bf585a410394fd10817dc

SHA1
ceab1865997ae2c6e070a9c6adf6b129cf2ad383

SHA256
fc45eebea5ae88160a2ac49fe7e027baeee028c4f4b021794726a04ecea8c90b

SHA512
2ada05425dce38fd9fe48c9ceb6a21c59c5e7088274c4445dfde054974f14f8feba5012909c5a75d7932a6bcbb488e38d34d9c970cd61c636ee13abc59e06562

Download Submit
C:\Webnet\x9qTsv13UFeYw.bat

Filesize
84B

MD5
5bcb417bd38f4db1936b88b262c0f7ad

SHA1
d724fa06c67a7740497576d08b2c9b5b77c7eca4

SHA256
f4374316bbc474ade932922a7ae28b6ded46b26a39ec4f3d1042b342a9bb9f07

SHA512
9706324f2d9ad3e617987927e63a8a1372c18139a465c17ad5ff8a45d21c09b17571f1de7ae98714310d4a7e0a6f8e40d9148c87c93324c9eacd99f0ab2a2e6c

Download Submit
C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe

Filesize
209B

MD5
1fefc5b72cd89c9f83dcf8a47b254f58

SHA1
909c965e493baab2203bac16be714cfb88a75f0d

SHA256
7f03a5563b7186e6c6efa09392c843783b9a3375bcfbe29e4b9c8fc6f3032c3c

SHA512
5bada5c497c306276c348569995cb254b3e6dcf2a8c10e48eadded26b69e7d5690503b8d9610f46b91a28effbe4be8d7345938d8c59d9f5343186f4d60e526ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qdqdv53\1qdqdv53.0.cs

Filesize
384B

MD5
471020a9ad4fa978fab62dea7fa59a09

SHA1
a80cd808860e236783c556660621f41e171e1cf3

SHA256
80feb056e31e840d350b16f74411c4c4d9134588a60c4974aefb3e13383f6429

SHA512
5c5bf29867e222666cd43db5b2b0d894225fbbf3412198f2a561d3865ff37ed209abeb34517879178c65f340f765b50df837c45ed91a84804f75283378b0f34b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qdqdv53\1qdqdv53.cmdline

Filesize
235B

MD5
037e528471d9bc79df40a8e72196c0cb

SHA1
bac652276ba86717299831d2a132e084fcaff6d2

SHA256
5f2d6e607a8f0b7c92783b2f96d6b8a9a81861004090254484427cc7e92d80d8

SHA512
155616dc83bbd797cac12e713315a9af07f5d11c8bcd86c2f07ee12255baad494d75a0e092cf1a566d75166ddcd75e07e5c1682ee59d5480fe867105d7899c1a

Download Submit
\??\c:\Windows\System32\CSC38B37F72283F4F1AA99DE0AC9F1EA3ED.TMP

Filesize
1KB

MD5
9beedc7794aa6283d0dfe66633f0facc

SHA1
51dcbc25b09e1b1eed30d7e7c4ef6d10958b5c71

SHA256
852142ec581e78ed8efae8c1c328654f6bfad35e875f0d815c5f36c23a0fa860

SHA512
d07e046a043b4c4fd8352f0081ee5cad8585eda817f54e3a1025b16d8ac47b5d11409a6f0a3aeadb8ea04797bb7edf7edaa73214cc41f7557baa11406bb90eb4

Download Submit
memory/1088-68-0x000000001BE80000-0x000000001BE92000-memory.dmp

Filesize
72KB

Download
memory/1088-83-0x000000001BF60000-0x000000001BFBA000-memory.dmp

Filesize
360KB

Download
memory/1088-62-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/1088-64-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/1088-66-0x000000001B130000-0x000000001B13E000-memory.dmp

Filesize
56KB

Download
memory/1088-58-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/1088-70-0x000000001B140000-0x000000001B150000-memory.dmp

Filesize
64KB

Download
memory/1088-72-0x000000001BEC0000-0x000000001BED6000-memory.dmp

Filesize
88KB

Download
memory/1088-74-0x000000001BEE0000-0x000000001BEF2000-memory.dmp

Filesize
72KB

Download
memory/1088-75-0x000000001C430000-0x000000001C958000-memory.dmp

Filesize
5.2MB

Download
memory/1088-77-0x000000001B150000-0x000000001B15E000-memory.dmp

Filesize
56KB

Download
memory/1088-79-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

Filesize
64KB

Download
memory/1088-81-0x000000001BEA0000-0x000000001BEB0000-memory.dmp

Filesize
64KB

Download
memory/1088-60-0x000000001B110000-0x000000001B128000-memory.dmp

Filesize
96KB

Download
memory/1088-85-0x000000001BEB0000-0x000000001BEBE000-memory.dmp

Filesize
56KB

Download
memory/1088-87-0x000000001BF00000-0x000000001BF10000-memory.dmp

Filesize
64KB

Download
memory/1088-89-0x000000001BF10000-0x000000001BF1E000-memory.dmp

Filesize
56KB

Download
memory/1088-91-0x000000001BF40000-0x000000001BF58000-memory.dmp

Filesize
96KB

Download
memory/1088-93-0x000000001BF20000-0x000000001BF2C000-memory.dmp

Filesize
48KB

Download
memory/1088-95-0x000000001C010000-0x000000001C05E000-memory.dmp

Filesize
312KB

Download
memory/1088-56-0x000000001B160000-0x000000001B1B0000-memory.dmp

Filesize
320KB

Download
memory/1088-55-0x0000000002710000-0x000000000272C000-memory.dmp

Filesize
112KB

Download
memory/1088-53-0x0000000002660000-0x000000000266E000-memory.dmp

Filesize
56KB

Download
memory/1088-51-0x00000000026E0000-0x0000000002706000-memory.dmp

Filesize
152KB

Download
memory/1088-49-0x00000000000F0000-0x000000000047E000-memory.dmp

Filesize
3.6MB

Download
memory/3288-33-0x00007FF7D0700000-0x00007FF7D132A000-memory.dmp

Filesize
12.2MB

Download