zgrat | c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

347KB
MD5

1cb742cb95699d994e1cc6810c6f7642
SHA1

103ea603322859742a3e51c5e517a927b9dcd40c
SHA256

c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70
SHA512

79f9a70232b3470ef9386d9b3d987b5370d0562959315d8239509000a1aa9274b13cecc4c6c871cd4d258a0cd19d30574e3280edd54fb108b6ffca7d8c7e4795
SSDEEP

6144:RrwFDD0tZzmf7GxMLEYaEzE2d9JK5/J1pZKM35QM6KkfiruhbOuzB:Rg07e7seE2dK71rKu5Q6kfirIbOuF

Score

10^/10

zgrat evasion execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015cb1-8.dat	family_zgrat_v1
behavioral1/files/0x0036000000015d39-23.dat	family_zgrat_v1
behavioral1/memory/2432-24-0x0000000000E20000-0x00000000011C2000-memory.dmp	family_zgrat_v1
behavioral1/memory/1920-128-0x00000000012D0000-0x0000000001672000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\winlogon.exe\", \"C:\\Program Files\\Common Files\\System\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\conhost.exe\", \"C:\\Users\\All Users\\smss.exe\", \"C:\\blockcontainerWincrtdll\\services.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\winlogon.exe\", \"C:\\Program Files\\Common Files\\System\\en-US\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\winlogon.exe\", \"C:\\Program Files\\Common Files\\System\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\winlogon.exe\", \"C:\\Program Files\\Common Files\\System\\en-US\\cmd.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\conhost.exe\", \"C:\\Users\\All Users\\smss.exe\""	Sessionperf.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	1444	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1444	schtasks.exe	34

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
612	powershell.exe
1780	powershell.exe
1028	powershell.exe
560	powershell.exe
1292	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3048	Checker.exe
2432	Sessionperf.exe
1920	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	cmd.exe
2412	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\smss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\smss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\blockcontainerWincrtdll\\services.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jre7\\bin\\plugin2\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Common Files\\System\\en-US\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Common Files\\System\\en-US\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\blockcontainerWincrtdll\\services.exe\""	Sessionperf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\u7e72d.exe	csc.exe
File created	\??\c:\Windows\System32\CSC5DEBEA303DA6493987A7DBBE8179B1D6.TMP	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\en-US\cmd.exe	Sessionperf.exe
File created	C:\Program Files\Common Files\System\en-US\ebf1f9fa8afd6d	Sessionperf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe	Sessionperf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\088424020bedd6	Sessionperf.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\winlogon.exe	Sessionperf.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\winlogon.exe	Sessionperf.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\cc11b995f2a76d	Sessionperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1516	schtasks.exe
2112	schtasks.exe
2052	schtasks.exe
1404	schtasks.exe
356	schtasks.exe
320	schtasks.exe
2036	schtasks.exe
2736	schtasks.exe
2868	schtasks.exe
2024	schtasks.exe
1904	schtasks.exe
488	schtasks.exe
2908	schtasks.exe
1968	schtasks.exe
880	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2700	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1196	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe
2432	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1920	smss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	Loader.exe
Token: SeDebugPrivilege	2432	Sessionperf.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1920	smss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1920	smss.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 3048	2196	Loader.exe	28
PID 2196 wrote to memory of 3048	2196	Loader.exe	28
PID 2196 wrote to memory of 3048	2196	Loader.exe	28
PID 2196 wrote to memory of 3048	2196	Loader.exe	28
PID 3048 wrote to memory of 2636	3048	Checker.exe	29
PID 3048 wrote to memory of 2636	3048	Checker.exe	29
PID 3048 wrote to memory of 2636	3048	Checker.exe	29
PID 3048 wrote to memory of 2636	3048	Checker.exe	29
PID 2636 wrote to memory of 2412	2636	WScript.exe	30
PID 2636 wrote to memory of 2412	2636	WScript.exe	30
PID 2636 wrote to memory of 2412	2636	WScript.exe	30
PID 2636 wrote to memory of 2412	2636	WScript.exe	30
PID 2412 wrote to memory of 2700	2412	cmd.exe	32
PID 2412 wrote to memory of 2700	2412	cmd.exe	32
PID 2412 wrote to memory of 2700	2412	cmd.exe	32
PID 2412 wrote to memory of 2700	2412	cmd.exe	32
PID 2412 wrote to memory of 2432	2412	cmd.exe	33
PID 2412 wrote to memory of 2432	2412	cmd.exe	33
PID 2412 wrote to memory of 2432	2412	cmd.exe	33
PID 2412 wrote to memory of 2432	2412	cmd.exe	33
PID 2432 wrote to memory of 2072	2432	Sessionperf.exe	38
PID 2432 wrote to memory of 2072	2432	Sessionperf.exe	38
PID 2432 wrote to memory of 2072	2432	Sessionperf.exe	38
PID 2072 wrote to memory of 2308	2072	csc.exe	40
PID 2072 wrote to memory of 2308	2072	csc.exe	40
PID 2072 wrote to memory of 2308	2072	csc.exe	40
PID 2432 wrote to memory of 612	2432	Sessionperf.exe	53
PID 2432 wrote to memory of 612	2432	Sessionperf.exe	53
PID 2432 wrote to memory of 612	2432	Sessionperf.exe	53
PID 2432 wrote to memory of 1292	2432	Sessionperf.exe	54
PID 2432 wrote to memory of 1292	2432	Sessionperf.exe	54
PID 2432 wrote to memory of 1292	2432	Sessionperf.exe	54
PID 2432 wrote to memory of 560	2432	Sessionperf.exe	56
PID 2432 wrote to memory of 560	2432	Sessionperf.exe	56
PID 2432 wrote to memory of 560	2432	Sessionperf.exe	56
PID 2432 wrote to memory of 1028	2432	Sessionperf.exe	57
PID 2432 wrote to memory of 1028	2432	Sessionperf.exe	57
PID 2432 wrote to memory of 1028	2432	Sessionperf.exe	57
PID 2432 wrote to memory of 1780	2432	Sessionperf.exe	58
PID 2432 wrote to memory of 1780	2432	Sessionperf.exe	58
PID 2432 wrote to memory of 1780	2432	Sessionperf.exe	58
PID 2432 wrote to memory of 412	2432	Sessionperf.exe	63
PID 2432 wrote to memory of 412	2432	Sessionperf.exe	63
PID 2432 wrote to memory of 412	2432	Sessionperf.exe	63
PID 412 wrote to memory of 2260	412	cmd.exe	65
PID 412 wrote to memory of 2260	412	cmd.exe	65
PID 412 wrote to memory of 2260	412	cmd.exe	65
PID 412 wrote to memory of 1196	412	cmd.exe	66
PID 412 wrote to memory of 1196	412	cmd.exe	66
PID 412 wrote to memory of 1196	412	cmd.exe	66
PID 412 wrote to memory of 1920	412	cmd.exe	67
PID 412 wrote to memory of 1920	412	cmd.exe	67
PID 412 wrote to memory of 1920	412	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\Checker.exe
  "C:\Users\Admin\AppData\Roaming\Checker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2700
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sdizofqm\sdizofqm.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D3F.tmp" "c:\Windows\System32\CSC5DEBEA303DA6493987A7DBBE8179B1D6.TMP"
        7⤵
        
        PID:2308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\plugin2\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\en-US\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SfbCWe9nlK.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1196
        
        C:\Users\All Users\smss.exe
        
        "C:\Users\All Users\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre7\bin\plugin2\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\plugin2\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\blockcontainerWincrtdll\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\blockcontainerWincrtdll\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3D3F.tmp

Filesize
1KB

MD5
91069db62371c454c1685b73f105988f

SHA1
b7cabc266d71ceab402f7bd120426aad6873f55d

SHA256
7c133bee3f858cc3e3272651c786761d28c87d92378f8da7979241ee91f205b1

SHA512
89e4c13073ebc031f733af535a3c2247c4c89683b55a8c6f1060415c474270acc0c4afdd9e38d8a65c8b1142f66e4979174366ae8b88122a9c5be92822e77afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\SfbCWe9nlK.bat

Filesize
155B

MD5
c138c1d5b58403461337d08bbfe49259

SHA1
8aab11b5e43eb2ab02de9019a45ab822fd776b9f

SHA256
584e5def2567e61db71394e0df8822b6fc61ea3ee7bb36f838c1cac11e3aca9f

SHA512
b418881d7224745288eb58230fabb5b2923fc4c533b9ef8448ab0d1d47e871d1af222d301e275e56bbae043926d5133f2d8c37ac205f95d05d2ec9ef53ec9c8b

Download Submit
C:\Users\Admin\AppData\Roaming\Checker.exe

Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9e3ebcf0c8a7a4cfb6884c0f0fec5fb0

SHA1
5d578b41a374fff51a0fba2f5983a756d337a1c4

SHA256
315788c3cf3af9988dec19634620bdcc5b0809641a6122e19597a7c15044915f

SHA512
8be335dd8b8da4c2f48b72bbd0cc73acf79d704fb1664c71cc167ed2c71dce8b66f0c9bccb313e1b642be05e2a56b6cd68f04e1be71bedd9628d3b07f48aec01

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sdizofqm\sdizofqm.0.cs

Filesize
383B

MD5
7d3b1a78ab8b6b8284fdd540a44062dd

SHA1
a0432dca7beb594e2c24a6f32f9db6ebe73f698f

SHA256
2592c79db4bea6202ce18fdd902cd08b56aff8eabfe48716d527295ff7c73437

SHA512
f6197f51d3da385e7b9304349bdeb06bb68d4d2c0b3e23a451433e30e28fa14bb8f3f51e3f285a3d58aa3fc882ca015145402cdb50700e1c318e1c8594b6f851

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sdizofqm\sdizofqm.cmdline

Filesize
235B

MD5
91bc3752ad391f710c12d855a9ef75be

SHA1
108e0a58c5d1fb084503e588cb963634d7f26093

SHA256
c4a7277e7a0683fc60789775603f81c0167cf1660ded29ac936cf4068c0e6552

SHA512
37f0284b85f2c499a02731527060bc51c65b1842d26b8f1e8827053f643d600cb0b2ea722d513eb12e7c38030f4ad36ddc8ce8668960338b7bc433ba863d4315

Download Submit
\??\c:\Windows\System32\CSC5DEBEA303DA6493987A7DBBE8179B1D6.TMP

Filesize
1KB

MD5
984924caf6574026769de34f35c2358e

SHA1
6dd41e492235d812252231912aa025f47fa7a9e7

SHA256
2bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986

SHA512
5918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46

Download Submit
memory/1780-104-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1780-109-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1920-128-0x00000000012D0000-0x0000000001672000-memory.dmp

Filesize
3.6MB

Download
memory/2196-10-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2196-3-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-1-0x0000000000090000-0x00000000000EE000-memory.dmp

Filesize
376KB

Download
memory/2432-50-0x0000000000C00000-0x0000000000C16000-memory.dmp

Filesize
88KB

Download
memory/2432-70-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/2432-44-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2432-52-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/2432-48-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2432-46-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2432-56-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2432-58-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/2432-54-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/2432-60-0x0000000000DB0000-0x0000000000E0A000-memory.dmp

Filesize
360KB

Download
memory/2432-62-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/2432-64-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/2432-66-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download
memory/2432-34-0x00000000004B0000-0x00000000004C8000-memory.dmp

Filesize
96KB

Download
memory/2432-72-0x0000000002640000-0x000000000268E000-memory.dmp

Filesize
312KB

Download
memory/2432-68-0x00000000025D0000-0x00000000025E8000-memory.dmp

Filesize
96KB

Download
memory/2432-42-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/2432-40-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/2432-38-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2432-36-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2432-32-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2432-30-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2432-28-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2432-26-0x0000000000330000-0x0000000000356000-memory.dmp

Filesize
152KB

Download
memory/2432-24-0x0000000000E20000-0x00000000011C2000-memory.dmp

Filesize
3.6MB

Download