zgrat | 93fff33d2e1adb0f8fe56338727c0074cab763fc9018ae18884e2ff1c95a6df0

Analysis

max time kernel
53s
max time network
75s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-05-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

348KB
MD5

11f654abf3ca9b28cb249e98b804a980
SHA1

bd08373ada451d494b94067f3d68c830f9563e02
SHA256

93fff33d2e1adb0f8fe56338727c0074cab763fc9018ae18884e2ff1c95a6df0
SHA512

f6b97936361a3e9e763d875a6516ce4992d313866b0ce8ba23356c55aca9fda4184fbb37f4723990ac419f1f13b5c4a361a6905e522408008f6b4d0162883de2
SSDEEP

6144:o6IgLSq6ucXCJq7KPx/AuBshtZFDG5YorToy4d96r:QgLNF6fZFDGSovSzC

Score

10^/10

zgrat evasion execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000800000001ac40-7.dat	family_zgrat_v1
behavioral1/files/0x000900000001ac46-23.dat	family_zgrat_v1
behavioral1/memory/1380-25-0x0000000000990000-0x0000000000D32000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\ApplicationFrameHost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\blockcontainerWincrtdll\\OfficeClickToRun.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\ApplicationFrameHost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\ApplicationFrameHost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\ApplicationFrameHost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\ApplicationFrameHost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\fontdrvhost.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1508	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1508	schtasks.exe	77

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4864	powershell.exe
4980	powershell.exe
1628	powershell.exe
908	powershell.exe
4028	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

Processes:

Checker.exeSessionperf.exeApplicationFrameHost.exe

pid	Process
1944	Checker.exe
1380	Sessionperf.exe
2452	ApplicationFrameHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\blockcontainerWincrtdll\\OfficeClickToRun.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ApplicationFrameHost = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\ApplicationFrameHost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\blockcontainerWincrtdll\\OfficeClickToRun.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\ApplicationFrameHost = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\ApplicationFrameHost.exe\""	Sessionperf.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSC430437534DC54F399E9B832C8F9C60F6.TMP	csc.exe
File created	\??\c:\Windows\System32\leoba4.exe	csc.exe

Drops file in Program Files directory 7 IoCs

Processes:

Sessionperf.exe

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe	Sessionperf.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\5b884080fd4f94	Sessionperf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	Sessionperf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	Sessionperf.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ApplicationFrameHost.exe	Sessionperf.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\ApplicationFrameHost.exe	Sessionperf.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\6dd19aba3e2428	Sessionperf.exe

Drops file in Windows directory 1 IoCs

Processes:

Sessionperf.exe

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..-platform.resources_31bf3856ad364e35_10.0.15063.0_de-de_987cdfcccad491ab\SearchUI.exe	Sessionperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4344	schtasks.exe
4496	schtasks.exe
4904	schtasks.exe
376	schtasks.exe
4620	schtasks.exe
4416	schtasks.exe
2776	schtasks.exe
4452	schtasks.exe
1940	schtasks.exe
4940	schtasks.exe
4648	schtasks.exe
4160	schtasks.exe
424	schtasks.exe
3988	schtasks.exe
2676	schtasks.exe

Modifies registry class 2 IoCs

Processes:

Sessionperf.exeChecker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Sessionperf.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Checker.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
900	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4552	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	Process
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe
1380	Sessionperf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2428	Loader.exe
Token: SeDebugPrivilege	1380	Sessionperf.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeIncreaseQuotaPrivilege	1628	powershell.exe
Token: SeSecurityPrivilege	1628	powershell.exe
Token: SeTakeOwnershipPrivilege	1628	powershell.exe
Token: SeLoadDriverPrivilege	1628	powershell.exe
Token: SeSystemProfilePrivilege	1628	powershell.exe
Token: SeSystemtimePrivilege	1628	powershell.exe
Token: SeProfSingleProcessPrivilege	1628	powershell.exe
Token: SeIncBasePriorityPrivilege	1628	powershell.exe
Token: SeCreatePagefilePrivilege	1628	powershell.exe
Token: SeBackupPrivilege	1628	powershell.exe
Token: SeRestorePrivilege	1628	powershell.exe
Token: SeShutdownPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeSystemEnvironmentPrivilege	1628	powershell.exe
Token: SeRemoteShutdownPrivilege	1628	powershell.exe
Token: SeUndockPrivilege	1628	powershell.exe
Token: SeManageVolumePrivilege	1628	powershell.exe
Token: 33	1628	powershell.exe
Token: 34	1628	powershell.exe
Token: 35	1628	powershell.exe
Token: 36	1628	powershell.exe
Token: SeIncreaseQuotaPrivilege	908	powershell.exe
Token: SeSecurityPrivilege	908	powershell.exe
Token: SeTakeOwnershipPrivilege	908	powershell.exe
Token: SeLoadDriverPrivilege	908	powershell.exe
Token: SeSystemProfilePrivilege	908	powershell.exe
Token: SeSystemtimePrivilege	908	powershell.exe
Token: SeProfSingleProcessPrivilege	908	powershell.exe
Token: SeIncBasePriorityPrivilege	908	powershell.exe
Token: SeCreatePagefilePrivilege	908	powershell.exe
Token: SeBackupPrivilege	908	powershell.exe
Token: SeRestorePrivilege	908	powershell.exe
Token: SeShutdownPrivilege	908	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeSystemEnvironmentPrivilege	908	powershell.exe
Token: SeRemoteShutdownPrivilege	908	powershell.exe
Token: SeUndockPrivilege	908	powershell.exe
Token: SeManageVolumePrivilege	908	powershell.exe
Token: 33	908	powershell.exe
Token: 34	908	powershell.exe
Token: 35	908	powershell.exe
Token: 36	908	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	powershell.exe
Token: SeSecurityPrivilege	4028	powershell.exe
Token: SeTakeOwnershipPrivilege	4028	powershell.exe
Token: SeLoadDriverPrivilege	4028	powershell.exe
Token: SeSystemProfilePrivilege	4028	powershell.exe
Token: SeSystemtimePrivilege	4028	powershell.exe
Token: SeProfSingleProcessPrivilege	4028	powershell.exe
Token: SeIncBasePriorityPrivilege	4028	powershell.exe
Token: SeCreatePagefilePrivilege	4028	powershell.exe
Token: SeBackupPrivilege	4028	powershell.exe
Token: SeRestorePrivilege	4028	powershell.exe
Token: SeShutdownPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeSystemEnvironmentPrivilege	4028	powershell.exe
Token: SeRemoteShutdownPrivilege	4028	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ApplicationFrameHost.exe

pid	Process
2452	ApplicationFrameHost.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.exe

description	pid	Process	procid_target
PID 2428 wrote to memory of 1944	2428	Loader.exe	71
PID 2428 wrote to memory of 1944	2428	Loader.exe	71
PID 2428 wrote to memory of 1944	2428	Loader.exe	71
PID 1944 wrote to memory of 912	1944	Checker.exe	72
PID 1944 wrote to memory of 912	1944	Checker.exe	72
PID 1944 wrote to memory of 912	1944	Checker.exe	72
PID 912 wrote to memory of 5032	912	WScript.exe	73
PID 912 wrote to memory of 5032	912	WScript.exe	73
PID 912 wrote to memory of 5032	912	WScript.exe	73
PID 5032 wrote to memory of 900	5032	cmd.exe	75
PID 5032 wrote to memory of 900	5032	cmd.exe	75
PID 5032 wrote to memory of 900	5032	cmd.exe	75
PID 5032 wrote to memory of 1380	5032	cmd.exe	76
PID 5032 wrote to memory of 1380	5032	cmd.exe	76
PID 1380 wrote to memory of 4676	1380	Sessionperf.exe	81
PID 1380 wrote to memory of 4676	1380	Sessionperf.exe	81
PID 4676 wrote to memory of 2216	4676	csc.exe	83
PID 4676 wrote to memory of 2216	4676	csc.exe	83
PID 1380 wrote to memory of 4980	1380	Sessionperf.exe	96
PID 1380 wrote to memory of 4980	1380	Sessionperf.exe	96
PID 1380 wrote to memory of 4864	1380	Sessionperf.exe	97
PID 1380 wrote to memory of 4864	1380	Sessionperf.exe	97
PID 1380 wrote to memory of 1628	1380	Sessionperf.exe	98
PID 1380 wrote to memory of 1628	1380	Sessionperf.exe	98
PID 1380 wrote to memory of 908	1380	Sessionperf.exe	99
PID 1380 wrote to memory of 908	1380	Sessionperf.exe	99
PID 1380 wrote to memory of 4028	1380	Sessionperf.exe	100
PID 1380 wrote to memory of 4028	1380	Sessionperf.exe	100
PID 1380 wrote to memory of 4248	1380	Sessionperf.exe	106
PID 1380 wrote to memory of 4248	1380	Sessionperf.exe	106
PID 4248 wrote to memory of 2688	4248	cmd.exe	108
PID 4248 wrote to memory of 2688	4248	cmd.exe	108
PID 4248 wrote to memory of 4552	4248	cmd.exe	109
PID 4248 wrote to memory of 4552	4248	cmd.exe	109
PID 4248 wrote to memory of 2452	4248	cmd.exe	111
PID 4248 wrote to memory of 2452	4248	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\Checker.exe
  "C:\Users\Admin\AppData\Roaming\Checker.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:900
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rduavbtm\rduavbtm.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94FC.tmp" "c:\Windows\System32\CSC430437534DC54F399E9B832C8F9C60F6.TMP"
        7⤵
        
        PID:2216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\ApplicationFrameHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\OfficeClickToRun.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x10LWxHw5U.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:4552
        
        C:\Program Files\Microsoft Office 15\ClientX64\ApplicationFrameHost.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\ApplicationFrameHost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\blockcontainerWincrtdll\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\blockcontainerWincrtdll\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
de6b5bd8bb85e031bc2fd5c31aae7e4f

SHA1
89f82abff96bf904ae6306aa20305dbb1645a85b

SHA256
3538769acc32b09f68d43d9f89b89fc65cdd4bf0d790fead9935f2d201ba7555

SHA512
1294eb06e5d5cba6ed5742fb75b744895b772e284a2a5a35b1293ea1a16caca43dcd4d21b682dcaee4ca73d71a4189248ad73867bb700045b9465e8a343e39d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a900906fa9241e67f340c13e514bfc3

SHA1
386f3bccd508c15dc059c8c8b2ee09c55a016320

SHA256
eec84ca5207f60d634fb05180449c78ce532163c00dabc663ade39b9753bb7f7

SHA512
ba681e3c8966e91e54a80902a090754ee96f6fa127708c09fb359f4914891d6da8d1c176144a869ef01c01e9df0e5a5067e2e8a51e0d34ab146ebe9b611078c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
62c8561f755430780a652d626c597227

SHA1
c30910319267f5bd2942d20334f29f8117788a2f

SHA256
e2ef29f0c46e5e534cf2e39c70f9be50ba0fc248b009015c1d768a7892c6b75b

SHA512
12e52c18417f2b77db9d34f9b043cc962c3806ecf7ddd2f915280d173a0803e6a880cf5f6243bbd65cbe377a52d335f704d0b0cb38f48d2defe6752aaf72d3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES94FC.tmp

Filesize
1KB

MD5
4ad071ec03001b61424404a8f979c976

SHA1
047fa039df443faa6a5fbdfebace01ccd3622329

SHA256
c949531c08d0180478508ce1ea840b0c45b089bcb82ac30f0080516d96489a2f

SHA512
a8c9f1c550c393d7692d791a276b51dd696f610724b4ff9799dd4b77b5aef9df59922099b63d6bb9fcf8876d0f140e2966bcf9d253348c14cbf6cf9fab344c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvnahcft.5ef.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\x10LWxHw5U.bat

Filesize
199B

MD5
38e1603a47eb09ceebc0420656858daf

SHA1
fd54cee2b86c54c29dd25672b79368f1a88b39e6

SHA256
543b320cac9220490684210f21eeeef9cf48d661e9c5fcffa1d036c71f8b2509

SHA512
a0df9e014b1a5c3480778724bec526bbeeaec367dfbc49d276d5c65fb8e78ff8a2111ff754bdab8a32525030eb2e54288a01e73893d6e2b60d20eb1a4c4e2309

Download Submit
C:\Users\Admin\AppData\Roaming\Checker.exe

Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rduavbtm\rduavbtm.0.cs

Filesize
403B

MD5
5e9bdf11f6506167ef7ebb81cefa47c6

SHA1
3887c6032c06da3bed918eb6c92647c04b6d88c4

SHA256
65ac37d37c5e131ab3442de536a146ee7b0561e52e46ef8865450ea88217ad56

SHA512
f8131b12eec3a86e1ab6ac745adc9be77dc431db3f6138b77002411075f90146511d0ee0a6ddfbe446ac2561c0ae57db7b87681c48f0a3e9d2026f8388f9743d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rduavbtm\rduavbtm.cmdline

Filesize
235B

MD5
5ca329487ebdb21f66f27a6b177cfda3

SHA1
3633ed3d47af425356be20af0c5847efa59b7a1e

SHA256
1a60057542bf88fa072c46a8b796d726ff75e75042c934878ea83305b523b260

SHA512
35c76182aaef82ad9d4a3fb19f3d4b695942fc0dccbf9db4cc1160d25a87644ad65b1f30c7b4ee2e1279f18e7313de1620ffb0ce98f4b5888adf1936a0970521

Download Submit
\??\c:\Windows\System32\CSC430437534DC54F399E9B832C8F9C60F6.TMP

Filesize
1KB

MD5
35d2029ed56d02bdd5f6f26e72234b06

SHA1
e3fcc132b8af4e099a5e614d8736689d87e1b83a

SHA256
e0ffde280f68e8f5f0059b987cf1e49557fc03f02e901fc3d1596e0f7f5d8881

SHA512
e3044d3870dec2c132d936394b255eabe771c568abf1dd344530f48233d3f8b0266d2fcdbfc2dd88941c94c1d761a39227dff41673fe2b1d1aa371ace8a7a0df

Download Submit
memory/908-133-0x000002349C640000-0x000002349C6B6000-memory.dmp

Filesize
472KB

Download
memory/1380-31-0x0000000002F90000-0x0000000002FAC000-memory.dmp

Filesize
112KB

Download
memory/1380-69-0x000000001BD10000-0x000000001BD1E000-memory.dmp

Filesize
56KB

Download
memory/1380-40-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/1380-42-0x0000000002FC0000-0x0000000002FCE000-memory.dmp

Filesize
56KB

Download
memory/1380-44-0x0000000002FD0000-0x0000000002FDE000-memory.dmp

Filesize
56KB

Download
memory/1380-46-0x000000001BA00000-0x000000001BA12000-memory.dmp

Filesize
72KB

Download
memory/1380-48-0x000000001B9E0000-0x000000001B9EC000-memory.dmp

Filesize
48KB

Download
memory/1380-50-0x000000001B9F0000-0x000000001BA00000-memory.dmp

Filesize
64KB

Download
memory/1380-52-0x000000001BCB0000-0x000000001BCC6000-memory.dmp

Filesize
88KB

Download
memory/1380-54-0x000000001BCD0000-0x000000001BCE2000-memory.dmp

Filesize
72KB

Download
memory/1380-55-0x000000001C220000-0x000000001C746000-memory.dmp

Filesize
5.1MB

Download
memory/1380-57-0x000000001BA20000-0x000000001BA2E000-memory.dmp

Filesize
56KB

Download
memory/1380-59-0x000000001BC90000-0x000000001BCA0000-memory.dmp

Filesize
64KB

Download
memory/1380-61-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

Filesize
64KB

Download
memory/1380-63-0x000000001BD50000-0x000000001BDAA000-memory.dmp

Filesize
360KB

Download
memory/1380-65-0x000000001BCF0000-0x000000001BCFE000-memory.dmp

Filesize
56KB

Download
memory/1380-67-0x000000001BD00000-0x000000001BD10000-memory.dmp

Filesize
64KB

Download
memory/1380-38-0x0000000002E40000-0x0000000002E50000-memory.dmp

Filesize
64KB

Download
memory/1380-71-0x000000001BDB0000-0x000000001BDC8000-memory.dmp

Filesize
96KB

Download
memory/1380-73-0x000000001BD20000-0x000000001BD2C000-memory.dmp

Filesize
48KB

Download
memory/1380-75-0x000000001BE20000-0x000000001BE6E000-memory.dmp

Filesize
312KB

Download
memory/1380-36-0x000000001B9C0000-0x000000001B9D8000-memory.dmp

Filesize
96KB

Download
memory/1380-34-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/1380-32-0x000000001BC40000-0x000000001BC90000-memory.dmp

Filesize
320KB

Download
memory/1380-25-0x0000000000990000-0x0000000000D32000-memory.dmp

Filesize
3.6MB

Download
memory/1380-27-0x0000000002E50000-0x0000000002E76000-memory.dmp

Filesize
152KB

Download
memory/1380-29-0x0000000002E20000-0x0000000002E2E000-memory.dmp

Filesize
56KB

Download
memory/2428-0-0x0000000000780000-0x00000000007DE000-memory.dmp

Filesize
376KB

Download
memory/2428-11-0x00007FFD3BE70000-0x00007FFD3C04B000-memory.dmp

Filesize
1.9MB

Download
memory/2428-3-0x00007FFD3BE70000-0x00007FFD3C04B000-memory.dmp

Filesize
1.9MB

Download
memory/2428-2-0x00007FFD3BE70000-0x00007FFD3C04B000-memory.dmp

Filesize
1.9MB

Download
memory/2428-1-0x00007FFD3BE70000-0x00007FFD3C04B000-memory.dmp

Filesize
1.9MB

Download
memory/4980-122-0x0000024CB8A40000-0x0000024CB8A62000-memory.dmp

Filesize
136KB

Download