zgrat | d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Size

1.8MB
MD5

437a180db44c659505d08da56b1c5344
SHA1

63dcc88fc8ca4dc2c25028695b72fc48f9978df2
SHA256

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644
SHA512

fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a
SSDEEP

24576:cr3h9VUoVO3iealWdJarwRH7Vq5nTwJfrOTSxiRuxC7HtTlu6uFGBrkSVYNntYrl:cZbnV4koqTCxytBurGBwSVYNWZc7G8p

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4764-1-0x0000000000380000-0x000000000055A000-memory.dmp	family_zgrat_v1
C:\Program Files\Windows Mail\sppsvc.exe	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\wininit.exe\", \"C:\\Program Files\\Uninstall Information\\taskhostw.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\wininit.exe\", \"C:\\Program Files\\Uninstall Information\\taskhostw.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\wininit.exe\", \"C:\\Program Files\\Uninstall Information\\taskhostw.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\msedge.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\wininit.exe\", \"C:\\Program Files\\Uninstall Information\\taskhostw.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Windows Defender\\msedge.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\sppsvc.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\sppsvc.exe\", \"C:\\Users\\All Users\\Templates\\wininit.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	3380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3380	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Executes dropped EXE 2 IoCs

Processes:

sppsvc.exemsedge.exe

pid process

1476 sppsvc.exe
1976 msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1476	sppsvc.exe
1976	msedge.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Templates\\wininit.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Uninstall Information\\taskhostw.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Defender\\msedge.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Windows Defender\\msedge.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Mail\\sppsvc.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Mail\\sppsvc.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Templates\\wininit.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files\\Uninstall Information\\taskhostw.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\RuntimeBroker.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe\""	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC64A5E2D1DC814C678B2D6F6D2D2530.TMP	csc.exe
File created	\??\c:\Windows\System32\_iyiwy.exe	csc.exe

Drops file in Program Files directory 11 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.execsc.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\taskhostw.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Uninstall Information\ea9f0e6c9e2dcd	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Windows Mail\sppsvc.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files\Windows Mail\0a1fd5f707cd16	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC91DF4CEF3C14504B7B9CA9DC1451771.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files (x86)\Windows Defender\61a52ddc9dd915	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9e8d7a4ca61bd9	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File created	C:\Program Files (x86)\Windows Defender\msedge.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\msedge.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Drops file in Windows directory 1 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description ioc process

File created C:\Windows\CSC\dllhost.exe d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\CSC\dllhost.exe	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
2084	schtasks.exe
5008	schtasks.exe
840	schtasks.exe
1976	schtasks.exe
3808	schtasks.exe
4604	schtasks.exe
3568	schtasks.exe
5088	schtasks.exe
1104	schtasks.exe
1844	schtasks.exe
4748	schtasks.exe
4468	schtasks.exe
1084	schtasks.exe
3404	schtasks.exe
3648	schtasks.exe
2352	schtasks.exe
3016	schtasks.exe
2344	schtasks.exe

Modifies registry class 1 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2664 PING.EXE

pid	process
2664	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exesppsvc.exe

pid	process
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
1476	sppsvc.exe
1476	sppsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sppsvc.exe

pid process

1476 sppsvc.exe

pid	process
1476	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exesppsvc.exe

description	pid	process
Token: SeDebugPrivilege	4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
Token: SeDebugPrivilege	1476	sppsvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.execsc.execsc.execmd.exe

description	pid	process	target process
PID 4764 wrote to memory of 4304	4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 4764 wrote to memory of 4304	4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 4304 wrote to memory of 2968	4304	csc.exe	cvtres.exe
PID 4304 wrote to memory of 2968	4304	csc.exe	cvtres.exe
PID 4764 wrote to memory of 4648	4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 4764 wrote to memory of 4648	4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	csc.exe
PID 4648 wrote to memory of 2544	4648	csc.exe	cvtres.exe
PID 4648 wrote to memory of 2544	4648	csc.exe	cvtres.exe
PID 4764 wrote to memory of 3152	4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	cmd.exe
PID 4764 wrote to memory of 3152	4764	d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe	cmd.exe
PID 3152 wrote to memory of 4584	3152	cmd.exe	chcp.com
PID 3152 wrote to memory of 4584	3152	cmd.exe	chcp.com
PID 3152 wrote to memory of 2664	3152	cmd.exe	PING.EXE
PID 3152 wrote to memory of 2664	3152	cmd.exe	PING.EXE
PID 3152 wrote to memory of 1476	3152	cmd.exe	sppsvc.exe
PID 3152 wrote to memory of 1476	3152	cmd.exe	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe
"C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mzhue2lt\mzhue2lt.cmdline"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4522.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC91DF4CEF3C14504B7B9CA9DC1451771.TMP"
3⤵
PID:2968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hmlmuqmx\hmlmuqmx.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4774.tmp" "c:\Windows\System32\CSC64A5E2D1DC814C678B2D6F6D2D2530.TMP"
3⤵
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bRGMHCVoY6.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:4584

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:2664

C:\Program Files\Windows Mail\sppsvc.exe
"C:\Program Files\Windows Mail\sppsvc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644d" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
- Executes dropped EXE
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Filesize
4KB

MD5
27184c7c7f7c38e797414b7ca3e3fb7d

SHA1
dee0e5b774536465523da1698bca7d797f4b4d11

SHA256
7bb06d22694c4832e93ffbbe4d02bf15f2b98541a58d026a8764f6118b4c82d2

SHA512
f5e82e9d5e42113d43e58cf9847534c3e252013cdecfa6215b3ad048f5b2c2350578661faeb967ecf1fc318ced7b3c12ba1268253698510490e56ca969f348d5

Download Submit
C:\Program Files\Windows Mail\sppsvc.exe
Filesize
1.8MB

MD5
437a180db44c659505d08da56b1c5344

SHA1
63dcc88fc8ca4dc2c25028695b72fc48f9978df2

SHA256
d72e20d6e093dcbca62d7a6481f598fe753c664655e3ffd5e3dadce4ef807644

SHA512
fc28c35c86aecf808101692b459d51eba922743677c48127d91fbc7ddb46202621a87f31e460fdd6915b26564a8ac5fe4ff190ae0dcfdb64f709bc193878582a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4522.tmp
Filesize
1KB

MD5
ce2fb0fc7cb9429ca0dfe0b52d1930a8

SHA1
1912ad76808b03ccfb31ade3f9bd70f2579a1acf

SHA256
d62d34635e25be11eb14530bef9a9a7a1f5e389e61f9166c10e922495b5ebbba

SHA512
ea5604b6a85089a0d090b4a913fd55f43e5f5a618fea4baafa8f7498151378767ccb67ff2723b998389c173a79a25f6c50aa7b9c825264386dc1d425535421f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4774.tmp
Filesize
1KB

MD5
875666b7347f5a5acd923080fda0e3ba

SHA1
d771cb409ec8512087a6b530972a2efd79b7ce75

SHA256
25555b221509e4c25019d1656e74f698b700994e8d12f6f2d554c54f30360bf0

SHA512
51a96fa7d1ad1210faea0d62b58f98e537eaf1fa8bf224a9ee1d4d2a273de667cf25b0fc0e35d7bdd60a21398707faa368e63fb9f357c1d3fbb3878dd8e6065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bRGMHCVoY6.bat
Filesize
168B

MD5
e8e8f21082dc067235c28abf2807cdf8

SHA1
a4cfee8536dba7c8508bb181dbc45e3adcb6d009

SHA256
60b60d163cb54a6156370fb255dc054dcdcddd36d9bc5374fc541cab18521a24

SHA512
23fde47e6ce82674dd5980f85082af3d493793913059c364bc6a8d68f49393c2728d0c253e8924a778888edeee081beb798b8ec8286e1daac25040768cd40c59

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC91DF4CEF3C14504B7B9CA9DC1451771.TMP
Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmlmuqmx\hmlmuqmx.0.cs
Filesize
372B

MD5
20d006c9c5f389468d8530a04a3acf30

SHA1
f355452149746872f7b01af6a73374d4d8f91221

SHA256
eaf621c891edaaa34b9e1561cfceac8282849b06f0208a75e09ee61b8d1f87a0

SHA512
83608a5194bfe17d1317604c966b7bc557a021479f8dd3d6cfca0ab2a920bdd82fdbef377f0026ca4640c0c7f97cea6b6b084a08ac8296c4596daf925d47ac8a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmlmuqmx\hmlmuqmx.cmdline
Filesize
235B

MD5
47d4425918737723fa231c34e7ba9572

SHA1
1607567d1aa6382efc27fffc8c2f9998080354ee

SHA256
256c25aa713bec9b3d7d5e2ddf3279980c148fcca9e458e841007b8ba96e4d14

SHA512
2849592f27a2742d1dd1d62206df4aa21cd4938f825e6949f6e60ad626bbf446327a9945765d38f792a599e4e4a458867a8705c56bb08f3becbcb93a53cb796a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzhue2lt\mzhue2lt.0.cs
Filesize
402B

MD5
7b6e60e8b65bf87672fa75283950fd38

SHA1
cd04334a1c7259ca094f156e23211267fb45ea99

SHA256
2f31c8f49262531b08f30ad521704da9acefbcba6cdf906f596e1f4ba18e7ea3

SHA512
15acc7474732143b1ca371d89a93ae5f0a054f2513db3b36ef6ca337f0a332bb2358c8cd145703b0f0d239e59794afc58dd293ec3b3781b0e48c048da8fad029

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzhue2lt\mzhue2lt.cmdline
Filesize
265B

MD5
9b87d284b392ffcf0ce5b6d3045ca04d

SHA1
b9535e37ad5c0494974838002cabc45def9d0b14

SHA256
9316a55579ad8e55e22be1a4870ab0a66cefeccdd584d3395db0ee259cdcd890

SHA512
b2d079703506acf96b6a11251529f12dea190e6ccb53f61bfe66c022b51a2ed170cf3e734fd12a67c1207c88f256d5e2fb7d273dac11f3d86db73f7e434cff18

Download Submit
\??\c:\Windows\System32\CSC64A5E2D1DC814C678B2D6F6D2D2530.TMP
Filesize
1KB

MD5
188249e3f31caa0264351fc374794895

SHA1
323a707d1a37ac8cbae6d6e502cc850f69ae2e15

SHA256
1bf68148c555d0e84720c497dcf3ad708da300ee7472df12c9307a3acd4abde1

SHA512
28a0d97e83b6b6d10c0114166e8f23845663a34c8f262aa5a31ffb885abe232badb6f95bba99b8688559cac81f8ff93c3609ac363d8903d35f535d7c5e1e02d5

Download Submit
memory/1476-71-0x000000001C6B0000-0x000000001C7C5000-memory.dmp

Filesize
1.1MB

Download
memory/4764-16-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-0-0x00007FF894143000-0x00007FF894145000-memory.dmp

Filesize
8KB

Download
memory/4764-6-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/4764-29-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-30-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-31-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-32-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-7-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-15-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/4764-24-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-4-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-12-0x00000000027C0000-0x00000000027D8000-memory.dmp

Filesize
96KB

Download
memory/4764-13-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-10-0x000000001B570000-0x000000001B5C0000-memory.dmp

Filesize
320KB

Download
memory/4764-3-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-2-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-63-0x00007FF894140000-0x00007FF894C01000-memory.dmp

Filesize
10.8MB

Download
memory/4764-9-0x00000000027A0000-0x00000000027BC000-memory.dmp

Filesize
112KB

Download
memory/4764-1-0x0000000000380000-0x000000000055A000-memory.dmp

Filesize
1.9MB

Download