zgrat | c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70

max time kernel
1760s
max time network
1798s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
13-05-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

347KB
MD5

1cb742cb95699d994e1cc6810c6f7642
SHA1

103ea603322859742a3e51c5e517a927b9dcd40c
SHA256

c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70
SHA512

79f9a70232b3470ef9386d9b3d987b5370d0562959315d8239509000a1aa9274b13cecc4c6c871cd4d258a0cd19d30574e3280edd54fb108b6ffca7d8c7e4795
SSDEEP

6144:RrwFDD0tZzmf7GxMLEYaEzE2d9JK5/J1pZKM35QM6KkfiruhbOuzB:Rg07e7seE2dK71rKu5Q6kfirIbOuF

Score

10^/10

zgrat evasion execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral4/files/0x000100000002a9af-8.dat	family_zgrat_v1
behavioral4/files/0x000100000002a9af-10.dat	family_zgrat_v1
behavioral4/files/0x000200000002a9df-25.dat	family_zgrat_v1
behavioral4/memory/448-26-0x00000000009A0000-0x0000000000D42000-memory.dmp	family_zgrat_v1
behavioral4/files/0x000100000002a9e4-79.dat	family_zgrat_v1
behavioral4/files/0x000100000002a9e4-221.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\spoolsv.exe\", \"C:\\Windows\\GameBarPresenceWriter\\fontdrvhost.exe\", \"C:\\blockcontainerWincrtdll\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\spoolsv.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\spoolsv.exe\", \"C:\\Windows\\GameBarPresenceWriter\\fontdrvhost.exe\""	Sessionperf.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1080	powershell.exe
2468	powershell.exe
3952	powershell.exe
488	powershell.exe
3056	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 17 IoCs

pid	Process
3432	Checker.exe
448	Sessionperf.exe
792	spoolsv.exe
2520	spoolsv.exe
3580	conhost.exe
3432	fontdrvhost.exe
4044	winlogon.exe
4256	services.exe
2624	spoolsv.exe
4928	conhost.exe
364	fontdrvhost.exe
3716	winlogon.exe
1940	spoolsv.exe
5000	conhost.exe
3056	fontdrvhost.exe
2844	services.exe
4868	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\blockcontainerWincrtdll\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\spoolsv.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\GameBarPresenceWriter\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\GameBarPresenceWriter\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\RedistList\\spoolsv.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\blockcontainerWincrtdll\\winlogon.exe\""	Sessionperf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCF5539C6B33094DEBB97A48364F6EC5C2.TMP	csc.exe
File created	\??\c:\Windows\System32\nksdnj.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\en-US\services.exe	Sessionperf.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\c5b4cb5e9653cc	Sessionperf.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe	Sessionperf.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\f3b6ecef712a24	Sessionperf.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\SearchHost.exe	Sessionperf.exe
File created	C:\Windows\GameBarPresenceWriter\fontdrvhost.exe	Sessionperf.exe
File created	C:\Windows\GameBarPresenceWriter\5b884080fd4f94	Sessionperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3368	schtasks.exe
1632	schtasks.exe
1404	schtasks.exe
5024	schtasks.exe
1492	schtasks.exe
4696	schtasks.exe
1680	schtasks.exe
4880	schtasks.exe
232	schtasks.exe
4988	schtasks.exe
1944	schtasks.exe
3620	schtasks.exe
4912	schtasks.exe
3660	schtasks.exe
416	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2412	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4736	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe
448	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
792	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	Loader.exe
Token: SeDebugPrivilege	448	Sessionperf.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	792	spoolsv.exe
Token: SeDebugPrivilege	2520	spoolsv.exe
Token: SeDebugPrivilege	3580	conhost.exe
Token: SeDebugPrivilege	3432	fontdrvhost.exe
Token: SeDebugPrivilege	4044	winlogon.exe
Token: SeDebugPrivilege	4256	services.exe
Token: SeDebugPrivilege	2624	spoolsv.exe
Token: SeDebugPrivilege	4928	conhost.exe
Token: SeDebugPrivilege	364	fontdrvhost.exe
Token: SeDebugPrivilege	3716	winlogon.exe
Token: SeDebugPrivilege	1940	spoolsv.exe
Token: SeDebugPrivilege	5000	conhost.exe
Token: SeDebugPrivilege	3056	fontdrvhost.exe
Token: SeDebugPrivilege	2844	services.exe
Token: SeDebugPrivilege	4868	winlogon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
792	spoolsv.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3432	3492	Loader.exe	82
PID 3492 wrote to memory of 3432	3492	Loader.exe	82
PID 3492 wrote to memory of 3432	3492	Loader.exe	82
PID 3432 wrote to memory of 1412	3432	Checker.exe	83
PID 3432 wrote to memory of 1412	3432	Checker.exe	83
PID 3432 wrote to memory of 1412	3432	Checker.exe	83
PID 1412 wrote to memory of 4340	1412	WScript.exe	84
PID 1412 wrote to memory of 4340	1412	WScript.exe	84
PID 1412 wrote to memory of 4340	1412	WScript.exe	84
PID 4340 wrote to memory of 2412	4340	cmd.exe	86
PID 4340 wrote to memory of 2412	4340	cmd.exe	86
PID 4340 wrote to memory of 2412	4340	cmd.exe	86
PID 4340 wrote to memory of 448	4340	cmd.exe	87
PID 4340 wrote to memory of 448	4340	cmd.exe	87
PID 448 wrote to memory of 4148	448	Sessionperf.exe	92
PID 448 wrote to memory of 4148	448	Sessionperf.exe	92
PID 4148 wrote to memory of 4876	4148	csc.exe	94
PID 4148 wrote to memory of 4876	4148	csc.exe	94
PID 448 wrote to memory of 3056	448	Sessionperf.exe	107
PID 448 wrote to memory of 3056	448	Sessionperf.exe	107
PID 448 wrote to memory of 488	448	Sessionperf.exe	108
PID 448 wrote to memory of 488	448	Sessionperf.exe	108
PID 448 wrote to memory of 3952	448	Sessionperf.exe	109
PID 448 wrote to memory of 3952	448	Sessionperf.exe	109
PID 448 wrote to memory of 2468	448	Sessionperf.exe	110
PID 448 wrote to memory of 2468	448	Sessionperf.exe	110
PID 448 wrote to memory of 1080	448	Sessionperf.exe	111
PID 448 wrote to memory of 1080	448	Sessionperf.exe	111
PID 448 wrote to memory of 4504	448	Sessionperf.exe	117
PID 448 wrote to memory of 4504	448	Sessionperf.exe	117
PID 4504 wrote to memory of 4068	4504	cmd.exe	119
PID 4504 wrote to memory of 4068	4504	cmd.exe	119
PID 4504 wrote to memory of 4736	4504	cmd.exe	120
PID 4504 wrote to memory of 4736	4504	cmd.exe	120
PID 4504 wrote to memory of 792	4504	cmd.exe	121
PID 4504 wrote to memory of 792	4504	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Roaming\Checker.exe
  "C:\Users\Admin\AppData\Roaming\Checker.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2412
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t11tmofo\t11tmofo.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E01.tmp" "c:\Windows\System32\CSCF5539C6B33094DEBB97A48364F6EC5C2.TMP"
        7⤵
        
        PID:4876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00eHCrmBUE.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:4736
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\blockcontainerWincrtdll\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\blockcontainerWincrtdll\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4912

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Users\All Users\conhost.exe
"C:\Users\All Users\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\GameBarPresenceWriter\fontdrvhost.exe
C:\Windows\GameBarPresenceWriter\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\blockcontainerWincrtdll\winlogon.exe
C:\blockcontainerWincrtdll\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Program Files (x86)\Internet Explorer\en-US\services.exe
"C:\Program Files (x86)\Internet Explorer\en-US\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Users\All Users\conhost.exe
"C:\Users\All Users\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\GameBarPresenceWriter\fontdrvhost.exe
C:\Windows\GameBarPresenceWriter\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\blockcontainerWincrtdll\winlogon.exe
C:\blockcontainerWincrtdll\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Users\All Users\conhost.exe
"C:\Users\All Users\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\GameBarPresenceWriter\fontdrvhost.exe
C:\Windows\GameBarPresenceWriter\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Program Files (x86)\Internet Explorer\en-US\services.exe
"C:\Program Files (x86)\Internet Explorer\en-US\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\blockcontainerWincrtdll\winlogon.exe
C:\blockcontainerWincrtdll\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\en-US\services.exe

Filesize
1.9MB

MD5
1ed6cddb272351d47a5981b0901216cc

SHA1
5cbedbc03a0e830012d14a0e59ad37e185710ceb

SHA256
e2489a918d8e8198dc8f152f91613a303a4e0a42d37fcebac21034c2955421f0

SHA512
652a62ed9864764912fb4ffd5e5dcf077fc4826ee994403f34b095100c8577d982fbc335c5f41ab7f879c54b1a60d69b60f2f469f636f08a2e7faec9eb22dee0

Download Submit
C:\Program Files (x86)\Internet Explorer\en-US\services.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\spoolsv.exe

Filesize
448KB

MD5
adc1a214488382713ab1a98667e1a783

SHA1
4ed61fb67822b03f86d175708ce613d6e5b47582

SHA256
175c930980dc18fef671695162c51b5b8c55a8c58373be434e41f001f3614354

SHA512
8f15c7eb998573ef8cb0d6874a3b2377205afb4a8af6f15941838459100829e0f29fa85609504e55ef1da5dfeff571f50a4f2aed7ff61e576d589d74c50ebcbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
847B

MD5
2940b232afa412901f8ae5651c790f93

SHA1
f79bd5d1433c803515e2d9a016396344187beea2

SHA256
16f4a7736a0c2aee54256d3d75ce4c0816fabf130b3b92340deca34c5f5fda43

SHA512
553d5491c9bc358c7ce8a95caa445e882ab4bf744a2f5be1b2131c20f27321f65121389fd076558ba415f322fdad6ed36a05902e5c55cbbeace371182890af27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
664B

MD5
630f47641a85f1a93593597ba90824ec

SHA1
90899d0063ea9c26920c7c0c07acee66265c742f

SHA256
4cdd7b7476d12cf7cc1b5513b2d2ce35562186fd75ac6ddbd4eca3d682ab3040

SHA512
1e7c3d67838f0d58a13939405661350519ada77b58262e60aed45c8a20f1a8b034127a917bba672ea8efb7dfd25d43006fa5ef3c6a30724f5591c9ee83de9ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00eHCrmBUE.bat

Filesize
219B

MD5
b5943fe34000279d57b270b59a3330c1

SHA1
267cd93fa841c4b5aada89c09b91f75624d4a0c5

SHA256
6b140dcc1027331362b33f801d8f71056dc8146ec538e3eb6191b23e272acb35

SHA512
b70fbca59b3b2d9c124ac970333aa9080bd7f0045025b3a1d856500989ffb1eb01d072d5db3770553763257a0db3151e6a02d5410facabc6b8f8c5b443987879

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E01.tmp

Filesize
1KB

MD5
c2d5cb15efe68b95ae1c2c27f45032f5

SHA1
1695ae9a8d44dafa4ec39a78422be3d9b610abd9

SHA256
59daab2be8722c6f6197a57f89d1ac25e439f93526a89a27aac879cd97f0d668

SHA512
a98998722b05dfca7b5349537de51c68cf44de185a3ea8fe5e552b17e10ba49a73a55eebcbacfba883534c48737dd214c2d6d3de35412cfd7c6e47c9268bf4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nomhhbwv.n2l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Checker.exe

Filesize
2.1MB

MD5
cb76f90eb67a87def5026c116148838b

SHA1
f61138eb64666fb46184f07d014d3d2b124c7a8a

SHA256
e553be863aff8e6f800c41cc5b2c551ba0258f98f5dc25a565982e3fce6ce4d2

SHA512
ff27b6d15a63d615565f14f25b05cd2d876751986587a32be899af2ca6f69ceb58d63ca58acb184fd9114eb2a87a543fdb629d5ebe04dd36f161ff5b98f60e18

Download Submit
C:\Users\Admin\AppData\Roaming\Checker.exe

Filesize
1.2MB

MD5
94f292cfbbb9695c7dfda1732afa7eb1

SHA1
d3351e53175f1a2710c9a70b2481560dc1d14312

SHA256
2fbf12dd577e90dec0d6ec6419686516c3376fc66577cef958a3af0bd8db5475

SHA512
fe7139db2eef0e69a6e7116fdd9df520e97a0bf557bb14685b32c9e813124f95dba36e15eb180d27e05fb8b533f346dc94df2e33f9b0ee5960cdf36944e940a5

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe

Filesize
2.1MB

MD5
6d070a13e2363c0257da357c535a58a6

SHA1
cfd062f2f4a224a6997c24aedf4408049dfdd87e

SHA256
8fef5bcda1bddf549c11f3e643b97c7950a650743c429137bb4da7790fb98161

SHA512
9d3de2b69e4d4c5cac9099bcbbc935837ceaf41d013552a0d936b895b66dea66337319f567a660617ebd938304cb5f4bb4ab06a8db61f083dd82baeb0dbe657f

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t11tmofo\t11tmofo.0.cs

Filesize
362B

MD5
7cbdd85d3ff6542a690c0a319c960717

SHA1
92551d073409d55fddd5273f34d63d2c9483a577

SHA256
706004f7937b3174a97ea8bdd3fbad413e4133da5452085bfb9106c413c8bece

SHA512
5ac8f0c6ab5d27bccd7c1bff58646e07723006ae2e0362158ec37fe15bd3009942400e39b45305b49f8dc54dfcd00d7d48352a6ef499cf7382db048e40ce1129

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t11tmofo\t11tmofo.cmdline

Filesize
235B

MD5
f8656f09aef3d1788608a2f6d6be1743

SHA1
8defbc737c106e72cbbbf93af31818d81cf7caa2

SHA256
1a6aa5335903b5a49450cfb200c2309e8a25c8074278b7baa4678281e44d83da

SHA512
d20ef5365ace49011c365a2fb12bbf7af89e2675f20bd1ac3e3254318ac919d0c9fb88190ac96206238f6aea535be8b698776154e66f0a3ba75c674efd87675d

Download Submit
\??\c:\Windows\System32\CSCF5539C6B33094DEBB97A48364F6EC5C2.TMP

Filesize
1KB

MD5
022c16fbfcaaa4fea7586617028cab20

SHA1
c463820b30a9f5caa4fd5fced818c98e0d8fc24b

SHA256
ac8cdcec9eba60a1d9be405f1d637ecdbd82953a83bc7a9b338c7e0cbb0298f0

SHA512
fc496c3af38d5bf26ce969f8221b8c8575a96c47e7219ceb59922bd8fd1bb3d6263c5d445770f25aaa34e165ecf8f5d6b4d4aba2dc05469141683c010b9d2109

Download Submit
memory/448-32-0x000000001BC20000-0x000000001BC3C000-memory.dmp

Filesize
112KB

Download
memory/448-41-0x000000001BC40000-0x000000001BC50000-memory.dmp

Filesize
64KB

Download
memory/448-51-0x000000001BCF0000-0x000000001BD00000-memory.dmp

Filesize
64KB

Download
memory/448-58-0x000000001BD20000-0x000000001BD2E000-memory.dmp

Filesize
56KB

Download
memory/448-62-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/448-60-0x000000001BD30000-0x000000001BD40000-memory.dmp

Filesize
64KB

Download
memory/448-64-0x000000001BDF0000-0x000000001BE4A000-memory.dmp

Filesize
360KB

Download
memory/448-66-0x000000001BD90000-0x000000001BD9E000-memory.dmp

Filesize
56KB

Download
memory/448-70-0x000000001BDB0000-0x000000001BDBE000-memory.dmp

Filesize
56KB

Download
memory/448-72-0x000000001C050000-0x000000001C068000-memory.dmp

Filesize
96KB

Download
memory/448-76-0x000000001C0C0000-0x000000001C10E000-memory.dmp

Filesize
312KB

Download
memory/448-74-0x000000001BDC0000-0x000000001BDCC000-memory.dmp

Filesize
48KB

Download
memory/448-53-0x000000001BD40000-0x000000001BD56000-memory.dmp

Filesize
88KB

Download
memory/448-68-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

Filesize
64KB

Download
memory/448-49-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/448-43-0x000000001BC50000-0x000000001BC5E000-memory.dmp

Filesize
56KB

Download
memory/448-30-0x000000001BBC0000-0x000000001BBCE000-memory.dmp

Filesize
56KB

Download
memory/448-55-0x000000001BD60000-0x000000001BD72000-memory.dmp

Filesize
72KB

Download
memory/448-39-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/448-35-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

Filesize
64KB

Download
memory/448-33-0x000000001BC90000-0x000000001BCE0000-memory.dmp

Filesize
320KB

Download
memory/448-28-0x000000001BBF0000-0x000000001BC16000-memory.dmp

Filesize
152KB

Download
memory/448-26-0x00000000009A0000-0x0000000000D42000-memory.dmp

Filesize
3.6MB

Download
memory/448-37-0x000000001BC60000-0x000000001BC78000-memory.dmp

Filesize
96KB

Download
memory/448-56-0x000000001C2B0000-0x000000001C7D8000-memory.dmp

Filesize
5.2MB

Download
memory/448-47-0x000000001BD00000-0x000000001BD12000-memory.dmp

Filesize
72KB

Download
memory/448-45-0x000000001BC80000-0x000000001BC8E000-memory.dmp

Filesize
56KB

Download
memory/2468-116-0x000002B093C70000-0x000002B093C92000-memory.dmp

Filesize
136KB

Download
memory/3492-13-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

Filesize
10.8MB

Download
memory/3492-1-0x0000000000FC0000-0x000000000101E000-memory.dmp

Filesize
376KB

Download
memory/3492-3-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

Filesize
10.8MB

Download
memory/3492-2-0x00007FF887AD0000-0x00007FF888592000-memory.dmp

Filesize
10.8MB

Download
memory/3492-0-0x00007FF887AD3000-0x00007FF887AD5000-memory.dmp

Filesize
8KB

Download