zgrat | d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

General

Target

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Size

1.8MB
MD5

437a180db44c659505d08da56b1c5344
SHA1

63dcc88fc8ca4dc2c25028695b72fc48f9978df2
SHA256

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644
SHA512

fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a
SSDEEP

24576:cr3h9VUoVO3iealWdJarwRH7Vq5nTwJfrOTSxiRuxC7HtTlu6uFGBrkSVYNntYrl:cZbnV4koqTCxytBurGBwSVYNWZc7G8p

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3016-1-0x0000000000D30000-0x0000000000F0A000-memory.dmp	family_zgrat_v1
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	family_zgrat_v1
behavioral1/memory/572-48-0x0000000001230000-0x000000000140A000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Windows\\Cursors\\System.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Windows\\Cursors\\System.exe\", \"C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Windows\\Cursors\\System.exe\", \"C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Windows\\Cursors\\System.exe\", \"C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\smss.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\", \"C:\\Windows\\Cursors\\System.exe\", \"C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\", \"C:\\Users\\Public\\Desktop\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2720	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2720	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3016-1-0x0000000000D30000-0x0000000000F0A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/572-48-0x0000000001230000-0x000000000140A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

572 smss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
572	smss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Defender\\es-ES\\Idle.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Desktop\\smss.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Cursors\\System.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Cursors\\System.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\Desktop\\smss.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\csrss.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC2C14C447027461A8CC2D839025456.TMP	csc.exe
File created	\??\c:\Windows\System32\ldgalj.exe	csc.exe

Drops file in Program Files directory 6 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\es-ES\Idle.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Windows Defender\es-ES\6ccacd8608530f	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\b233e56e0515d6	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Drops file in Windows directory 2 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
File created	C:\Windows\Cursors\System.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Windows\Cursors\27d1bcfc3c54e0	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1124	schtasks.exe
1756	schtasks.exe
1664	schtasks.exe
1552	schtasks.exe
468	schtasks.exe
1508	schtasks.exe
2004	schtasks.exe
2148	schtasks.exe
2700	schtasks.exe
796	schtasks.exe
2000	schtasks.exe
1916	schtasks.exe
2848	schtasks.exe
2900	schtasks.exe
2836	schtasks.exe
2176	schtasks.exe
1616	schtasks.exe
1228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exesmss.exe

pid	process
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
572	smss.exe
572	smss.exe
572	smss.exe
572	smss.exe
572	smss.exe
572	smss.exe
572	smss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

smss.exe

pid process

572 smss.exe

pid	process
572	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exesmss.exe

description	pid	process
Token: SeDebugPrivilege	3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Token: SeDebugPrivilege	572	smss.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.execsc.execmd.exe

description	pid	process	target process
PID 3016 wrote to memory of 2740	3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 3016 wrote to memory of 2740	3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 3016 wrote to memory of 2740	3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 2740 wrote to memory of 1048	2740	csc.exe	cvtres.exe
PID 2740 wrote to memory of 1048	2740	csc.exe	cvtres.exe
PID 2740 wrote to memory of 1048	2740	csc.exe	cvtres.exe
PID 3016 wrote to memory of 1428	3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	cmd.exe
PID 3016 wrote to memory of 1428	3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	cmd.exe
PID 3016 wrote to memory of 1428	3016	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	cmd.exe
PID 1428 wrote to memory of 1332	1428	cmd.exe	chcp.com
PID 1428 wrote to memory of 1332	1428	cmd.exe	chcp.com
PID 1428 wrote to memory of 1332	1428	cmd.exe	chcp.com
PID 1428 wrote to memory of 2972	1428	cmd.exe	w32tm.exe
PID 1428 wrote to memory of 2972	1428	cmd.exe	w32tm.exe
PID 1428 wrote to memory of 2972	1428	cmd.exe	w32tm.exe
PID 1428 wrote to memory of 572	1428	cmd.exe	smss.exe
PID 1428 wrote to memory of 572	1428	cmd.exe	smss.exe
PID 1428 wrote to memory of 572	1428	cmd.exe	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
"C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\slweyote\slweyote.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C1F.tmp" "c:\Windows\System32\CSC2C14C447027461A8CC2D839025456.TMP"
    3⤵
    PID:1048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmghfkJ5Ze.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1332
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2972
- - C:\Users\Public\Desktop\smss.exe
    "C:\Users\Public\Desktop\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Cursors\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe

Filesize
1.8MB

MD5
437a180db44c659505d08da56b1c5344

SHA1
63dcc88fc8ca4dc2c25028695b72fc48f9978df2

SHA256
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

SHA512
fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2C1F.tmp

Filesize
1KB

MD5
a43cc3e14d7de54914d0099d8b22ed7c

SHA1
96f2e3465b32eecf770f7874dda342f3b9437d73

SHA256
d662b86e15366b2eaf631819173c2e612adf292af96adf08898ffa962b8fece1

SHA512
92ececb27e2f4c6d8975759058be2fc822c8aae51af2cd1f34d4611c29fd965f86c2b514132e1c1232a424f4fb4ba720de426d23ddaa3a9c38207033e1eb86fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmghfkJ5Ze.bat

Filesize
208B

MD5
ae6ce2a4dc06f8be98bbf7deb620376b

SHA1
94f7a77f3b960c0392119de8faf036a8aa06c3b8

SHA256
e60a8bbabf537e1f247b7287acae40206d0ec6554bad49baf2361c01b120087d

SHA512
5f39b18e8c2d5ade03b8ba2d7a3af10bc7a73eba30aba6b3366ece2a625de7e6f388903735f56a6d108cf9ad1cc95bdea79659523004abc3237185d222cd18a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\slweyote\slweyote.0.cs

Filesize
389B

MD5
878c0a5434c2d336588ba28467b44d50

SHA1
8cafe615c23e9dc486e08b6123df1d8ee6067620

SHA256
1fa45b73f5c89f3e60f2de498cecbdc32532d3d76a4a17caee3b7291396bba01

SHA512
31bdc4c5847e35dc93e2172033faf12cb71ba3c66a12b7d69199ff47b7aef8a6a319fc57eae7fd6482bf6b45c2b89da9e6799c6edc52d26946ab404759e683c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\slweyote\slweyote.cmdline

Filesize
235B

MD5
52da9c3a57f9da0d8536db426332a258

SHA1
1d393f929f1a166ff6e0da9bba0b17beb2e63f5a

SHA256
a64a68638cfc3fd805c94a94fca1611f43b2926f02937326de2864d403d12e55

SHA512
f774acceb6de037a9197bde6220e436c7bf98ea09d52273f69d9bf549a6155e434c30f6ffa074248f108b7be106c7b3ddaca3b830e8d1c607bf8f1c7ecb4ae04

Download Submit
\??\c:\Windows\System32\CSC2C14C447027461A8CC2D839025456.TMP

Filesize
1KB

MD5
bfb5195b3f3a87a55924d32b25f58821

SHA1
20a15b7e5c1f8626a991b0018ecff1e0f9bbdd55

SHA256
27fc2b6d7eb6b901e442740584ea89682cf613798415d7f431174412a2c78241

SHA512
137ad28b8cc1d5a270c6f98fe129697c1a1d6828f8fbeb72a2f290e0242f547c9aeb97d28c818efe717aa6b7833cece46dd6ddd5d033d9d1f5ce442757d2ab3b

Download Submit
memory/572-48-0x0000000001230000-0x000000000140A000-memory.dmp

Filesize
1.9MB

Download
memory/3016-6-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/3016-8-0x0000000000760000-0x000000000077C000-memory.dmp

Filesize
112KB

Download
memory/3016-15-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-13-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/3016-11-0x0000000000A20000-0x0000000000A38000-memory.dmp

Filesize
96KB

Download
memory/3016-16-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-9-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-14-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-0-0x000007FEF55D3000-0x000007FEF55D4000-memory.dmp

Filesize
4KB

Download
memory/3016-4-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-3-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-2-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-45-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/3016-1-0x0000000000D30000-0x0000000000F0A000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads