zgrat | 0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 21:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

277EE62972CED037975513A5D4120175.exe
Size

1.9MB
MD5

277ee62972ced037975513a5d4120175
SHA1

6d7531f9447a58b8978c8a24c2f71e14eebb3ea6
SHA256

0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31
SHA512

9e53e3f7d966c334a59343d6b149961aff2e2e843fdf9e838c9b823cd23fb680ed4330ff8e3f76420e962567c80a7dec6a9bd207b0b5a1b5695817b72a902ebb
SSDEEP

49152:xqfbh5qev49UlsetjyMjIRq/f1oUBT635:xq9wev49Ne4M//VBG

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/780-1-0x0000000000F20000-0x0000000001108000-memory.dmp	family_zgrat_v1
behavioral2/files/0x00070000000233f7-33.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\Public\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\277EE62972CED037975513A5D4120175.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\Public\\StartMenuExperienceHost.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\Public\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\Public\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\smss.exe\", \"C:\\Users\\Public\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\System.exe\""	277EE62972CED037975513A5D4120175.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	2304	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2304	schtasks.exe	84

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	277EE62972CED037975513A5D4120175.exe

Executes dropped EXE 1 IoCs

pid	Process
3812	smss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\StartMenuExperienceHost.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\System.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\277EE62972CED037975513A5D4120175 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\277EE62972CED037975513A5D4120175.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\277EE62972CED037975513A5D4120175 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\277EE62972CED037975513A5D4120175.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\WindowsRE\\smss.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\StartMenuExperienceHost.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\Registry.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	277EE62972CED037975513A5D4120175.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\System.exe\""	277EE62972CED037975513A5D4120175.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
2	ipinfo.io
40	ipinfo.io
41	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC24996A07B44B4E438ACB6FB59C12AA84.TMP	csc.exe
File created	\??\c:\Windows\System32\fruvan.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\27d1bcfc3c54e0	277EE62972CED037975513A5D4120175.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\csrss.exe	277EE62972CED037975513A5D4120175.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe	277EE62972CED037975513A5D4120175.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\ee2ad38f3d4382	277EE62972CED037975513A5D4120175.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\System.exe	277EE62972CED037975513A5D4120175.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\System.exe	277EE62972CED037975513A5D4120175.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4460	schtasks.exe
3940	schtasks.exe
3748	schtasks.exe
508	schtasks.exe
5012	schtasks.exe
4176	schtasks.exe
4264	schtasks.exe
3544	schtasks.exe
1984	schtasks.exe
4536	schtasks.exe
1512	schtasks.exe
1228	schtasks.exe
3408	schtasks.exe
4316	schtasks.exe
3272	schtasks.exe
752	schtasks.exe
5008	schtasks.exe
1744	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	277EE62972CED037975513A5D4120175.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4072	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe
780	277EE62972CED037975513A5D4120175.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3812	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	277EE62972CED037975513A5D4120175.exe
Token: SeDebugPrivilege	3812	smss.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 1832	780	277EE62972CED037975513A5D4120175.exe	88
PID 780 wrote to memory of 1832	780	277EE62972CED037975513A5D4120175.exe	88
PID 1832 wrote to memory of 1936	1832	csc.exe	90
PID 1832 wrote to memory of 1936	1832	csc.exe	90
PID 780 wrote to memory of 1844	780	277EE62972CED037975513A5D4120175.exe	106
PID 780 wrote to memory of 1844	780	277EE62972CED037975513A5D4120175.exe	106
PID 1844 wrote to memory of 2004	1844	cmd.exe	108
PID 1844 wrote to memory of 2004	1844	cmd.exe	108
PID 1844 wrote to memory of 4072	1844	cmd.exe	109
PID 1844 wrote to memory of 4072	1844	cmd.exe	109
PID 1844 wrote to memory of 3812	1844	cmd.exe	113
PID 1844 wrote to memory of 3812	1844	cmd.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe
"C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ahhvublg\ahhvublg.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D84.tmp" "c:\Windows\System32\CSC24996A07B44B4E438ACB6FB59C12AA84.TMP"
    3⤵
    PID:1936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\popGWlpx7F.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2004
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:4072
- - C:\Recovery\WindowsRE\smss.exe
    "C:\Recovery\WindowsRE\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277EE62972CED037975513A5D41201752" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277EE62972CED037975513A5D4120175" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "277EE62972CED037975513A5D41201752" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\277EE62972CED037975513A5D4120175.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\smss.exe

Filesize
1.9MB

MD5
277ee62972ced037975513a5d4120175

SHA1
6d7531f9447a58b8978c8a24c2f71e14eebb3ea6

SHA256
0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31

SHA512
9e53e3f7d966c334a59343d6b149961aff2e2e843fdf9e838c9b823cd23fb680ed4330ff8e3f76420e962567c80a7dec6a9bd207b0b5a1b5695817b72a902ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D84.tmp

Filesize
1KB

MD5
e58ed923695b36c37209ead44ca37445

SHA1
6e6c4bbac68901d4eb36f66f7f08c6004da48d55

SHA256
39dc32771ef5b980b0a6611b19558f5fa305efd8a1b7ba436885aa4303ce90b2

SHA512
88ea721acb9ec5a59cd3d06fee0bce845cbbb3152bce2d760ecd29ccced0e42fd9223542e79233676aab859cfca820fe0e163edb8f38ef181071512cecd3c2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\popGWlpx7F.bat

Filesize
158B

MD5
cc33672be2b30396a8918d3d18c82632

SHA1
9071e0b510e7bcaecd6e48b6cf5eb967fa036c3e

SHA256
e995223629d0a42170aef1c754708348268ab49da2168a3d755d9d25eb3b5b87

SHA512
16d10704cc09855117636f5e403cef0168fd93c7c95da9e0c4236fbd4200dd11068d764c64917ae319a8792cc656c677be9d5e9d78e1aedb229519c5fa8088a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahhvublg\ahhvublg.0.cs

Filesize
362B

MD5
6970474ec07ab4fa4bf1c5e86ffffc36

SHA1
70ce15c1e17afd638540f4dd6135f3c5bbe752e3

SHA256
7d001ec3318e6f60c82cc30edafae67eaa3152fb749c2a4aab389e57c912e0c5

SHA512
9ff3e842a317722743bf618fe042a176cdc894bf0b0fe017bbcb04a25f4efd89f8a46c48518923eb6ff688b777f535a87d94ccbf545af0ea882caef1e109d2ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahhvublg\ahhvublg.cmdline

Filesize
235B

MD5
76a52710f40d91abc00507afd9d7f254

SHA1
689c606a52b82dbb627a5259128061752a656037

SHA256
8f42cbb8c2a2dc1a45e1007dac234d846ea33e8f20836547c76bff59dbd3b95a

SHA512
e1a2b4a8eb4bd762d76345aafb4b4fcc4605546831ee0322b71500dc7286a490d0319ecc71e715219311fe69f417f7a956bb486be305aef2076707c3f23e4931

Download Submit
\??\c:\Windows\System32\CSC24996A07B44B4E438ACB6FB59C12AA84.TMP

Filesize
1KB

MD5
d52087709e2274a5a9381789082a9d03

SHA1
e1f693bc2b4cd35e7abdea93dc0bb77ef6ddce59

SHA256
f4091edfc561d6d16cdb8f686a10ebade8c6a9239730fddb9c652a1c005790c2

SHA512
5e448e07b49f301dd1d815818527f88d32cac7e869cd8120651b940783a29a18c2b4ec87ad18ce3a85c6973e4b676d9499068e3b805c972b6a95660a3c7dae12

Download Submit
memory/780-20-0x0000000003250000-0x000000000325C000-memory.dmp

Filesize
48KB

Download
memory/780-26-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-10-0x0000000003260000-0x000000000327C000-memory.dmp

Filesize
112KB

Download
memory/780-11-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-12-0x000000001C150000-0x000000001C1A0000-memory.dmp

Filesize
320KB

Download
memory/780-16-0x00000000031E0000-0x00000000031EE000-memory.dmp

Filesize
56KB

Download
memory/780-18-0x0000000003240000-0x0000000003248000-memory.dmp

Filesize
32KB

Download
memory/780-14-0x0000000003280000-0x0000000003298000-memory.dmp

Filesize
96KB

Download
memory/780-0-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp

Filesize
8KB

Download
memory/780-21-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-23-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-8-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-7-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-35-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-36-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-37-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-6-0x00000000031D0000-0x00000000031DE000-memory.dmp

Filesize
56KB

Download
memory/780-4-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-3-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-2-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-55-0x000000001C3E0000-0x000000001C4AD000-memory.dmp

Filesize
820KB

Download
memory/780-56-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

Filesize
10.8MB

Download
memory/780-1-0x0000000000F20000-0x0000000001108000-memory.dmp

Filesize
1.9MB

Download
memory/3812-67-0x000000001E9B0000-0x000000001EA7D000-memory.dmp

Filesize
820KB

Download