zgrat | 8d2367e0bb2b238b649afdd4a13c681364f3ea8097f5b79e460f7d9fbe6eb12c

Analysis

max time kernel
118s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Size

1.9MB
MD5

277ee62972ced037975513a5d4120175
SHA1

6d7531f9447a58b8978c8a24c2f71e14eebb3ea6
SHA256

0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31
SHA512

9e53e3f7d966c334a59343d6b149961aff2e2e843fdf9e838c9b823cd23fb680ed4330ff8e3f76420e962567c80a7dec6a9bd207b0b5a1b5695817b72a902ebb
SSDEEP

49152:xqfbh5qev49UlsetjyMjIRq/f1oUBT635:xq9wev49Ne4M//VBG

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1632-1-0x0000000001250000-0x0000000001438000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000016d1a-33.dat	family_zgrat_v1
behavioral1/memory/956-56-0x0000000000AB0000-0x0000000000C98000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\winlogon.exe\", \"C:\\Users\\Default User\\smss.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\winlogon.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\winlogon.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\sppsvc.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\winlogon.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\services.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Sidebar\\ja-JP\\services.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\winlogon.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2596	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2596	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
956	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\services.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\winlogon.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\1033\\winlogon.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Microsoft Office\\Office14\\csrss.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\sppsvc.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Windows Sidebar\\ja-JP\\services.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\sppsvc.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ipinfo.io
4	ipinfo.io
5	ipinfo.io
12	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC3FB0BCE89E654246B8834B32AE6C533.TMP	csc.exe
File created	\??\c:\Windows\System32\slsogk.exe	csc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\0a1fd5f707cd16	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files\Microsoft Office\Office14\csrss.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files\Microsoft Office\Office14\886983d96e3d3e	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\c5b4cb5e9653cc	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\taskhost.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\winlogon.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\cc11b995f2a76d	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\services.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2712	schtasks.exe
2948	schtasks.exe
2328	schtasks.exe
940	schtasks.exe
2800	schtasks.exe
2500	schtasks.exe
2684	schtasks.exe
1436	schtasks.exe
1952	schtasks.exe
2452	schtasks.exe
2008	schtasks.exe
1640	schtasks.exe
1872	schtasks.exe
2864	schtasks.exe
2860	schtasks.exe
1492	schtasks.exe
1660	schtasks.exe
1996	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3040	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
956	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Token: SeDebugPrivilege	956	services.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2476	1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	32
PID 1632 wrote to memory of 2476	1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	32
PID 1632 wrote to memory of 2476	1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	32
PID 2476 wrote to memory of 2604	2476	csc.exe	34
PID 2476 wrote to memory of 2604	2476	csc.exe	34
PID 2476 wrote to memory of 2604	2476	csc.exe	34
PID 1632 wrote to memory of 952	1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	50
PID 1632 wrote to memory of 952	1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	50
PID 1632 wrote to memory of 952	1632	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	50
PID 952 wrote to memory of 2280	952	cmd.exe	52
PID 952 wrote to memory of 2280	952	cmd.exe	52
PID 952 wrote to memory of 2280	952	cmd.exe	52
PID 952 wrote to memory of 3040	952	cmd.exe	53
PID 952 wrote to memory of 3040	952	cmd.exe	53
PID 952 wrote to memory of 3040	952	cmd.exe	53
PID 952 wrote to memory of 956	952	cmd.exe	54
PID 952 wrote to memory of 956	952	cmd.exe	54
PID 952 wrote to memory of 956	952	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
"C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vkfaol44\vkfaol44.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21A4.tmp" "c:\Windows\System32\CSC3FB0BCE89E654246B8834B32AE6C533.TMP"
    3⤵
    PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gwcbsFDSjL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2280
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:3040
- - C:\Program Files\Windows Sidebar\ja-JP\services.exe
    "C:\Program Files\Windows Sidebar\ja-JP\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc310" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc310" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\ja-JP\services.exe

Filesize
1.9MB

MD5
277ee62972ced037975513a5d4120175

SHA1
6d7531f9447a58b8978c8a24c2f71e14eebb3ea6

SHA256
0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31

SHA512
9e53e3f7d966c334a59343d6b149961aff2e2e843fdf9e838c9b823cd23fb680ed4330ff8e3f76420e962567c80a7dec6a9bd207b0b5a1b5695817b72a902ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES21A4.tmp

Filesize
1KB

MD5
dd3b0e8315e80d07a0782a3714b23852

SHA1
4e33935bcfd33884166461904cb56fe84819a169

SHA256
274cd73066ec8acada8c56f93471ec7cc47878d3759e92d32bf2e1be549fc162

SHA512
664b37950d41ea0f636c657710461acb811223eeeb9fcd742d1a9edc139c20ea727df80b722b63f5a2399b34b90a27df38f00fedd758c283d00220fd21aa02ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwcbsFDSjL.bat

Filesize
179B

MD5
87c12e8aa0d8f21b71803b48131bfe65

SHA1
8e24df5fd769205b5f915936b6f19143616de0bc

SHA256
18217ddb0eb372d8fe95162680637108a01584380b5c57d5d4d39e01efa29cdb

SHA512
22ccb214038bcafc775479c69b3561b556d4fa1e74450ca289d0914fec3e11f7cff340ed38b545f047f21a83b3becc24ec3bf0a4fe13da9644cab9e63c64458a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vkfaol44\vkfaol44.0.cs

Filesize
383B

MD5
b83ed29316bb76c1dcaa2db0efb7fbc4

SHA1
9666b54cfa5513921ab49869aeec90023291819f

SHA256
adb5f27f336eef89bc5a7d20ac35ff4decced609a1913df9755247c8fbd0cce9

SHA512
91de69fceb2214f34ad0e408f2126007c214b01d63942c952019ea1d779cf12a8614f691a61488d284479edb094c39f53cf9716eaf747271675c586ca8501de9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vkfaol44\vkfaol44.cmdline

Filesize
235B

MD5
634f39eb71f0f0f720b99e7749a656a8

SHA1
f17aa72cb239041d9b1a9b4414e584b65e2f11dd

SHA256
9e0956fe56702088940461c5c968ecab39440b672610fbb96e3743395ca515dd

SHA512
282baf21d6508e49a345fcd688b0864e45bdcbd3b07764f042ca41b9f47c12eba4db11489dc2c4f1faaac7744f9ecdafab4a66ac300c0caae9df680b91e0101f

Download Submit
\??\c:\Windows\System32\CSC3FB0BCE89E654246B8834B32AE6C533.TMP

Filesize
1KB

MD5
3fcb2bd8a227751c0367dff5940613bb

SHA1
bcca174ab4499de5713d836fbc368966aa1f5b2c

SHA256
aca1f364ec354097cdecc50336698c1180b10ae84fc6051eab154482e0965e8c

SHA512
c7357bb6ee27df96ba39066e893ce8521cb1d5c550be24ced7f860e11cc36ecc04fbec14f61da920bca04e0ae150df8dbc53de0c4a6880afa6067bccfe767672

Download Submit
memory/956-56-0x0000000000AB0000-0x0000000000C98000-memory.dmp

Filesize
1.9MB

Download
memory/1632-23-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-14-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/1632-16-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/1632-20-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-21-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-0-0x000007FEF5AD3000-0x000007FEF5AD4000-memory.dmp

Filesize
4KB

Download
memory/1632-19-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/1632-24-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-12-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-17-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-11-0x0000000000800000-0x0000000000818000-memory.dmp

Filesize
96KB

Download
memory/1632-8-0x00000000007E0000-0x00000000007FC000-memory.dmp

Filesize
112KB

Download
memory/1632-9-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-6-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/1632-4-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-3-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-47-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-53-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-2-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/1632-1-0x0000000001250000-0x0000000001438000-memory.dmp

Filesize
1.9MB

Download