81d0dff89b17ba82da236f32f72ff13afe6d61530ec46e71a37a73793850815e

General

Target

81d0dff89b17ba82da236f32f72ff13afe6d61530ec46e71a37a73793850815e.exe
Size

3.8MB
MD5

54e25f490523f83e9af9b60ab197a3a7
SHA1

e698efcdc53a64ed9df1b2776887e4dbc8a3bf29
SHA256

81d0dff89b17ba82da236f32f72ff13afe6d61530ec46e71a37a73793850815e
SHA512

778a41cb762f2a6d1564d18545b589836ba46d10dc727bb19fd7e3c5f9b50cf0d8fc587cab6e509bc07258d094c9d7624f4938285dfb4bf7dcacef613cb254a9

Score

9^/10

persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

3028 powershell.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2724 reg.exe
Runs net.exe

pid	process
2724	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

616

pid	process
616

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

81d0dff89b17ba82da236f32f72ff13afe6d61530ec46e71a37a73793850815e.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.exe

description	pid	process	target process
PID 580 wrote to memory of 3028	580	81d0dff89b17ba82da236f32f72ff13afe6d61530ec46e71a37a73793850815e.exe	powershell.exe
PID 580 wrote to memory of 3028	580	81d0dff89b17ba82da236f32f72ff13afe6d61530ec46e71a37a73793850815e.exe	powershell.exe
PID 580 wrote to memory of 3028	580	81d0dff89b17ba82da236f32f72ff13afe6d61530ec46e71a37a73793850815e.exe	powershell.exe
PID 3028 wrote to memory of 2008	3028	powershell.exe	csc.exe
PID 3028 wrote to memory of 2008	3028	powershell.exe	csc.exe
PID 3028 wrote to memory of 2008	3028	powershell.exe	csc.exe
PID 2008 wrote to memory of 3008	2008	csc.exe	cvtres.exe
PID 2008 wrote to memory of 3008	2008	csc.exe	cvtres.exe
PID 2008 wrote to memory of 3008	2008	csc.exe	cvtres.exe
PID 3028 wrote to memory of 3928	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 3928	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 3928	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 4068	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 4068	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 4068	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 4000	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 4000	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 4000	3028	powershell.exe	powershell.exe
PID 3028 wrote to memory of 2704	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 2704	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 2704	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 2724	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 2724	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 2724	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 3844	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 3844	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 3844	3028	powershell.exe	reg.exe
PID 3028 wrote to memory of 992	3028	powershell.exe	net.exe
PID 3028 wrote to memory of 992	3028	powershell.exe	net.exe
PID 3028 wrote to memory of 992	3028	powershell.exe	net.exe
PID 992 wrote to memory of 3368	992	net.exe	net1.exe
PID 992 wrote to memory of 3368	992	net.exe	net1.exe
PID 992 wrote to memory of 3368	992	net.exe	net1.exe
PID 3028 wrote to memory of 188	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 188	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 188	3028	powershell.exe	cmd.exe
PID 188 wrote to memory of 2232	188	cmd.exe	cmd.exe
PID 188 wrote to memory of 2232	188	cmd.exe	cmd.exe
PID 188 wrote to memory of 2232	188	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2208	2232	cmd.exe	net.exe
PID 2232 wrote to memory of 2208	2232	cmd.exe	net.exe
PID 2232 wrote to memory of 2208	2232	cmd.exe	net.exe
PID 2208 wrote to memory of 2924	2208	net.exe	net1.exe
PID 2208 wrote to memory of 2924	2208	net.exe	net1.exe
PID 2208 wrote to memory of 2924	2208	net.exe	net1.exe
PID 3028 wrote to memory of 3860	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 3860	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 3860	3028	powershell.exe	cmd.exe
PID 3860 wrote to memory of 744	3860	cmd.exe	cmd.exe
PID 3860 wrote to memory of 744	3860	cmd.exe	cmd.exe
PID 3860 wrote to memory of 744	3860	cmd.exe	cmd.exe
PID 744 wrote to memory of 2124	744	cmd.exe	net.exe
PID 744 wrote to memory of 2124	744	cmd.exe	net.exe
PID 744 wrote to memory of 2124	744	cmd.exe	net.exe
PID 2124 wrote to memory of 3208	2124	net.exe	net1.exe
PID 2124 wrote to memory of 3208	2124	net.exe	net1.exe
PID 2124 wrote to memory of 3208	2124	net.exe	net1.exe
PID 3028 wrote to memory of 3104	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 3104	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 3104	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 3412	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 3412	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 3412	3028	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\81d0dff89b17ba82da236f32f72ff13afe6d61530ec46e71a37a73793850815e.exe
"C:\Users\Admin\AppData\Local\Temp\81d0dff89b17ba82da236f32f72ff13afe6d61530ec46e71a37a73793850815e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:580

\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1al4brkg\1al4brkg.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AA2.tmp" "c:\Users\Admin\AppData\Local\Temp\1al4brkg\CSC1482EF78DE114D0E9F8EF698B3172EE.TMP"
4⤵
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:2724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:3844

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:3368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:3412

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

1

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f3068198b62b4b70404ec46694d632be

SHA1
7b0b31ae227cf2a78cb751573a9d07f755104ea0

SHA256
bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

SHA512
ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\1al4brkg\1al4brkg.dll
MD5
4cc37bc3033bc065f6bc9b5d8197ad2a

SHA1
bc5f9919117eea448f5890e4be23dd79f3d9b264

SHA256
3f03ac4ef2af238fcc687e0b6dfbb651db73b0a2439f5e5702de0f64ed22ca6d

SHA512
609085d496c745c3f874ef764287b6042fa1fc818d0b71f6c831ae691d56c3394eb4f9d2d790e5692a96457a8294a06e0342aef4baa1299caa62d8ca5557800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8AA2.tmp
MD5
5a5f05d1e27a5aa1bb3d676cffab04db

SHA1
b0e10675129d14d9ca14503969d4bfdb6f4ae878

SHA256
adfd2644a1b789c12ec04de52cbdb8762ed314d87d1e9d0c43889ad170e93bf1

SHA512
511970743358a8da9202464cb34d70001890e9704f7a6a169f4afec5131cbcafb33b7bcb4ca2b4794ff3550e2d76d419cab5429fa64dae4147084d0eb3745fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
851bf8df96899b2cc50af8047e9fbe5c

SHA1
e259d3ea9eabae926f74358b6e8f583cfcb4106b

SHA256
b920aeb39633531fc8150a758f0d1d697c51f5d7b7dc09a73e68b76948cd39d6

SHA512
648ad3ed2b6a1d16d6d43f7a264d3dc3112415c14c7eaab9c214725ca4abfac0640ff8a724c994a8b6d73fe0c3e74339291bf45d63501ac3dcdc40ce38a30792

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1al4brkg\1al4brkg.0.cs
MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1al4brkg\1al4brkg.cmdline
MD5
02f551a94355a41b176bc5379cd09ce0

SHA1
6c4a275dfa8d759f3954f04305423726b7f50e9c

SHA256
b157bcbb9eb9f43c28603f969d17f7fc7620e97f7ce8e02995a1b092e1365479

SHA512
2dc9b0608bd2f325378c9a18b6cacbf5eba9a955519f40f09efb943b53e83f956aece11c15f7fa9b4aebc774e38a942dd13dfaa7515e562eee6f568ada0222a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1al4brkg\CSC1482EF78DE114D0E9F8EF698B3172EE.TMP
MD5
b366e334f32ac87bffbe99c5b2c82c3b

SHA1
c526c119609d754ebf274039b2f24638d05d929c

SHA256
d3d22850b110b0f6ec5f7c025fa9a8166ca2f7e814068db9d1c04d44214db51b

SHA512
3114182ef95878a7ab1bf492dba41386de8473a5197218d7385303b4a6e281b15f1a9afbe8a0e0d16daaa7c86692d8d8ffe72017222fe6e699fdd6883c725df5

Download Submit
memory/188-115-0x0000000000000000-mapping.dmp

Download
memory/744-120-0x0000000000000000-mapping.dmp

Download
memory/992-113-0x0000000000000000-mapping.dmp

Download
memory/2008-14-0x0000000000000000-mapping.dmp

Download
memory/2124-121-0x0000000000000000-mapping.dmp

Download
memory/2208-117-0x0000000000000000-mapping.dmp

Download
memory/2232-116-0x0000000000000000-mapping.dmp

Download
memory/2704-110-0x0000000000000000-mapping.dmp

Download
memory/2724-111-0x0000000000000000-mapping.dmp

Download
memory/2924-118-0x0000000000000000-mapping.dmp

Download
memory/3008-17-0x0000000000000000-mapping.dmp

Download
memory/3028-12-0x000000000B430000-0x000000000B431000-memory.dmp

Filesize
4KB

Download
memory/3028-5-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3028-0-0x0000000000000000-mapping.dmp

Download
memory/3028-21-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/3028-22-0x0000000008D50000-0x0000000008D51000-memory.dmp

Filesize
4KB

Download
memory/3028-135-0x0000000009260000-0x0000000009261000-memory.dmp

Filesize
4KB

Download
memory/3028-7-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/3028-8-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/3028-9-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/3028-13-0x0000000009BD0000-0x0000000009BD1000-memory.dmp

Filesize
4KB

Download
memory/3028-1-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-2-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/3028-107-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/3028-3-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/3028-4-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/3028-10-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download
memory/3028-106-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/3028-6-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/3104-123-0x0000000000000000-mapping.dmp

Download
memory/3208-122-0x0000000000000000-mapping.dmp

Download
memory/3368-114-0x0000000000000000-mapping.dmp

Download
memory/3412-124-0x0000000000000000-mapping.dmp

Download
memory/3844-112-0x0000000000000000-mapping.dmp

Download
memory/3860-119-0x0000000000000000-mapping.dmp

Download
memory/3928-44-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/3928-48-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/3928-46-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/3928-45-0x0000000008BA0000-0x0000000008BA1000-memory.dmp

Filesize
4KB

Download
memory/3928-43-0x0000000008890000-0x0000000008891000-memory.dmp

Filesize
4KB

Download
memory/3928-35-0x00000000088B0000-0x00000000088E3000-memory.dmp

Filesize
204KB

Download
memory/3928-24-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/3928-23-0x0000000000000000-mapping.dmp

Download
memory/4000-79-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/4000-78-0x0000000000000000-mapping.dmp

Download
memory/4068-51-0x0000000073020000-0x000000007370E000-memory.dmp

Filesize
6.9MB

Download
memory/4068-50-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads