zgrat | d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Size

1.8MB
MD5

437a180db44c659505d08da56b1c5344
SHA1

63dcc88fc8ca4dc2c25028695b72fc48f9978df2
SHA256

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644
SHA512

fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a
SSDEEP

24576:cr3h9VUoVO3iealWdJarwRH7Vq5nTwJfrOTSxiRuxC7HtTlu6uFGBrkSVYNntYrl:cZbnV4koqTCxytBurGBwSVYNWZc7G8p

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1448-1-0x0000000000AD0000-0x0000000000CAA000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023415-25.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\dwm.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\dwm.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Program Files\\Java\\jre8\\RuntimeBroker.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\dwm.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Program Files\\Java\\jre8\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Users\\Default User\\dllhost.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Program Files\\Reference Assemblies\\dwm.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	3820	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3820	schtasks.exe	85

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1448-1-0x0000000000AD0000-0x0000000000CAA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0007000000023415-25.dat	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid	Process
4452	dllhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Java\\jre8\\RuntimeBroker.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Reference Assemblies\\dwm.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Java\\jre8\\RuntimeBroker.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Reference Assemblies\\dwm.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB705FBA66B49474FA3909C32E93989F.TMP	csc.exe
File created	\??\c:\Windows\System32\cwwwvr.exe	csc.exe

Drops file in Program Files directory 9 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\fontdrvhost.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files (x86)\Windows NT\5b884080fd4f94	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Reference Assemblies\dwm.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Java\jre8\RuntimeBroker.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File opened for modification	C:\Program Files\Java\jre8\RuntimeBroker.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Java\jre8\9e8d7a4ca61bd9	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Reference Assemblies\6cb0b6c459d5d3	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	Process
4824	schtasks.exe
1492	schtasks.exe
412	schtasks.exe
1616	schtasks.exe
4788	schtasks.exe
3188	schtasks.exe
4220	schtasks.exe
3312	schtasks.exe
3888	schtasks.exe
4508	schtasks.exe
2252	schtasks.exe
1040	schtasks.exe
4212	schtasks.exe
2552	schtasks.exe
1376	schtasks.exe
1200	schtasks.exe
5060	schtasks.exe
3964	schtasks.exe

Modifies registry class 1 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

pid	Process
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid	Process
4452	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exedllhost.exe

description	pid	Process
Token: SeDebugPrivilege	1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Token: SeDebugPrivilege	4452	dllhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.execsc.execmd.exe

description	pid	Process	procid_target
PID 1448 wrote to memory of 4004	1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	89
PID 1448 wrote to memory of 4004	1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	89
PID 4004 wrote to memory of 1760	4004	csc.exe	91
PID 4004 wrote to memory of 1760	4004	csc.exe	91
PID 1448 wrote to memory of 4044	1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	107
PID 1448 wrote to memory of 4044	1448	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	107
PID 4044 wrote to memory of 2024	4044	cmd.exe	109
PID 4044 wrote to memory of 2024	4044	cmd.exe	109
PID 4044 wrote to memory of 4092	4044	cmd.exe	110
PID 4044 wrote to memory of 4092	4044	cmd.exe	110
PID 4044 wrote to memory of 4452	4044	cmd.exe	114
PID 4044 wrote to memory of 4452	4044	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
"C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k5izn3rj\k5izn3rj.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95B8.tmp" "c:\Windows\System32\CSCB705FBA66B49474FA3909C32E93989F.TMP"
    3⤵
    PID:1760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QAKXT7rTQX.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2024
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4092
- - C:\Users\Default User\dllhost.exe
    "C:\Users\Default User\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\dwm.exe

Filesize
1.8MB

MD5
437a180db44c659505d08da56b1c5344

SHA1
63dcc88fc8ca4dc2c25028695b72fc48f9978df2

SHA256
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

SHA512
fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAKXT7rTQX.bat

Filesize
209B

MD5
51527a8a5d119d828512b7eba51fd6dc

SHA1
91232a8a73584f2c1631ea94682e3745cf4a518e

SHA256
a91836776e812b44ef6898fba2f14d263a8826a60a0b487603186fd1a479dd8d

SHA512
5f1c8710068d50f493a9ea70f3abced36481b8cba5ac9e54bac40a479ad9d48ed2cbdf814ffaef2219137316a46f41e6d8b6e5d6e4b54f044fa891322e209569

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES95B8.tmp

Filesize
1KB

MD5
73cbb6b37990c6c0c1440ec67a6b1dff

SHA1
f8fc4140de96c12f182ebe69d29d39f63d3da965

SHA256
dc00b86105973c674413c81d3834ead0fda500b6493adbc10521d739d1b54ac8

SHA512
56659bf55c8e6c6bf21cbc795a4bfdad62b231c0044edb682739bb1555ae5c187e64bbc4634067c857e93e5022608308e890117581907d0bbde1a82e893a91a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k5izn3rj\k5izn3rj.0.cs

Filesize
387B

MD5
997fb647bf110fc9014fc740da967ce2

SHA1
940af4a325165383be9f9c39ca9874e9fb3bb9cc

SHA256
84bfb48628555e9111233655cd885212cb2b5e9f101813e54a99998b167696f2

SHA512
1a96cd44e1d1eb46b32f18a9ed50ff98f30fdf4b41a149ea774533ff112d98daf006dd3625102a5fb47f02dc2a5d6d7158372bb69d78fe3d3c604df3ea41190b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k5izn3rj\k5izn3rj.cmdline

Filesize
235B

MD5
ca3f1aa1da921e4a1d60fd70ffccf30f

SHA1
e15bd4f08deabccd74269f6239ea4e54925c555c

SHA256
272131396f41298577a09dff6dfe47a50796ab1764974de44ab28d9c50d5d1ad

SHA512
4ca437cffedb7ffdeaf02db165d30e9a84b1e7189dd534ac8e174c5c6dbc647a5db55133d3d02fe2456073fc4b1255743db1d4eaa66108bf73d0fb08afe62929

Download Submit
\??\c:\Windows\System32\CSCB705FBA66B49474FA3909C32E93989F.TMP

Filesize
1KB

MD5
913b41bbe173c6878eae5b8d8b62f5b7

SHA1
386047df3df2b03e486bc87c4b7a3fee5f68ad73

SHA256
24e424d4d217bc9b5e76e0867e2715aabb09d7e49ab1e716eefb40d718e4f135

SHA512
c71d73ccf422818dce69b867726b04c54b6418b99d67227e7dc328c3c3df86f0235630feb91494f8102540aa94fce68674707db991222ce4c79934c17b9c0cc9

Download Submit
memory/1448-12-0x0000000002F10000-0x0000000002F28000-memory.dmp

Filesize
96KB

Download
memory/1448-29-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-10-0x000000001BA90000-0x000000001BAE0000-memory.dmp

Filesize
320KB

Download
memory/1448-4-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-14-0x0000000002D80000-0x0000000002D8C000-memory.dmp

Filesize
48KB

Download
memory/1448-16-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-3-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-27-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-28-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-9-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-30-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-34-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-0-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp

Filesize
8KB

Download
memory/1448-8-0x0000000002EF0000-0x0000000002F0C000-memory.dmp

Filesize
112KB

Download
memory/1448-6-0x0000000002D70000-0x0000000002D7E000-memory.dmp

Filesize
56KB

Download
memory/1448-47-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-50-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-2-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

Filesize
10.8MB

Download
memory/1448-1-0x0000000000AD0000-0x0000000000CAA000-memory.dmp

Filesize
1.9MB

Download
memory/4452-59-0x00000000012C0000-0x00000000012C8000-memory.dmp

Filesize
32KB

Download