zgrat | 8d2367e0bb2b238b649afdd4a13c681364f3ea8097f5b79e460f7d9fbe6eb12c

Analysis

max time kernel
145s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Size

1.9MB
MD5

277ee62972ced037975513a5d4120175
SHA1

6d7531f9447a58b8978c8a24c2f71e14eebb3ea6
SHA256

0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31
SHA512

9e53e3f7d966c334a59343d6b149961aff2e2e843fdf9e838c9b823cd23fb680ed4330ff8e3f76420e962567c80a7dec6a9bd207b0b5a1b5695817b72a902ebb
SSDEEP

49152:xqfbh5qev49UlsetjyMjIRq/f1oUBT635:xq9wev49Ne4M//VBG

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/4552-1-0x00000000005C0000-0x00000000007A8000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023439-31.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\spoolsv.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\spoolsv.exe\", \"C:\\Users\\Public\\sihost.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\spoolsv.exe\", \"C:\\Users\\Public\\sihost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\dwm.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\spoolsv.exe\", \"C:\\Users\\Public\\sihost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\RuntimeBroker.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\spoolsv.exe\", \"C:\\Users\\Public\\sihost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\PolicyDefinitions\\es-ES\\dllhost.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\assembly\\spoolsv.exe\", \"C:\\Users\\Public\\sihost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\dwm.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\RuntimeBroker.exe\", \"C:\\Windows\\PolicyDefinitions\\es-ES\\dllhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	3864	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3864	schtasks.exe	88

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Public\\sihost.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\dwm.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\RuntimeBroker.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\RuntimeBroker.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\assembly\\spoolsv.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Public\\sihost.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Internet Explorer\\es-ES\\dwm.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\PolicyDefinitions\\es-ES\\dllhost.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\PolicyDefinitions\\es-ES\\dllhost.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\assembly\\spoolsv.exe\""	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ipinfo.io
8	ipinfo.io
54	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC64501B761C494819A99138AD1EDC76B.TMP	csc.exe
File created	\??\c:\Windows\System32\7wv1lf.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\9e8d7a4ca61bd9	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\dwm.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\6cb0b6c459d5d3	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\dllhost.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Windows\PolicyDefinitions\es-ES\5940a34987c991	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Windows\assembly\spoolsv.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Windows\assembly\f3b6ecef712a24	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
File created	C:\Windows\PolicyDefinitions\es-ES\dllhost.exe	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4560	schtasks.exe
1848	schtasks.exe
552	schtasks.exe
1476	schtasks.exe
3600	schtasks.exe
836	schtasks.exe
4992	schtasks.exe
2748	schtasks.exe
8	schtasks.exe
2844	schtasks.exe
588	schtasks.exe
3960	schtasks.exe
2012	schtasks.exe
4548	schtasks.exe
3400	schtasks.exe
3988	schtasks.exe
3512	schtasks.exe
2404	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4260	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1816	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
Token: SeDebugPrivilege	1816	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 4264	4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	92
PID 4552 wrote to memory of 4264	4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	92
PID 4264 wrote to memory of 1628	4264	csc.exe	119
PID 4264 wrote to memory of 1628	4264	csc.exe	119
PID 4552 wrote to memory of 5040	4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	111
PID 4552 wrote to memory of 5040	4552	0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe	111
PID 5040 wrote to memory of 4532	5040	cmd.exe	113
PID 5040 wrote to memory of 4532	5040	cmd.exe	113
PID 5040 wrote to memory of 4260	5040	cmd.exe	114
PID 5040 wrote to memory of 4260	5040	cmd.exe	114
PID 5040 wrote to memory of 1816	5040	cmd.exe	123
PID 5040 wrote to memory of 1816	5040	cmd.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
"C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hx15k3ff\hx15k3ff.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EE4.tmp" "c:\Windows\System32\CSC64501B761C494819A99138AD1EDC76B.TMP"
    3⤵
    PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgmBqYIxJW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4532
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:4260
- - C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe
    "C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\assembly\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc310" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc310" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31.exe.log

Filesize
1KB

MD5
cb4338b342d00bfe6111ffee5cbfc2ed

SHA1
fc16673b6833ad3cb00743a32868b859e90aa536

SHA256
343ed6661687e81c9615dcaea42fb1a98b70572bb9fe07e16f020108725dbbe9

SHA512
4bcea1366b8be00d08eb15cfd78c87e1c8f3aea140a4ea30efb3c0511cd3de21b7ce8c933c7478fb06a356573ecb928e50df23d340fbd9a6e6c156a004d2a77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7EE4.tmp

Filesize
1KB

MD5
d25d701d925f4437d38d795cb3caaea9

SHA1
d5d2b7584a9ffddcfef7d78470ea73c3d548c5a8

SHA256
d0afded8cab141d61a865e17963e2611e46dba6b3c9719b3d842b9474c19fc18

SHA512
8da64f2e6b64356fc31d1965bd547aa9aa11a082a791c0cb69bc08480e650fc593dbe114717c7289e2442f14c8c0f5a64aae33583523a68b2114944ad9669361

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgmBqYIxJW.bat

Filesize
230B

MD5
487ff69497a6629393ca3c15e23b539a

SHA1
a459d72c0a091a0a11ca84be3c427dcfdaa8b240

SHA256
503909ece2eff59fa26faa80c00461619174bf8b62e6a9de148d1a1771a7881a

SHA512
4208ce4c2fecf84e5da1cff463f83e0866ce3317b9e8e44d228d24f83bcd3edfa2b15587b2b9a91dc9db2f0c1bebe2db41cc0858c73a755a6b74de1aad16d167

Download Submit
C:\Windows\assembly\spoolsv.exe

Filesize
1.9MB

MD5
277ee62972ced037975513a5d4120175

SHA1
6d7531f9447a58b8978c8a24c2f71e14eebb3ea6

SHA256
0da0a8f9d90d7b0bba9460e5471a09dfdd76457ffec081c64b4f91262499cc31

SHA512
9e53e3f7d966c334a59343d6b149961aff2e2e843fdf9e838c9b823cd23fb680ed4330ff8e3f76420e962567c80a7dec6a9bd207b0b5a1b5695817b72a902ebb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hx15k3ff\hx15k3ff.0.cs

Filesize
363B

MD5
adf1d717108373c6492db94fcecfc1c2

SHA1
514f0593f452c4fdfc7ee031f72c23dda1b7950b

SHA256
d200f6341a568636d3930fbd6067f65df31597bab85acf313362a2db2a37acf1

SHA512
36aaa7aa6ff9c9c736f53124dc77f7749f1587e9abcd28a742f6e8cc69b417d16cfd8c61c83b74758772551b90141752a89d6c2879e6acb87083961972978ef0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hx15k3ff\hx15k3ff.cmdline

Filesize
235B

MD5
ab4f3d48211d3d6427aa8ff2f83cff49

SHA1
2cfa3bd795b8ca3d1a81d91e219c1083eda68354

SHA256
fbf6a64f0a1b26cd3dccbb9fc73aa0d5f742a9f68939ccda6a9608ce609701e8

SHA512
ec0f4a3f885081c2bcd162d94c5250f2938134cc56f15f91ad2c607fb8bfa81daad68fe815129dc4592671f5598509d16e312932a16aaa36c9042dd078388578

Download Submit
\??\c:\Windows\System32\CSC64501B761C494819A99138AD1EDC76B.TMP

Filesize
1KB

MD5
af7c030393a1aa241dbd66ac9c612687

SHA1
7700f60d2b4b2730d78f792fd920a19f2df08853

SHA256
f7577c92c7a0e06a106d26fe5e9953f1db17612e65844fa4d1098ea7151bfdb3

SHA512
aefb89b99596423c7b732165d02f8a020eeecec7cea2bc6ee29966a39e739775f7f7f151bef74b4b83742d3b5ada120d4a9ad65738887b3bf5481afa4ee58d67

Download Submit
memory/1816-66-0x000000001C7A0000-0x000000001C86D000-memory.dmp

Filesize
820KB

Download
memory/4552-34-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-2-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-17-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-19-0x00000000029F0000-0x00000000029FC000-memory.dmp

Filesize
48KB

Download
memory/4552-20-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-16-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/4552-12-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-28-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-6-0x0000000002870000-0x000000000287E000-memory.dmp

Filesize
56KB

Download
memory/4552-33-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-11-0x0000000002A20000-0x0000000002A38000-memory.dmp

Filesize
96KB

Download
memory/4552-14-0x00000000028C0000-0x00000000028CE000-memory.dmp

Filesize
56KB

Download
memory/4552-42-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-40-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-36-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-4-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-0-0x00007FFF846E3000-0x00007FFF846E5000-memory.dmp

Filesize
8KB

Download
memory/4552-9-0x000000001B5D0000-0x000000001B620000-memory.dmp

Filesize
320KB

Download
memory/4552-3-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-56-0x000000001BA90000-0x000000001BB5D000-memory.dmp

Filesize
820KB

Download
memory/4552-58-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-35-0x00007FFF846E0000-0x00007FFF851A1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-1-0x00000000005C0000-0x00000000007A8000-memory.dmp

Filesize
1.9MB

Download
memory/4552-8-0x0000000002A00000-0x0000000002A1C000-memory.dmp

Filesize
112KB

Download