zgrat | 0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31

Analysis

max time kernel
119s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

277EE62972CED037975513A5D4120175.exe
Size

1.9MB
MD5

277ee62972ced037975513a5d4120175
SHA1

6d7531f9447a58b8978c8a24c2f71e14eebb3ea6
SHA256

0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31
SHA512

9e53e3f7d966c334a59343d6b149961aff2e2e843fdf9e838c9b823cd23fb680ed4330ff8e3f76420e962567c80a7dec6a9bd207b0b5a1b5695817b72a902ebb
SSDEEP

49152:xqfbh5qev49UlsetjyMjIRq/f1oUBT635:xq9wev49Ne4M//VBG

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/2556-1-0x0000000000AC0000-0x0000000000CA8000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000016a8a-32.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\wininit.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\explorer.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\277EE62972CED037975513A5D4120175.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\wininit.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\wininit.exe\", \"C:\\Users\\Default User\\csrss.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\wininit.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\wininit.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\explorer.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Prefetch\\ReadyBoot\\wininit.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\explorer.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\""	277EE62972CED037975513A5D4120175.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2772	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2772	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Prefetch\\ReadyBoot\\wininit.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\csrss.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\explorer.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\explorer.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Prefetch\\ReadyBoot\\wininit.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\audiodg.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\277EE62972CED037975513A5D4120175 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\277EE62972CED037975513A5D4120175.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\277EE62972CED037975513A5D4120175 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\277EE62972CED037975513A5D4120175.exe\""	277EE62972CED037975513A5D4120175.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
3	ipinfo.io
9	ipinfo.io
10	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC5B9ACA7D5AA545B781DAF050953AA1D.TMP	csc.exe
File created	\??\c:\Windows\System32\bsgne1.exe	csc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\wininit.exe	277EE62972CED037975513A5D4120175.exe
File created	C:\Windows\Prefetch\ReadyBoot\56085415360792	277EE62972CED037975513A5D4120175.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2640	schtasks.exe
752	schtasks.exe
1440	schtasks.exe
2252	schtasks.exe
344	schtasks.exe
1968	schtasks.exe
1900	schtasks.exe
1348	schtasks.exe
2496	schtasks.exe
2140	schtasks.exe
756	schtasks.exe
1844	schtasks.exe
2724	schtasks.exe
2564	schtasks.exe
2784	schtasks.exe
884	schtasks.exe
1636	schtasks.exe
668	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	277EE62972CED037975513A5D4120175.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	277EE62972CED037975513A5D4120175.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe
2556	277EE62972CED037975513A5D4120175.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1784	277EE62972CED037975513A5D4120175.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	277EE62972CED037975513A5D4120175.exe
Token: SeDebugPrivilege	1784	277EE62972CED037975513A5D4120175.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2912	2556	277EE62972CED037975513A5D4120175.exe	32
PID 2556 wrote to memory of 2912	2556	277EE62972CED037975513A5D4120175.exe	32
PID 2556 wrote to memory of 2912	2556	277EE62972CED037975513A5D4120175.exe	32
PID 2912 wrote to memory of 2524	2912	csc.exe	34
PID 2912 wrote to memory of 2524	2912	csc.exe	34
PID 2912 wrote to memory of 2524	2912	csc.exe	34
PID 2556 wrote to memory of 2264	2556	277EE62972CED037975513A5D4120175.exe	50
PID 2556 wrote to memory of 2264	2556	277EE62972CED037975513A5D4120175.exe	50
PID 2556 wrote to memory of 2264	2556	277EE62972CED037975513A5D4120175.exe	50
PID 2264 wrote to memory of 1076	2264	cmd.exe	52
PID 2264 wrote to memory of 1076	2264	cmd.exe	52
PID 2264 wrote to memory of 1076	2264	cmd.exe	52
PID 2264 wrote to memory of 568	2264	cmd.exe	53
PID 2264 wrote to memory of 568	2264	cmd.exe	53
PID 2264 wrote to memory of 568	2264	cmd.exe	53
PID 2264 wrote to memory of 1784	2264	cmd.exe	54
PID 2264 wrote to memory of 1784	2264	cmd.exe	54
PID 2264 wrote to memory of 1784	2264	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe
"C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pjj41loe\pjj41loe.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37A4.tmp" "c:\Windows\System32\CSC5B9ACA7D5AA545B781DAF050953AA1D.TMP"
    3⤵
    PID:2524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vzoSCQWDHU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1076
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:568
- - C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe
    "C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277EE62972CED037975513A5D41201752" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277EE62972CED037975513A5D4120175" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277EE62972CED037975513A5D41201752" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES37A4.tmp

Filesize
1KB

MD5
8a34b04e1515d70e29f9eb1c90296e75

SHA1
51e605963755e40a31c44f6aeba02fb803d9eb1b

SHA256
4198cae48c58a97b4cee7a8c641c33a9e169b90f589e7ec1945866e5e707edb4

SHA512
79952321002e1c2cb0938b3439b5cab1c7d25964f4af86f5db545eedfede6c4b89e5b58976eb0d1d55a5420281409b0eec7dca9d0c0b47c7f37efb8ce1fdc816

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzoSCQWDHU.bat

Filesize
246B

MD5
2e24a7a718ca9fdd9a807f7b4085e4be

SHA1
ee1bdb9407c35709d96dab2535e059290b0ddc84

SHA256
dfdbcb0504f5c1d1acff4b9669d3d20bda7a060362e4dc018cf1da4f22c48de9

SHA512
700c5e2125fbb49e1ba82142c168daedc67d20261a217336908eb1e905fa5ccc3336167f8acec2ec34d4379e96fdc73b8286b640eaec213640a5891cf64401c8

Download Submit
C:\Windows\Prefetch\ReadyBoot\wininit.exe

Filesize
1.9MB

MD5
277ee62972ced037975513a5d4120175

SHA1
6d7531f9447a58b8978c8a24c2f71e14eebb3ea6

SHA256
0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31

SHA512
9e53e3f7d966c334a59343d6b149961aff2e2e843fdf9e838c9b823cd23fb680ed4330ff8e3f76420e962567c80a7dec6a9bd207b0b5a1b5695817b72a902ebb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pjj41loe\pjj41loe.0.cs

Filesize
373B

MD5
8bcc880c55541810ab1219d61e553875

SHA1
cfc1b22ed079c178e4fdbe5285f055a05e59a593

SHA256
3d6ccf38d569cae50c7cbcb1e876b5e23419a591c9cdc3d09011859916fc2382

SHA512
70b7c203321f69a110df02ae2177102f966401fb3836290ef00781cd88fc0724f22a9857af82791faa920a8188bacb6fd5ff03f1dcd92b923213e90d4d7b6a25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pjj41loe\pjj41loe.cmdline

Filesize
235B

MD5
a713c52aff54a4c884a127b9ceecdfaa

SHA1
d9863639d7076a767ed4ebc2a6e3be1dfdfec76a

SHA256
d12fb97f96edc94133e3569703406bd8982a9bf1ba2efcf11c2cb23b4516c699

SHA512
f5d55056044c0dea8b0f44685e4337c4f5db28b419ba0131343f63d5f358082b161cf8b703dcca5d408948dc77df7f8ed1ae86c17039d02bb21926dce96ea19f

Download Submit
\??\c:\Windows\System32\CSC5B9ACA7D5AA545B781DAF050953AA1D.TMP

Filesize
1KB

MD5
dc62d02b56d310e294d158c225b91f50

SHA1
844e69b5ff0328e80441c54dbdff39d82c3263ba

SHA256
be8b5c97dc2eb2b7a62245da79d879ac20bb8e123c06b565f27e330bfe4fa0f8

SHA512
23e9004baf3f7dc17611fa3fa65e5c8dbd0c49cb43b831688eec9b938c28a3ca6029d737de77810271ac9f0779c27f62db123d2831aee13527d0a3088c39c209

Download Submit
memory/2556-7-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2556-19-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-11-0x0000000000520000-0x0000000000538000-memory.dmp

Filesize
96KB

Download
memory/2556-13-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/2556-16-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-15-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2556-22-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-27-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-20-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-9-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/2556-18-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2556-0-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp

Filesize
4KB

Download
memory/2556-5-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-4-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-3-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-2-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-46-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-1-0x0000000000AC0000-0x0000000000CA8000-memory.dmp

Filesize
1.9MB

Download
memory/2556-52-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download