zgrat | d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

General

Target

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Size

1.8MB
MD5

437a180db44c659505d08da56b1c5344
SHA1

63dcc88fc8ca4dc2c25028695b72fc48f9978df2
SHA256

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644
SHA512

fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a
SSDEEP

24576:cr3h9VUoVO3iealWdJarwRH7Vq5nTwJfrOTSxiRuxC7HtTlu6uFGBrkSVYNntYrl:cZbnV4koqTCxytBurGBwSVYNWZc7G8p

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1732-1-0x00000000002E0000-0x00000000004BA000-memory.dmp	family_zgrat_v1
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe	family_zgrat_v1
behavioral1/memory/1160-49-0x0000000001230000-0x000000000140A000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\All Users\\Start Menu\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\my\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\lsm.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\All Users\\Start Menu\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\my\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\lsm.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\All Users\\Start Menu\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\my\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\lsm.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\spoolsv.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\All Users\\Start Menu\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Users\\All Users\\Start Menu\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\my\\explorer.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2788	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

1160 spoolsv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1160	spoolsv.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\spoolsv.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\All Users\\Start Menu\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\All Users\\Start Menu\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\my\\explorer.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Office\\lsm.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\wininit.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\spoolsv.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\my\\explorer.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files (x86)\\Microsoft Office\\lsm.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSCDA022E01A9EC41EFB82138F319734DA3.TMP	csc.exe
File created	\??\c:\Windows\System32\oin92z.exe	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\lsm.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files (x86)\Microsoft Office\101b941d020240	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\explorer.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\7a0fd90576e088	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2748	schtasks.exe
1564	schtasks.exe
2168	schtasks.exe
632	schtasks.exe
1264	schtasks.exe
856	schtasks.exe
2296	schtasks.exe
2620	schtasks.exe
2312	schtasks.exe
2652	schtasks.exe
2472	schtasks.exe
2660	schtasks.exe
2760	schtasks.exe
2164	schtasks.exe
1624	schtasks.exe
1844	schtasks.exe
1468	schtasks.exe
1616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

pid	process
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

spoolsv.exe

pid process

1160 spoolsv.exe

pid	process
1160	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exespoolsv.exe

description	pid	process
Token: SeDebugPrivilege	1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Token: SeDebugPrivilege	1160	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.execsc.execmd.exe

description	pid	process	target process
PID 1732 wrote to memory of 2424	1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 1732 wrote to memory of 2424	1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 1732 wrote to memory of 2424	1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 2424 wrote to memory of 2916	2424	csc.exe	cvtres.exe
PID 2424 wrote to memory of 2916	2424	csc.exe	cvtres.exe
PID 2424 wrote to memory of 2916	2424	csc.exe	cvtres.exe
PID 1732 wrote to memory of 1900	1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	cmd.exe
PID 1732 wrote to memory of 1900	1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	cmd.exe
PID 1732 wrote to memory of 1900	1732	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	cmd.exe
PID 1900 wrote to memory of 2744	1900	cmd.exe	chcp.com
PID 1900 wrote to memory of 2744	1900	cmd.exe	chcp.com
PID 1900 wrote to memory of 2744	1900	cmd.exe	chcp.com
PID 1900 wrote to memory of 2764	1900	cmd.exe	w32tm.exe
PID 1900 wrote to memory of 2764	1900	cmd.exe	w32tm.exe
PID 1900 wrote to memory of 2764	1900	cmd.exe	w32tm.exe
PID 1900 wrote to memory of 1160	1900	cmd.exe	spoolsv.exe
PID 1900 wrote to memory of 1160	1900	cmd.exe	spoolsv.exe
PID 1900 wrote to memory of 1160	1900	cmd.exe	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
"C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dvycxzyj\dvycxzyj.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1758.tmp" "c:\Windows\System32\CSCDA022E01A9EC41EFB82138F319734DA3.TMP"
3⤵
PID:2916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jrAUQUtTfV.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2744

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2764

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\locale\my\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\my\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\my\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe
Filesize
1.8MB

MD5
437a180db44c659505d08da56b1c5344

SHA1
63dcc88fc8ca4dc2c25028695b72fc48f9978df2

SHA256
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

SHA512
fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1758.tmp
Filesize
1KB

MD5
40455eb942174c30f99a4e142657dfcb

SHA1
a295cf46f70e660221548558304f51150693ad6a

SHA256
c70b0ed0628a12b47ba336e33c3ad4099ffd028b1fbf6089c4860f3b4c67419d

SHA512
ea123c41e1664d60e7b7a4fb8365bf2f113f9d3ec61f1051e5eb689e5b5e1e21710d84dc58bb8c1f4d333d9779feb4c4b1b6d020268898c041c5bd2402e50bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrAUQUtTfV.bat
Filesize
250B

MD5
bc38422f293ad73a574f43d63be686f3

SHA1
528c32482acccb584c5bba9cbd994f56dd32f1d5

SHA256
bba5c4708ffab779906958f2cef9661d47c7fdcdd48df4d2fc7eba2ab30221f0

SHA512
c9aa5c9ab0b562f1472133d4895c4dc4043516371b71b568833bf2a8baca9dcc2ee0dcf5924613199f25fbdcd9fa55e7f0b401741f7c9f41f0f4033629561917

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvycxzyj\dvycxzyj.0.cs
Filesize
406B

MD5
51fc9346991d567197137ed11f79c95d

SHA1
977a57d5fed135de596910f84fdcc3fc741d71a4

SHA256
2a0277887591268611ae652486dc04239d5187b4153661a040b703b09c18f33a

SHA512
60ee80172db78b0f5764defc7a6f8b1f86482cd025307cca85f9dbf4af5307abb74cf70fa311a356a2cd0717fd14632d835818b824cf7af36054e6bb40789d6f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dvycxzyj\dvycxzyj.cmdline
Filesize
235B

MD5
ec7d73247c696c23811e65adbd61d840

SHA1
e6854d1645ce8a3e9b6257b4aacd8650f5ed6a07

SHA256
9323f4e94c11de6142c2f275b41c55d2dd12d9e38cffb9b984c2ead65f7f125b

SHA512
cf7e5fe89fa40ebf5cc3d12c805a74bd4a98c1595f36a02a40445bca162688a6f50418ef2dfe9bc7a69125587f2ab0f329086c3ca4e129a5ef31fbb3e3974ad6

Download Submit
\??\c:\Windows\System32\CSCDA022E01A9EC41EFB82138F319734DA3.TMP
Filesize
1KB

MD5
1c0f7844f7e250162f11df610012cc1f

SHA1
2ee0b2ac51be783b0d196868edc6a1fe7a0af068

SHA256
988d255e5988f6b4de58f1eb852279c5974974d18d47af4dccb89cacff4cc020

SHA512
3b323f3a51f44e5dc73f7f54cecb39de91fdb6ea64965fb2e84764297e2856e86c9751c71bb5d549f322547c9b383a13f16775d32e8c9333a66a11739d5e3f6d

Download Submit
memory/1160-49-0x0000000001230000-0x000000000140A000-memory.dmp

Filesize
1.9MB

Download
memory/1732-6-0x0000000000770000-0x000000000077E000-memory.dmp

Filesize
56KB

Download
memory/1732-10-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-16-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-15-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-14-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/1732-12-0x0000000002110000-0x0000000002128000-memory.dmp

Filesize
96KB

Download
memory/1732-18-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-8-0x00000000020F0000-0x000000000210C000-memory.dmp

Filesize
112KB

Download
memory/1732-9-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-0-0x000007FEF5A43000-0x000007FEF5A44000-memory.dmp

Filesize
4KB

Download
memory/1732-4-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-3-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-2-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-46-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-1-0x00000000002E0000-0x00000000004BA000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads