zgrat | 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
Size

8.7MB
MD5

57ec49d438753f3bdfec6a616258b370
SHA1

a34f757f5f2bd4763f04206c0d0cd32ab4491117
SHA256

872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638
SHA512

88bdae1b6a45efa83c4a9ff28a4549c33db28ba2bb1d1911d028090e9dc3831ef57f6577388844a4cfccc60dbca70315a7f9d7311f6638bcf00da97110e1c64a
SSDEEP

196608:ITAJDpNk+Rl4/Xi/yRvyCyKuhBfldGdrmVLaY1rHgu:oAlzJ7yRvyCx+xpgu

Score

10^/10

zgrat persistence rat upx

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d49-34.dat	family_zgrat_v1
behavioral1/files/0x0008000000015d77-46.dat	family_zgrat_v1
behavioral1/memory/3016-50-0x0000000000840000-0x0000000000BCE000-memory.dmp	family_zgrat_v1
behavioral1/memory/832-125-0x0000000000250000-0x00000000005DE000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\cmd.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Users\\All Users\\Desktop\\sppsvc.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Users\\All Users\\Desktop\\sppsvc.exe\", \"C:\\Webnet\\System.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\", \"C:\\Users\\All Users\\Desktop\\sppsvc.exe\", \"C:\\Webnet\\System.exe\", \"C:\\Webnet\\portmonitor.exe\""	portmonitor.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2732	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2732	schtasks.exe	36

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015d49-34.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0008000000015d77-46.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/3016-50-0x0000000000840000-0x0000000000BCE000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/832-125-0x0000000000250000-0x00000000005DE000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 6 IoCs

pid	Process
1760	Nursultan 1.16.5 Crack.exe
2284	leetcrack.exe
2792	3b73a6fa2092a350d795.exe
2648	portmonitor.exe
3016	portmonitor.exe
832	winlogon.exe

Loads dropped DLL 8 IoCs

pid	Process
1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
2284	leetcrack.exe
2284	leetcrack.exe
2684	cmd.exe
2684	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0029000000015d0c-23.dat	upx
behavioral1/memory/2792-30-0x000000013F4A0000-0x00000001400CA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Webnet\\System.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Desktop\\sppsvc.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\cmd.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\cmd.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\winlogon.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Desktop\\sppsvc.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Webnet\\System.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\""	portmonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\50341a82-0d88-11ef-8a7e-5aba25856535\\Idle.exe\""	portmonitor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC49A33694301F4671BE5CC7FEF2B0B159.TMP	csc.exe
File created	\??\c:\Windows\System32\ldgalj.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
772	schtasks.exe
1132	schtasks.exe
668	schtasks.exe
304	schtasks.exe
1136	schtasks.exe
1752	schtasks.exe
1400	schtasks.exe
1656	schtasks.exe
744	schtasks.exe
2024	schtasks.exe
2276	schtasks.exe
1272	schtasks.exe
980	schtasks.exe
836	schtasks.exe
1288	schtasks.exe
620	schtasks.exe
824	schtasks.exe
1556	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1500	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe
3016	portmonitor.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
832	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	portmonitor.exe
Token: SeDebugPrivilege	832	winlogon.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1760	1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe	28
PID 1936 wrote to memory of 1760	1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe	28
PID 1936 wrote to memory of 1760	1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe	28
PID 1936 wrote to memory of 1760	1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe	28
PID 1936 wrote to memory of 2284	1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe	29
PID 1936 wrote to memory of 2284	1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe	29
PID 1936 wrote to memory of 2284	1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe	29
PID 1936 wrote to memory of 2284	1936	872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe	29
PID 2284 wrote to memory of 2792	2284	leetcrack.exe	30
PID 2284 wrote to memory of 2792	2284	leetcrack.exe	30
PID 2284 wrote to memory of 2792	2284	leetcrack.exe	30
PID 2284 wrote to memory of 2792	2284	leetcrack.exe	30
PID 2284 wrote to memory of 2648	2284	leetcrack.exe	31
PID 2284 wrote to memory of 2648	2284	leetcrack.exe	31
PID 2284 wrote to memory of 2648	2284	leetcrack.exe	31
PID 2284 wrote to memory of 2648	2284	leetcrack.exe	31
PID 2648 wrote to memory of 2020	2648	portmonitor.exe	32
PID 2648 wrote to memory of 2020	2648	portmonitor.exe	32
PID 2648 wrote to memory of 2020	2648	portmonitor.exe	32
PID 2648 wrote to memory of 2020	2648	portmonitor.exe	32
PID 2020 wrote to memory of 2684	2020	WScript.exe	33
PID 2020 wrote to memory of 2684	2020	WScript.exe	33
PID 2020 wrote to memory of 2684	2020	WScript.exe	33
PID 2020 wrote to memory of 2684	2020	WScript.exe	33
PID 2684 wrote to memory of 3016	2684	cmd.exe	35
PID 2684 wrote to memory of 3016	2684	cmd.exe	35
PID 2684 wrote to memory of 3016	2684	cmd.exe	35
PID 2684 wrote to memory of 3016	2684	cmd.exe	35
PID 3016 wrote to memory of 1044	3016	portmonitor.exe	40
PID 3016 wrote to memory of 1044	3016	portmonitor.exe	40
PID 3016 wrote to memory of 1044	3016	portmonitor.exe	40
PID 1044 wrote to memory of 2072	1044	csc.exe	42
PID 1044 wrote to memory of 2072	1044	csc.exe	42
PID 1044 wrote to memory of 2072	1044	csc.exe	42
PID 3016 wrote to memory of 2928	3016	portmonitor.exe	59
PID 3016 wrote to memory of 2928	3016	portmonitor.exe	59
PID 3016 wrote to memory of 2928	3016	portmonitor.exe	59
PID 2928 wrote to memory of 2028	2928	cmd.exe	61
PID 2928 wrote to memory of 2028	2928	cmd.exe	61
PID 2928 wrote to memory of 2028	2928	cmd.exe	61
PID 2928 wrote to memory of 1500	2928	cmd.exe	62
PID 2928 wrote to memory of 1500	2928	cmd.exe	62
PID 2928 wrote to memory of 1500	2928	cmd.exe	62
PID 2928 wrote to memory of 832	2928	cmd.exe	63
PID 2928 wrote to memory of 832	2928	cmd.exe	63
PID 2928 wrote to memory of 832	2928	cmd.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
"C:\Users\Admin\AppData\Local\Temp\872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\leetcrack.exe
  "C:\Users\Admin\AppData\Local\Temp\leetcrack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe
    "C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe"
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\portmonitor.exe
    "C:\Users\Admin\AppData\Local\Temp\portmonitor.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Webnet\x9qTsv13UFeYw.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Webnet\portmonitor.exe
        
        "C:\Webnet/portmonitor.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\piccn4qf\piccn4qf.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73B9.tmp" "c:\Windows\System32\CSC49A33694301F4671BE5CC7FEF2B0B159.TMP"
        8⤵
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ldFVeKsEAn.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:1500
        
        C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe
        
        "C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Webnet\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Webnet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Webnet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 11 /tr "'C:\Webnet\portmonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 9 /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe

Filesize
8KB

MD5
068a3a015a2821ab745a03dbae612233

SHA1
91c358a556d51466918c76c01ead079a484ce35a

SHA256
d87f2189c12aa65a1bd52c1a39d1f14d58753dd76d291eebba32d5a0dde74d67

SHA512
d18d483af543ac72a204b076f897fe62284a0479fdb5a407ef69d51588ccc9589465d94f5a4dce6fc3d36ce6667a42d6513e4a05ce2fde7b0794e1745aa0bb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES73B9.tmp

Filesize
1KB

MD5
73e2d12701e635a97c6366a6e6988e68

SHA1
5cf23950c767f7f76779fe5af1718c8762d3992e

SHA256
3c5aa0abdb7846342b2e367b1bb0665502b48993549f1a56d41db30aeacfd19c

SHA512
a439b97280e519661cb154031ac3d58d06991751e530d2c3ec320d2d985e186f1665902e3ed15d1fbcb2d67712f03121ec5aa1a925c7f202876f374de31d3541

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldFVeKsEAn.bat

Filesize
189B

MD5
e2b9165b12e26d82816f680d6fb6ad1c

SHA1
6d4d1be1e34be5e16f378c6a1b2557e436140dae

SHA256
a007b8301364367d6cc457bb46b3d85e31ee8ab876c5b6207533ea5545e33017

SHA512
896a3417f0b0ccf450658d0daf6b4e650021708c57dca7507e87e6e3e6236fac53b0be8ba07d783d787a8562dcd008004f797b7e77eeb67773d4c038d3e57e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\portmonitor.exe

Filesize
3.8MB

MD5
3d686dda8f890bef092779bc682dec10

SHA1
2e6f12de7a5d4febe798a63b2f8914458741bf7f

SHA256
af9b7828f0661720eeaac5931f160f7db17dbf6c1ddcd7020a0c06a4deb2b7d4

SHA512
cb32222a74d01de5c99e5096e1e00f86ab54af0db9e6b560b5952de2ab1c654ebde7331e80302dedb387acc7ad7c98eae3748cf3bf2bb78c1d0a5088db881f58

Download Submit
C:\Webnet\x9qTsv13UFeYw.bat

Filesize
84B

MD5
5bcb417bd38f4db1936b88b262c0f7ad

SHA1
d724fa06c67a7740497576d08b2c9b5b77c7eca4

SHA256
f4374316bbc474ade932922a7ae28b6ded46b26a39ec4f3d1042b342a9bb9f07

SHA512
9706324f2d9ad3e617987927e63a8a1372c18139a465c17ad5ff8a45d21c09b17571f1de7ae98714310d4a7e0a6f8e40d9148c87c93324c9eacd99f0ab2a2e6c

Download Submit
C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe

Filesize
209B

MD5
1fefc5b72cd89c9f83dcf8a47b254f58

SHA1
909c965e493baab2203bac16be714cfb88a75f0d

SHA256
7f03a5563b7186e6c6efa09392c843783b9a3375bcfbe29e4b9c8fc6f3032c3c

SHA512
5bada5c497c306276c348569995cb254b3e6dcf2a8c10e48eadded26b69e7d5690503b8d9610f46b91a28effbe4be8d7345938d8c59d9f5343186f4d60e526ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\piccn4qf\piccn4qf.0.cs

Filesize
389B

MD5
a8760a63f78cd871c03a62e105b104f7

SHA1
38c909e17cfc47853f028cc076cdc81b31ce9514

SHA256
1cbbee784490403415029b462cb8ce0f6d987ec6177f17601ad084b444a7a0ca

SHA512
269de54f975a6aaf1c933c32f841f27a0e4e2454ad52a03e7055ba1792d36d2ce326af81103968cc8c5252cf8ef1ac4a762aedcff97f9cd6ac51ed0aaa3eae7a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\piccn4qf\piccn4qf.cmdline

Filesize
235B

MD5
98a5592ce7a726247996f6881c489f4b

SHA1
6b56c9b951f52809d6ccf3b875afe897621d6502

SHA256
2f4e788c60c7b1e1c8c83786f70e7c799b0d0f8c5154b8dd3b1781737f98a77d

SHA512
00bae714735008afd102fd81f6d621320f2897e1a7f4a824b4551f689952d876121af0abd91bbcba27c2c1f05adf966bd24792191bb76f31704f81bacb658a33

Download Submit
\??\c:\Windows\System32\CSC49A33694301F4671BE5CC7FEF2B0B159.TMP

Filesize
1KB

MD5
bfb5195b3f3a87a55924d32b25f58821

SHA1
20a15b7e5c1f8626a991b0018ecff1e0f9bbdd55

SHA256
27fc2b6d7eb6b901e442740584ea89682cf613798415d7f431174412a2c78241

SHA512
137ad28b8cc1d5a270c6f98fe129697c1a1d6828f8fbeb72a2f290e0242f547c9aeb97d28c818efe717aa6b7833cece46dd6ddd5d033d9d1f5ce442757d2ab3b

Download Submit
\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe

Filesize
5.2MB

MD5
b86bbb42b26e72a601087f68cda89208

SHA1
baca49e35da3b83cd56ba579d61f98e9b137debe

SHA256
320eff01b2a5b520853cd9b0c7486b3d9992dce2f9308f267069a60f88f8deb0

SHA512
e98dfeb55d6053d6e2ec323f4665b4ea8cdb5bae0807ac70ac5dbb6cf7f3e8e1ba6a2ad099f8232b0e0ca9a738a9baf7d132957fb5d503c78283b229e35ed974

Download Submit
\Users\Admin\AppData\Local\Temp\leetcrack.exe

Filesize
8.7MB

MD5
93144ffd83e528ff8651605be2d2c1a4

SHA1
6c661ce690ecd3ecd21c8953e410543fcf8a69ad

SHA256
4ded33a5b292e88739e50c25c4db2ec8a4b444b21431f3daba87a2573965bd60

SHA512
5236edcac0e56126c0f83eccc930a96548788694e1505ee0f74e77ed41582b1c92573de2fef0bf1e69fa3e9bc355f45f4671a67da66612e1a24b8eb849ea668c

Download Submit
\Webnet\portmonitor.exe

Filesize
3.5MB

MD5
aa6c98cd853bf585a410394fd10817dc

SHA1
ceab1865997ae2c6e070a9c6adf6b129cf2ad383

SHA256
fc45eebea5ae88160a2ac49fe7e027baeee028c4f4b021794726a04ecea8c90b

SHA512
2ada05425dce38fd9fe48c9ceb6a21c59c5e7088274c4445dfde054974f14f8feba5012909c5a75d7932a6bcbb488e38d34d9c970cd61c636ee13abc59e06562

Download Submit
memory/832-125-0x0000000000250000-0x00000000005DE000-memory.dmp

Filesize
3.6MB

Download
memory/2284-29-0x00000000033E0000-0x000000000400A000-memory.dmp

Filesize
12.2MB

Download
memory/2792-30-0x000000013F4A0000-0x00000001400CA000-memory.dmp

Filesize
12.2MB

Download
memory/3016-68-0x000000001AAA0000-0x000000001AAB2000-memory.dmp

Filesize
72KB

Download
memory/3016-84-0x000000001ABA0000-0x000000001ABAE000-memory.dmp

Filesize
56KB

Download
memory/3016-66-0x00000000025D0000-0x00000000025DE000-memory.dmp

Filesize
56KB

Download
memory/3016-62-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/3016-70-0x000000001AA80000-0x000000001AA90000-memory.dmp

Filesize
64KB

Download
memory/3016-72-0x000000001AAE0000-0x000000001AAF6000-memory.dmp

Filesize
88KB

Download
memory/3016-74-0x000000001AB00000-0x000000001AB12000-memory.dmp

Filesize
72KB

Download
memory/3016-76-0x000000001AA90000-0x000000001AA9E000-memory.dmp

Filesize
56KB

Download
memory/3016-78-0x000000001AAC0000-0x000000001AAD0000-memory.dmp

Filesize
64KB

Download
memory/3016-80-0x000000001AAD0000-0x000000001AAE0000-memory.dmp

Filesize
64KB

Download
memory/3016-82-0x000000001BA70000-0x000000001BACA000-memory.dmp

Filesize
360KB

Download
memory/3016-64-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/3016-86-0x000000001ABB0000-0x000000001ABC0000-memory.dmp

Filesize
64KB

Download
memory/3016-88-0x000000001ABC0000-0x000000001ABCE000-memory.dmp

Filesize
56KB

Download
memory/3016-90-0x000000001AFC0000-0x000000001AFD8000-memory.dmp

Filesize
96KB

Download
memory/3016-92-0x000000001AFA0000-0x000000001AFAC000-memory.dmp

Filesize
48KB

Download
memory/3016-94-0x000000001BBD0000-0x000000001BC1E000-memory.dmp

Filesize
312KB

Download
memory/3016-60-0x00000000025E0000-0x00000000025F8000-memory.dmp

Filesize
96KB

Download
memory/3016-58-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/3016-56-0x00000000025A0000-0x00000000025BC000-memory.dmp

Filesize
112KB

Download
memory/3016-54-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/3016-52-0x0000000002370000-0x0000000002396000-memory.dmp

Filesize
152KB

Download
memory/3016-50-0x0000000000840000-0x0000000000BCE000-memory.dmp

Filesize
3.6MB

Download