zgrat | 93fff33d2e1adb0f8fe56338727c0074cab763fc9018ae18884e2ff1c95a6df0

Analysis

max time kernel
254s
max time network
262s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

348KB
MD5

11f654abf3ca9b28cb249e98b804a980
SHA1

bd08373ada451d494b94067f3d68c830f9563e02
SHA256

93fff33d2e1adb0f8fe56338727c0074cab763fc9018ae18884e2ff1c95a6df0
SHA512

f6b97936361a3e9e763d875a6516ce4992d313866b0ce8ba23356c55aca9fda4184fbb37f4723990ac419f1f13b5c4a361a6905e522408008f6b4d0162883de2
SSDEEP

6144:o6IgLSq6ucXCJq7KPx/AuBshtZFDG5YorToy4d96r:QgLNF6fZFDGSovSzC

Score

10^/10

zgrat evasion execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x0006000000023278-8.dat	family_zgrat_v1
behavioral3/files/0x000a0000000233d3-24.dat	family_zgrat_v1
behavioral3/memory/2332-26-0x0000000000DC0000-0x0000000001162000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\cmd.exe\", \"C:\\Users\\All Users\\Application Data\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\cmd.exe\", \"C:\\Users\\All Users\\Application Data\\csrss.exe\", \"C:\\Windows\\Globalization\\ICU\\SearchApp.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\cmd.exe\", \"C:\\Users\\All Users\\Application Data\\csrss.exe\", \"C:\\Windows\\Globalization\\ICU\\SearchApp.exe\", \"C:\\Windows\\Setup\\State\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\cmd.exe\", \"C:\\Users\\All Users\\Application Data\\csrss.exe\", \"C:\\Windows\\Globalization\\ICU\\SearchApp.exe\", \"C:\\Windows\\Setup\\State\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\dwm.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1784	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	1784	schtasks.exe	93

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3632	powershell.exe
2484	powershell.exe
2268	powershell.exe
1300	powershell.exe
2616	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exeChecker.exeWScript.exeSessionperf.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Sessionperf.exe

Executes dropped EXE 3 IoCs

Processes:

Checker.exeSessionperf.execsrss.exe

pid	Process
932	Checker.exe
2332	Sessionperf.exe
4396	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Application Data\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Globalization\\ICU\\SearchApp.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Globalization\\ICU\\SearchApp.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Setup\\State\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Setup\\State\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\dwm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\SetupMetrics\\dwm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\blockcontainerWincrtdll\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\blockcontainerWincrtdll\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Application Data\\csrss.exe\""	Sessionperf.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSCEC21F36AD2D44209827345E69B43DE24.TMP	csc.exe
File created	\??\c:\Windows\System32\g0jyy6.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

Sessionperf.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dwm.exe	Sessionperf.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6cb0b6c459d5d3	Sessionperf.exe

Drops file in Windows directory 4 IoCs

Processes:

Sessionperf.exe

description	ioc	Process
File created	C:\Windows\Setup\State\5b884080fd4f94	Sessionperf.exe
File created	C:\Windows\Globalization\ICU\SearchApp.exe	Sessionperf.exe
File created	C:\Windows\Globalization\ICU\38384e6a620884	Sessionperf.exe
File created	C:\Windows\Setup\State\fontdrvhost.exe	Sessionperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4580	schtasks.exe
1012	schtasks.exe
1940	schtasks.exe
3312	schtasks.exe
4052	schtasks.exe
856	schtasks.exe
4016	schtasks.exe
868	schtasks.exe
1632	schtasks.exe
1824	schtasks.exe
3116	schtasks.exe
4556	schtasks.exe
952	schtasks.exe
4916	schtasks.exe
3264	schtasks.exe

Modifies registry class 2 IoCs

Processes:

Checker.exeSessionperf.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
4404	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4724	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	Process
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid	Process
4396	csrss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2556	Loader.exe
Token: SeDebugPrivilege	2332	Sessionperf.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4396	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csrss.exe

pid	Process
4396	csrss.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.exe

description	pid	Process	procid_target
PID 2556 wrote to memory of 932	2556	Loader.exe	85
PID 2556 wrote to memory of 932	2556	Loader.exe	85
PID 2556 wrote to memory of 932	2556	Loader.exe	85
PID 932 wrote to memory of 5056	932	Checker.exe	86
PID 932 wrote to memory of 5056	932	Checker.exe	86
PID 932 wrote to memory of 5056	932	Checker.exe	86
PID 5056 wrote to memory of 4084	5056	WScript.exe	89
PID 5056 wrote to memory of 4084	5056	WScript.exe	89
PID 5056 wrote to memory of 4084	5056	WScript.exe	89
PID 4084 wrote to memory of 4404	4084	cmd.exe	91
PID 4084 wrote to memory of 4404	4084	cmd.exe	91
PID 4084 wrote to memory of 4404	4084	cmd.exe	91
PID 4084 wrote to memory of 2332	4084	cmd.exe	92
PID 4084 wrote to memory of 2332	4084	cmd.exe	92
PID 2332 wrote to memory of 532	2332	Sessionperf.exe	97
PID 2332 wrote to memory of 532	2332	Sessionperf.exe	97
PID 532 wrote to memory of 2172	532	csc.exe	99
PID 532 wrote to memory of 2172	532	csc.exe	99
PID 2332 wrote to memory of 3632	2332	Sessionperf.exe	112
PID 2332 wrote to memory of 3632	2332	Sessionperf.exe	112
PID 2332 wrote to memory of 2484	2332	Sessionperf.exe	113
PID 2332 wrote to memory of 2484	2332	Sessionperf.exe	113
PID 2332 wrote to memory of 2268	2332	Sessionperf.exe	114
PID 2332 wrote to memory of 2268	2332	Sessionperf.exe	114
PID 2332 wrote to memory of 2616	2332	Sessionperf.exe	115
PID 2332 wrote to memory of 2616	2332	Sessionperf.exe	115
PID 2332 wrote to memory of 1300	2332	Sessionperf.exe	116
PID 2332 wrote to memory of 1300	2332	Sessionperf.exe	116
PID 2332 wrote to memory of 1520	2332	Sessionperf.exe	121
PID 2332 wrote to memory of 1520	2332	Sessionperf.exe	121
PID 1520 wrote to memory of 408	1520	cmd.exe	124
PID 1520 wrote to memory of 408	1520	cmd.exe	124
PID 1520 wrote to memory of 4724	1520	cmd.exe	125
PID 1520 wrote to memory of 4724	1520	cmd.exe	125
PID 1520 wrote to memory of 4396	1520	cmd.exe	126
PID 1520 wrote to memory of 4396	1520	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\Checker.exe
  "C:\Users\Admin\AppData\Roaming\Checker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4404
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0w3asgbn\0w3asgbn.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FBF.tmp" "c:\Windows\System32\CSCEC21F36AD2D44209827345E69B43DE24.TMP"
        7⤵
        
        PID:2172
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ICU\SearchApp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k5YihuAsty.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:4724
        
        C:\Users\All Users\Application Data\csrss.exe
        
        "C:\Users\All Users\Application Data\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\blockcontainerWincrtdll\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\blockcontainerWincrtdll\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\ICU\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\ICU\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FBF.tmp

Filesize
1KB

MD5
497a0d6e0a4093bf214ee1c6a01455f5

SHA1
6a00963d1160e8213799ab9bc2890d9994a9ff93

SHA256
a122e41ba041f0ef64f906f4817decd8312a1531c0651a4e89b78365a9b098a0

SHA512
b403d54d1fbb4424b542e61c7eba737700e7fcd5dc42abc2a0addc3feda771be265e652568d1c7a16b1e36afb199d6a5b9adbbbd1bceafc5d391cd116ff68468

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqojuza0.qxc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k5YihuAsty.bat

Filesize
173B

MD5
0649b84b5049472449eec19ea6c0984e

SHA1
eb7d03d4d85f8437a31a899054fef5388654171e

SHA256
db9ba15ce646880a1a41b8b1eaa0cb26a1ad3bf2e4eb80020e6da9f4140644dc

SHA512
a5254dcab711505b279643e10a99fbe9b072a4f80d21155fa62f23a6e8c95347f80b072d9ddd35e25300ae4be0c85face192d4e5888bf0bdc7b2b2e878e2aca5

Download Submit
C:\Users\Admin\AppData\Roaming\Checker.exe

Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0w3asgbn\0w3asgbn.0.cs

Filesize
366B

MD5
edb1b053f8e624354632bdf895b29a3b

SHA1
891501007cf515049ff6254f89ea06816f09fefd

SHA256
5d50b8c1bdd4b5666a78cb6a76e44c672d4d73bc6f25e8b07093078e435f556d

SHA512
159898c8cec42e38380f9bd39bbd7ea01dd1434e05291ba94e27bd6fdc694393ca770e85282bc5472176fff109fca19d5ab2b0e2576859d15e02533c6dd8e4ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0w3asgbn\0w3asgbn.cmdline

Filesize
235B

MD5
3851f3746a560ec6024ec552271b5074

SHA1
5c193f76aeb49ce6a42be8e989af2363906c4ab2

SHA256
f76c80188b4152e58d38e0f0ea20244ba8afd77372c9bab572dd7c68095b5946

SHA512
94ff81080ac5fde86770ca8c85c7d4c189996ff1173e7530829e839131415c818650709d84982cdfaafa21aaa0e19c0e5061ac85d46d0fc45e59b0641039fb96

Download Submit
\??\c:\Windows\System32\CSCEC21F36AD2D44209827345E69B43DE24.TMP

Filesize
1KB

MD5
ee02e61712b278a663aabf6c9cd9c14a

SHA1
ce82ed14abd6953b216a9939320a70329212905d

SHA256
65299c0a98dc9afed5cc30f0ba894c76e44aff475873108c6a4d29ce08e94888

SHA512
b8fb886ed346b5eef8136094cb5627194f7ab552e5c62d5d76de05b69ec1bc3379d28695b2733e2c250a65d066c60000a3f538d0b681d7be44e2ce5e3d34a7a4

Download Submit
memory/2268-104-0x000001957F740000-0x000001957F762000-memory.dmp

Filesize
136KB

Download
memory/2332-32-0x00000000032F0000-0x000000000330C000-memory.dmp

Filesize
112KB

Download
memory/2332-70-0x000000001D210000-0x000000001D21E000-memory.dmp

Filesize
56KB

Download
memory/2332-37-0x0000000003320000-0x0000000003338000-memory.dmp

Filesize
96KB

Download
memory/2332-39-0x00000000032D0000-0x00000000032E0000-memory.dmp

Filesize
64KB

Download
memory/2332-41-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/2332-43-0x000000001D0D0000-0x000000001D0DE000-memory.dmp

Filesize
56KB

Download
memory/2332-45-0x000000001D0E0000-0x000000001D0EE000-memory.dmp

Filesize
56KB

Download
memory/2332-47-0x000000001D170000-0x000000001D182000-memory.dmp

Filesize
72KB

Download
memory/2332-49-0x000000001D0F0000-0x000000001D0FC000-memory.dmp

Filesize
48KB

Download
memory/2332-51-0x000000001D100000-0x000000001D110000-memory.dmp

Filesize
64KB

Download
memory/2332-53-0x000000001D1B0000-0x000000001D1C6000-memory.dmp

Filesize
88KB

Download
memory/2332-55-0x000000001D1D0000-0x000000001D1E2000-memory.dmp

Filesize
72KB

Download
memory/2332-56-0x000000001D720000-0x000000001DC48000-memory.dmp

Filesize
5.2MB

Download
memory/2332-58-0x000000001D110000-0x000000001D11E000-memory.dmp

Filesize
56KB

Download
memory/2332-60-0x000000001D190000-0x000000001D1A0000-memory.dmp

Filesize
64KB

Download
memory/2332-62-0x000000001D1A0000-0x000000001D1B0000-memory.dmp

Filesize
64KB

Download
memory/2332-64-0x000000001D250000-0x000000001D2AA000-memory.dmp

Filesize
360KB

Download
memory/2332-66-0x000000001D1F0000-0x000000001D1FE000-memory.dmp

Filesize
56KB

Download
memory/2332-68-0x000000001D200000-0x000000001D210000-memory.dmp

Filesize
64KB

Download
memory/2332-35-0x00000000019A0000-0x00000000019B0000-memory.dmp

Filesize
64KB

Download
memory/2332-72-0x000000001D2B0000-0x000000001D2C8000-memory.dmp

Filesize
96KB

Download
memory/2332-74-0x000000001D220000-0x000000001D22C000-memory.dmp

Filesize
48KB

Download
memory/2332-76-0x000000001D320000-0x000000001D36E000-memory.dmp

Filesize
312KB

Download
memory/2332-33-0x000000001D120000-0x000000001D170000-memory.dmp

Filesize
320KB

Download
memory/2332-26-0x0000000000DC0000-0x0000000001162000-memory.dmp

Filesize
3.6MB

Download
memory/2332-30-0x0000000001990000-0x000000000199E000-memory.dmp

Filesize
56KB

Download
memory/2332-28-0x00000000032A0000-0x00000000032C6000-memory.dmp

Filesize
152KB

Download
memory/2332-111-0x000000001D6B0000-0x000000001D71B000-memory.dmp

Filesize
428KB

Download
memory/2332-110-0x000000001DF50000-0x000000001E01D000-memory.dmp

Filesize
820KB

Download
memory/2556-1-0x0000000000DD0000-0x0000000000E2E000-memory.dmp

Filesize
376KB

Download
memory/2556-12-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2556-3-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2556-2-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/2556-0-0x00007FFD08013000-0x00007FFD08015000-memory.dmp

Filesize
8KB

Download
memory/4396-191-0x000000001DC00000-0x000000001DCCD000-memory.dmp

Filesize
820KB

Download
memory/4396-193-0x000000001D810000-0x000000001D818000-memory.dmp

Filesize
32KB

Download
memory/4396-192-0x000000001E410000-0x000000001E47B000-memory.dmp

Filesize
428KB

Download